From: | "Greg Wickham" <greg(dot)wickham(at)grangenet(dot)net> |
---|---|
To: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Changing session ownership in a web app (or how to peel an onion) |
Date: | 2004-10-15 11:39:12 |
Message-ID: | 200410151117.i9FBHwfW001082@clix.aarnet.edu.au |
Lists: | pgsql-general |
Hi All,
Earlier this year there was a discussion between Tom and Ezra regarding extending 'set session authorization' to facilitate changing
the identity of a connection. A synopsis of the discussion is that Tom felt this was bad and the web application should have more
responsibility for handling session security.
I need to implement some session-based authentication / authorization and would like to learn from others' experience before
embarking too far down this path.
Some constraints:
1/ I'm not keen on embedding secret passwords in a web config file but if I have to I will (*sigh*).
2/ The user names used in the authentication credentials (from the perspective of the user) are _NOT_ the same as those internally
used in postgres. (Postgres has strict limitations on usernames which make using them for users impractical.)
3/ I want to use cookies and session-based authentication (rather than continually use a username / password tuple for each request).
(But then you could rationalize that the username / password could be reversed out of the session key, so this may be a moot point -
it will be over a secure connection).
To meet these constraints it would appear necessary to:
1/ Run an external mapping of human usernames to postgres user names (or burn a connect / disconnect cycle to the db).
2/ Connect using the credentials (mapped username) and provided password
3/ Work as necessary (using connected uid)
4/ Disconnect
Is this the best (or only) technique?
If anyone has any suggestions or experience in this then I'd appreciate hearing them.
Thanks in advance,
-Greg
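One way to implement the four steps above, as an added example that is not part of Greg's post: the cookie carries only a random token, the human-name-to-role map and the credentials stay server-side, and each request connects as the mapped role and disconnects. The `connect` callable stands in for a real driver's connect (psycopg2.connect, say); the `fake_connect` and the sample names are constructed so the block runs offline.

```python
import secrets
from dataclasses import dataclass

# Step 1: external mapping of human login names to Postgres role names.
# Constructed sample; a real deployment would keep this in a table or directory.
ROLE_MAP = {"alice.smith@example.org": "u_alice", "bob o'brien": "u_bob"}

@dataclass
class Session:
    pg_role: str
    password: str  # kept server-side only; the cookie never carries it

SESSIONS = {}  # opaque token -> Session (in-memory store, for illustration)

def login(human_name, password, connect):
    """Steps 1-2: map the name, then prove the credentials by connecting as the
    mapped role. Returns a random session token for the cookie, or None if the
    name has no mapping. `connect` is assumed to raise on bad credentials."""
    pg_role = ROLE_MAP.get(human_name)
    if pg_role is None:
        return None
    connect(user=pg_role, password=password).close()
    token = secrets.token_urlsafe(32)  # random; nothing can be reversed out of it
    SESSIONS[token] = Session(pg_role, password)
    return token

def run_as_session(token, work, connect):
    """Steps 2-4 on each request: connect as the session's role, run the
    work, and always disconnect. Unknown tokens are refused."""
    sess = SESSIONS.get(token)
    if sess is None:
        raise PermissionError("unknown or expired session")
    conn = connect(user=sess.pg_role, password=sess.password)
    try:
        return work(conn)
    finally:
        conn.close()

# --- constructed stand-in for a real driver so the block runs offline ---
VALID = {"u_alice": "pw-alice"}  # plays the server's own role/password check
class FakeConn:
    def __init__(self, user):
        self.user = user
    def close(self):
        pass

def fake_connect(user, password):
    if VALID.get(user) != password:
        raise PermissionError("authentication failed")
    return FakeConn(user)
```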