Quick Links

Re: Generating unique session ids

From:	Alvaro Herrera <alvherre(at)commandprompt(dot)com>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc:	Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>, Lexington Luthor <Lexington(dot)Luthor(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org
Subject:	Re: Generating unique session ids
Date:	2006-07-27 13:55:21
Message-ID:	20060727135520.GB17440@surnet.cl
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-general

Tom Lane wrote:

> > * Any database user is most of the time able to read function
> > bodies, so anybody who is able co connect to your database will be
> > able to get your 'secret_salt' and then predict session id's.
>
> Yeah, it's not clear where to hide the secret.

In a memfrob'ed (or something better probably) area in a C function?

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

In response to

Re: Generating unique session ids at 2006-07-27 13:39:40 from Tom Lane

Responses

Re: Generating unique session ids at 2006-07-27 14:11:23 from Rodrigo Gonzalez
Re: Generating unique session ids at 2006-07-27 15:40:22 from Joshua D. Drake

Browse pgsql-general by date

	From	Date	Subject
Next Message	Markus Schiltknecht	2006-07-27 14:07:13	Re: Database Oid from SPI
Previous Message	Tom Lane	2006-07-27 13:39:40	Re: Generating unique session ids