From: | Andrew Sullivan <ajs(at)crankycanuck(dot)ca> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: password cookie |
Date: | 2006-10-26 14:57:03 |
Message-ID: | 20061026145703.GB5667@phlogiston.dyndns.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Thu, Oct 26, 2006 at 12:27:49AM +0200, Willy-Bas Loos wrote:
> or will not receive those, because of the rights granted to him. These
> granted rights and roles will be determined by the regular postgres
> functionality (and some views).
Ah, that's a different matter. My suggestion is "don't do that".
I tried to do it once, years ago, and regretted it deeply. Of
course, my code was awful, and yours might be better. But in my
view, that's a security problem just waiting to happen. You're
better off to have one user in your application that does the
authentication for you. You can use Kerberos or something to
authenticate it; much easier to lock down one such user carefully,
that comes only from boxes under your control, than to secure many
users' accounts.
If you want to do it this way, I sure wouldn't use cookies to store
the password. I think you're asking for a compromise that way.
A
--
Andrew Sullivan | ajs(at)crankycanuck(dot)ca
The fact that technology doesn't work is no bar to success in the marketplace.
--Philip Greenspun
From | Date | Subject | |
---|---|---|---|
Next Message | Walter Vaughan | 2006-10-26 16:17:41 | Re: PostgreSQL in article I wrote |
Previous Message | Tom Lane | 2006-10-26 13:57:17 | Re: pg_dumpall failing from possible corrupted shared memory |