Re: password cookie

From: Andrew Sullivan <ajs(at)crankycanuck(dot)ca>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: password cookie
Date: 2006-10-26 14:57:03
Message-ID: 20061026145703.GB5667@phlogiston.dyndns.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Thu, Oct 26, 2006 at 12:27:49AM +0200, Willy-Bas Loos wrote:
> or will not receive those, because of the rights granted to him. These
> granted rights and roles will be determined by the regular postgres
> functionality (and some views).

Ah, that's a different matter. My suggestion is "don't do that".
I tried to do it once, years ago, and regretted it deeply. Of
course, my code was awful, and yours might be better. But in my
view, that's a security problem just waiting to happen. You're
better off to have one user in your application that does the
authentication for you. You can use Kerberos or something to
authenticate it; much easier to lock down one such user carefully,
that comes only from boxes under your control, than to secure many
users' accounts.

If you want to do it this way, I sure wouldn't use cookies to store
the password. I think you're asking for a compromise that way.

A

--
Andrew Sullivan | ajs(at)crankycanuck(dot)ca
The fact that technology doesn't work is no bar to success in the marketplace.
--Philip Greenspun

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Walter Vaughan 2006-10-26 16:17:41 Re: PostgreSQL in article I wrote
Previous Message Tom Lane 2006-10-26 13:57:17 Re: pg_dumpall failing from possible corrupted shared memory