Password safe web application with postgre

From: Bohdan Linda <bohdan(dot)linda(at)seznam(dot)cz>
To: pgsql-general(at)postgresql(dot)org
Subject: Password safe web application with postgre
Date: 2008-05-15 08:50:29
Message-ID: 20080515085029.GA15635@bafster.baflabs.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Hello,

I have the following problem. A multiuser app has authentization and
authorization done based on pgsql.

The frontend is web based so it is stateless; it is connecting to database
on every get/post. There is also a requirement that the user is
transparently logged in for some period of time.

Tha most easy way is to store login credentials into the session. The
drawback is that session is stored in file, so the credentials are
readable. I want to avoid it.

My first step was hashing the password with the same mechanizm as pgsql
does, but I am not able to pass it to the server. I did some research with
mighty google and found reply by Tom Lane:

"No, you need to put the plain text of the password into the connInfo.
Knowing the md5 doesn't prove you know the password. "

Thus the next logical step is keeping sessions in servers memory rather
than files. Memory dump could compromise it, but this is acceptable risk.

I would like to ask you, if someone had solved this problem is some more
elegant way.

Thank you,
Bohdan

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Pavan Deolasee 2008-05-15 09:07:10 Re: Need for help!
Previous Message Pavan Deolasee 2008-05-15 08:50:14 Re: Problem with transaction isolation level