Philosophical question

From: Andreas <maps(dot)on(at)gmx(dot)net>
To: pgsql-general(at)postgresql(dot)org
Subject: Philosophical question
Date: 2011-12-14 12:32:47
Message-ID: 4EE8976F.7000204@gmx.net
Lists: pgsql-general

Hi,

I asked elsewhere about the best way to store db credentials within a
user-session of a web-app.

It appeared that it was evident to everybody but me that instead of
having a db-role+passwd for every user of an application it was better
to have just 1 set of db-credentials for the application and recreate a
user management within the app instead of using the existing user handling
of the dbms.

That way the app checks the user's password as an md5 in some table and
remembers "user is logged in" for later. The actual queries would be
done with a common set of real db credentials.

Pro: No one could bypass the app and use e.g. pgAdmin to access the DB
instead of the app.

Con: A bug in the app could give anyone the access level of the app's
credentials which might offer admin rights if such power is needed at
least for some users.

What's your opinion?
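The pattern the post describes, as an added example that is not part of the original mail or of any PostgreSQL project code: the application holds one shared database connection, keeps its own user table with password hashes, marks "user is logged in" in a session object, and enforces who may do what in application code. An in-memory SQLite database stands in for PostgreSQL so the example runs offline; the table names, user names and passwords are constructed; and a salted PBKDF2-SHA256 hash is used in place of the plain md5 the post mentions (a design choice for the example). The `purge_orders` function shows the con raised in the post: the shared connection can run the privileged statement for any session, so a single skipped `if` in the app is the only thing separating a normal user from the app's full access level.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example: an in-memory SQLite database stands in for the
# application's database. The app opens ONE connection with its shared
# credentials; every end user's queries run over it.
SHARED_CONN = sqlite3.connect(":memory:")

# Hypothetical parameter: salted PBKDF2-SHA256 instead of the plain md5
# the post mentions (design choice for this example, not from the post).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash for the app's own user table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def setup_schema() -> None:
    """Create the app-managed user table and one business table."""
    cur = SHARED_CONN.cursor()
    cur.execute(
        "CREATE TABLE IF NOT EXISTS app_users ("
        "name TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL, "
        "is_admin INTEGER NOT NULL)"
    )
    cur.execute(
        "CREATE TABLE IF NOT EXISTS orders ("
        "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    SHARED_CONN.commit()


def create_user(name: str, password: str, is_admin: bool = False) -> None:
    """Store a per-user random salt and hash; the DB never sees a password."""
    salt = os.urandom(16)
    SHARED_CONN.execute(
        "INSERT INTO app_users (name, salt, pw_hash, is_admin) VALUES (?, ?, ?, ?)",
        (name, salt, hash_password(password, salt), int(is_admin)),
    )
    SHARED_CONN.commit()


def login(name: str, password: str):
    """App-level authentication: a session dict on success, None on failure.
    This is the 'user is logged in' state the post describes."""
    row = SHARED_CONN.execute(
        "SELECT salt, pw_hash, is_admin FROM app_users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return None
    salt, stored, is_admin = row
    # Constant-time comparison of the stored and recomputed hashes.
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return {"user": name, "is_admin": bool(is_admin)}


def list_own_orders(session: dict) -> list:
    """Row-level restriction enforced by the app's WHERE clause, not by the DB."""
    return SHARED_CONN.execute(
        "SELECT id, amount FROM orders WHERE owner = ? ORDER BY id",
        (session["user"],),
    ).fetchall()


def purge_orders(session: dict) -> int:
    """Privileged operation. The shared connection can run the DELETE for ANY
    session; only this 'if' stands between a normal user and it. That is the
    con in the post: a bug that skips the check hands out the app's rights."""
    if not session.get("is_admin"):
        raise PermissionError("admin only")
    (count,) = SHARED_CONN.execute("SELECT COUNT(*) FROM orders").fetchone()
    SHARED_CONN.execute("DELETE FROM orders")
    SHARED_CONN.commit()
    return count


def demo() -> dict:
    """Constructed walk-through; returns the observed results for checking."""
    setup_schema()
    create_user("alice", "correct horse", is_admin=False)
    create_user("bob", "battery staple", is_admin=True)
    SHARED_CONN.executemany(
        "INSERT INTO orders (owner, amount) VALUES (?, ?)",
        [("alice", 10), ("alice", 25), ("bob", 99)],
    )
    SHARED_CONN.commit()
    results = {"bad_login": login("alice", "wrong") is None}
    alice = login("alice", "correct horse")
    results["alice_orders"] = list_own_orders(alice)
    try:
        purge_orders(alice)
        results["alice_purge_blocked"] = False
    except PermissionError:
        results["alice_purge_blocked"] = True
    bob = login("bob", "battery staple")
    results["purged"] = purge_orders(bob)
    return results


if __name__ == "__main__":
    print(demo())
```

Everything that distinguishes alice from bob lives in Python, not in the database: the connection is identical for both, so the database cannot tell an authorised DELETE from one issued by a code path that forgot the admin check.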
