Re: Session Identifiers

2015-12-20 18:37 GMT+01:00 oleg yusim <olegyusim(at)gmail(dot)com>:

> Tom,
>
> I understand the idea that for external communication you rely on SSL.
> However, how about me opening psql prompt into the database directly from
> my Linux box, my db is installed at? I thought, it would be considered
> local connection and would not go through the SSL channels. If that is the
> case, here we would be dealing with Session IDs belonging to DB itself, not
> OpenSSL.
>

all necessary data are stored local in process memory. No session ID is
required.

Pavel

>
> Please, correct me if I'm wrong.
>
> Thanks,
>
> Oleg
>
> On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> oleg yusim <olegyusim(at)gmail(dot)com> writes:
>> > Got it, thanks... Now, is it any protection in place currently against
>> > replacing Session ID (my understanding, it is kept in memory, belonging
>> to
>> > the session process) or against guessing Session ID (i.e. is Session ID
>> > generated using FIPS 140-2 compliant algorithms, or anything of that
>> sort)?
>>
>> I don't think Postgres even has any concept that matches what you seem
>> to think a Session ID is.
>>
>> If you're looking for communication security/integrity checking, that's
>> something we leave to other software such as SSL.
>>
>> regards, tom lane
>>
>
>