| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | oleg yusim <olegyusim(at)gmail(dot)com> |
| Cc: | PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Session Identifiers |
| Date: | 2015-12-20 16:08:46 |
| Message-ID: | CAFj8pRBEHtoJ_ihfNN+favjBCMxkNC9iveRfytZZf-Saq7zJfg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hi
2015-12-20 16:16 GMT+01:00 oleg yusim <olegyusim(at)gmail(dot)com>:
> Greetings!
>
> I'm new to PostgreSQL, working on it from the point of view of Cyber
> Security assessment. In regards to the here is my questions:
>
> From the security standpoint we have to assure that database invalidates
> session identifiers upon user logout or other session termination (timeout
> counts too).
>
> Does PostgreSQL perform this type of actions? If so, where are those
> Session IDs are stored, so I can verify it?
>
Postgres is based on processes - for any session is created new process
when user is logged and this process is destroyed when user does logout.
Almost all data are in process memory only, but shared data related to
sessions are stored in shared memory - in array of PGPROC structures.
Postgres invalidates these data immediately when process is destroyed.
Search PGPROC in our code. Look to postmaster.c, where these operations are
described.
What I know, there are not any other session data - so when process is
destroyed, then all is destroyed by o.s.
Can be totally different if you use some connection pooler like pgpool or
pgbouncer - these applications can reuse Postgres server sessions for more
user sessions.
Regards
Pavel
>
> Thanks,
>
> Oleg
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Kretschmer | 2015-12-20 16:18:34 | Re: Unique index problem |
| Previous Message | Andreas Kretschmer | 2015-12-20 16:04:17 | Re: Unique index problem |