| From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
|---|---|
| To: | oleg yusim <olegyusim(at)gmail(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Session Identifiers |
| Date: | 2015-12-20 17:53:56 |
| Message-ID: | CAFj8pRBdRVPiDOy0H+gucxs5v6rD2u=C3KLhUSBPb3hm+wrSPA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
2015-12-20 18:45 GMT+01:00 oleg yusim <olegyusim(at)gmail(dot)com>:
> So Pavel, are are saying there is no such thing as Session ID in
> PostgreSQL DB at all? Everything is tight to the process, session is
> accociated with, so in essence pid is session id?
>
There is backendId and processid, but these id are valid only for one
session, and after logout these ids are invalid - usually they are used for
fast access to static shared arrays - PGPROC array and similar - mainly for
info about snapshots and locks. These arrays are static - new sessions
immediately reuse space after destroyed sessions.
But there are not any info comparable with session id on web applications.
It is significantly different architecture - fast, simply and different.
Pavel
>
> Oleg
>
> On Sun, Dec 20, 2015 at 11:40 AM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
> wrote:
>
>>
>>
>> 2015-12-20 18:37 GMT+01:00 oleg yusim <olegyusim(at)gmail(dot)com>:
>>
>>> Tom,
>>>
>>> I understand the idea that for external communication you rely on SSL.
>>> However, how about me opening psql prompt into the database directly from
>>> my Linux box, my db is installed at? I thought, it would be considered
>>> local connection and would not go through the SSL channels. If that is the
>>> case, here we would be dealing with Session IDs belonging to DB itself, not
>>> OpenSSL.
>>>
>>
>> all necessary data are stored local in process memory. No session ID is
>> required.
>>
>> Pavel
>>
>>
>>>
>>> Please, correct me if I'm wrong.
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>>
>>>> oleg yusim <olegyusim(at)gmail(dot)com> writes:
>>>> > Got it, thanks... Now, is it any protection in place currently against
>>>> > replacing Session ID (my understanding, it is kept in memory,
>>>> belonging to
>>>> > the session process) or against guessing Session ID (i.e. is Session
>>>> ID
>>>> > generated using FIPS 140-2 compliant algorithms, or anything of that
>>>> sort)?
>>>>
>>>> I don't think Postgres even has any concept that matches what you seem
>>>> to think a Session ID is.
>>>>
>>>> If you're looking for communication security/integrity checking, that's
>>>> something we leave to other software such as SSL.
>>>>
>>>> regards, tom lane
>>>>
>>>
>>>
>>
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dmitry Igrishin | 2015-12-20 17:56:04 | Re: Session Identifiers |
| Previous Message | oleg yusim | 2015-12-20 17:45:26 | Re: Session Identifiers |