
Philosophical question

Hi,

I asked elsewhere about the best way to store db credentials within a user-session of a web-app.

It appeared that it was evident to everybody but me that instead of having a db-role+passwd for every user of an application it was better to have just 1 set of db-credentials for the application and recreate a user management within the app instead of using the existing user handling of the dbms.

That way the app checks the user's password as an md5 in some table and remembers "user is logged in" for later. The actual queries would be done with a common set of real db credentials.

Pro: No one could bypass the app and use e.g. pgAdmin to access the DB instead of the app.

Con: A bug in the app could give anyone the access level of the app's credentials which might offer admin rights if such power is needed at least for some users.


What's your opinion?

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
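The design the post describes, as an added example that is not part of the thread: the app owns a users table and checks passwords itself, and every query runs over one shared set of DB credentials. It swaps the unsalted md5 the post mentions for salted PBKDF2 with a constant-time comparison, and uses an in-memory sqlite database as a stand-in for the PostgreSQL table so it runs offline. The table name, the app roles, the two sample accounts and the delete_account action are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Dict, List, Optional

# PBKDF2 cost; kept low so the demo runs quickly (assumption: raise it in production).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash verified for unknown usernames so login takes the same time either way.
DUMMY_HASH = hash_password("not-a-real-password")


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's users table (sqlite instead of PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_users (username TEXT PRIMARY KEY, "
        "password_hash TEXT NOT NULL, app_role TEXT NOT NULL)"
    )
    # Constructed sample accounts; the plaintext passwords exist only to seed the demo.
    for username, password, role in [("alice", "alice-pass", "admin"), ("bob", "bob-pass", "user")]:
        conn.execute("INSERT INTO app_users VALUES (?, ?, ?)", (username, hash_password(password), role))
    return conn


def list_users(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT username FROM app_users ORDER BY username")]


class SessionStore:
    """Remembers 'user is logged in' server-side, keyed by a random token handed to the browser."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def login(self, conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
        row = conn.execute(
            "SELECT password_hash, app_role FROM app_users WHERE username = ?", (username,)
        ).fetchone()
        stored = row[0] if row is not None else DUMMY_HASH
        ok = verify_password(password, stored)  # always computed, even for unknown users
        if row is None or not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "role": row[1]}
        return token

    def current(self, token: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def delete_account(conn: sqlite3.Connection, sessions: SessionStore, token: str, target: str) -> None:
    """A privileged action. The shared DB credentials can delete any row, so the app's own
    authorization check is what stands between a bug elsewhere and the DB role's full power."""
    session = sessions.current(token)
    if session is None or session["role"] != "admin":
        raise PermissionError("admin session required")
    conn.execute("DELETE FROM app_users WHERE username = ?", (target,))


if __name__ == "__main__":
    db = build_demo_db()
    store = SessionStore()
    print("bad password ->", store.login(db, "bob", "wrong"))
    admin = store.login(db, "alice", "alice-pass")
    delete_account(db, store, admin, "bob")
    print("remaining users ->", list_users(db))
```

The "Con" from the post is visible in delete_account: nothing in the database stops the shared role from deleting rows, so the check in the app is the only gate. The usual way to shrink that exposure is to grant the application's PostgreSQL role only the privileges the app actually needs and keep checks like this one for the few actions that must be privileged.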

