Andreas wrote:
> I asked elsewhere about the best way to store db credentials within a
> user-session of a web-app.
>
> It appeared that it was for everybody but me evident that instead of
> having a db-role+passwd for every user of an application it was better
> to have just 1 set of db-credentials for the application and recreate a
> user management within the app instead of using the existing user handling
> of the dbms.
>
> That way the app checks the user's password as an md5 in some table and
> remembers "user is logged in" for later. The actual queries would be
> done with a common set of real db credentials.
>
> Pro: No one could bypass the app and use e.g. pgAdmin to access the DB
> instead of the app.
>
> Con: A bug in the app could give anyone the access level of the app's
> credentials, which might offer admin rights if such power is needed at
> least for some users.
>
> What's your opinion?

You forgot the most important pro:
If the web application server uses a single database user, you can use
connection pooling, i.e. reuse connections instead of maintaining one
connection per database user. This will boost performance.

True, you could have a connection pool and use ALTER SESSION AUTHORIZATION
to become a certain database user for one request, but that means that the
application server login user must be a superuser, which is a terrible idea.

Yours,
Laurenz Albe

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
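The pooled single-login setup discussed above, carried one step further as an added example (this is not code from the thread): in PostgreSQL, SET ROLE only requires that the session user be a member of the target role, not superuser, so one non-superuser pool role can take a per-user role for the duration of a single request. The role names, the accounts table and the placeholder password are assumptions made for the example.

```sql
-- Added example, not from the thread. Run as a DBA once; the per-request
-- part is what the application would send on a pooled connection.

-- The only role that can log in. NOINHERIT means it gets no privileges
-- from its memberships automatically, so a pooled connection starts with
-- nothing until it explicitly takes a role.
CREATE ROLE app_pool LOGIN NOINHERIT PASSWORD 'placeholder-change-me';

-- Per-user roles without LOGIN: they cannot be used from pgAdmin or psql
-- directly (the "Pro" from the question), only via SET ROLE.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob NOLOGIN;
CREATE ROLE app_admin NOLOGIN;

CREATE TABLE accounts (
    id      serial PRIMARY KEY,
    owner   text   NOT NULL,
    balance numeric NOT NULL
);

GRANT SELECT ON accounts TO alice, bob;
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO app_admin;

-- Membership, not superuser, is all SET ROLE needs.
GRANT alice, bob, app_admin TO app_pool;

-- Per request, after the app has authenticated "alice" itself.
-- SET LOCAL ROLE reverts at COMMIT/ROLLBACK, so a connection handed back
-- to the pool is never left running as alice even if the app forgets
-- to RESET ROLE.
BEGIN;
SET LOCAL ROLE alice;
SELECT id, owner, balance FROM accounts;
COMMIT;

-- An administrative request on the same pooled connection.
BEGIN;
SET LOCAL ROLE app_admin;
UPDATE accounts SET balance = 0 WHERE owner = 'bob';
COMMIT;

-- Outside a request the pooled connection has no table access at all:
SELECT id FROM accounts;   -- ERROR: permission denied for table accounts
```

Because the session user stays app_pool, a request can still RESET ROLE and take another role, so this scopes the privileges a correctly written request uses but does not contain the "Con" Andreas raises: an application bug that lets arbitrary SQL through still has the union of everything app_pool is a member of.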