On 10/2/07, Joshua D. Drake <..hidden..> wrote:
Ashley J Gittins wrote:
> As I understand it (and I am pretty likely to get this wrong so feel free to
> point that out) the only reason we have to send the user/pass on every http
> request is because of the change to using postgresql to authenticate every
> request (ie, server-side, LSMB logs into psql as the actual user), therefore
> requiring the password to do so.
>
> I remember trying to make the point some time ago that maybe LSMB should
> connect as its own user, then use postgres' role-switching abilities to
> become the connected user after connection. As I understand it this can be
> done without having to supply the user's password.
Are you talking about set session authorization?
From the associated docs for PostgreSQL:
"The session user identifier can be changed only if the initial session user (the authenticated user) had the superuser privilege. Otherwise, the command is accepted only if it specifies the authenticated user name."
I don't think we want to connect initially as a db superuser just in order to do this.
Similarly set role could be somewhat problematic because again, we have to do all the auth ourselves first, and any SQL injection prior to that might allow one to assume the role of any other user. I think that this is a larger risk than using HTTP auth.
> Additionally, I think using http-auth would be a step backwards, given that
> some browsers are pretty unpredictable with the credentials (tell me a way to
> make a browser reliably "forget" credentials? afaik, there isn't one)
Yes there is. You close the browser. :)
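
The role-switching behaviour debated in this thread, as an added example that is not part of the original messages or of LedgerSMB's code: it contrasts SET SESSION AUTHORIZATION with SET ROLE for a non-superuser application login. The role names (lsmb_app, alice, bob), the table and the password are constructed placeholders.

```sql
-- Setup, run once by a database administrator. All names are constructed.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

-- The application's own login role: not a superuser, and NOINHERIT so it
-- holds no user's privileges until it explicitly switches role.
CREATE ROLE lsmb_app LOGIN NOINHERIT PASSWORD 'placeholder-change-me';
GRANT alice TO lsmb_app;
GRANT bob   TO lsmb_app;

CREATE TABLE alice_ledger (entry text);
GRANT SELECT ON alice_ledger TO alice;

-- Everything below runs in one session authenticated as lsmb_app.

-- SET SESSION AUTHORIZATION naming another user is rejected, because the
-- authenticated user is not a superuser (the rule quoted from the docs).
SET SESSION AUTHORIZATION alice;

-- Naming the authenticated user itself is the only accepted form.
SET SESSION AUTHORIZATION lsmb_app;

-- SET ROLE needs no password: membership in the target role is enough.
-- The application is expected to have authenticated the end user itself
-- before issuing this statement.
SET ROLE alice;
SELECT session_user, current_user;   -- session user unchanged, current user switched
SELECT * FROM alice_ledger;          -- permitted through alice's grant

-- The switch is not a boundary inside the session. Any SQL that reaches
-- this connection can undo it and pick another role lsmb_app belongs to,
-- which is the injection concern raised about SET ROLE above.
RESET ROLE;
SET ROLE bob;
SELECT session_user, current_user;
SELECT * FROM alice_ledger;          -- denied: bob has no grant on this table

-- Review which roles the application login is able to assume.
SELECT r.rolname AS can_become
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles a ON a.oid = m.member
WHERE a.rolname = 'lsmb_app';
```

When the statements are run in psql outside a transaction block, the two statements marked as rejected or denied raise errors and the rest of the script continues.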