Thursday, May 15, 2008

Re: [GENERAL] Password safe web application with postgre

You could try to have a function in your application that encrypts the connection string and stores it in a session variable. When you need it, you decrypt it from the session variables. Session variables are stored as files on the server, therefore the risk is not as high.

Just a thought.

Fernando.

Bohdan Linda wrote:
Hello,

I have the following problem. A multiuser app has authentication and authorization done based on pgsql. The frontend is web based so it is stateless; it is connecting to the database on every get/post. There is also a requirement that the user is transparently logged in for some period of time. The most easy way is to store login credentials into the session. The drawback is that the session is stored in a file, so the credentials are readable. I want to avoid it.

My first step was hashing the password with the same mechanism as pgsql does, but I am not able to pass it to the server. I did some research with mighty google and found a reply by Tom Lane:

"No, you need to put the plain text of the password into the connInfo. Knowing the md5 doesn't prove you know the password."

Thus the next logical step is keeping sessions in the server's memory rather than in files. A memory dump could compromise it, but this is an acceptable risk.

I would like to ask you if someone has solved this problem in some more elegant way.

Thank you,
Bohdan
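The thread above settles on two facts: libpq needs the plaintext password in the conninfo string, and anything written to a session file is readable to whoever can read that file. The example below (added here, not code from either poster) sketches the alternative Bohdan arrives at: the web session keeps only an opaque random token, while the plaintext credentials live in a process-memory vault with a sliding idle timeout, so the user stays transparently logged in while active and the password is never written to disk. The `CredentialVault`, `ManualClock` and `demo` names are this example's own; the keyword/value quoting in `conninfo` follows libpq's real rule (single-quote values, backslash-escape `\` and `'`). The caveats Bohdan already names still apply: a dump of the process exposes the vault, and because it lives in one process it does not survive a restart or span several web workers.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Credentials:
    user: str
    password: str


class CredentialVault:
    """Holds database credentials only in process memory.

    The web session (cookie or session file) stores nothing but the token
    returned by put(), so a copy of the session files yields no passwords.
    Entries expire after ttl_seconds of inactivity.
    """

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Tuple[Credentials, float]] = {}

    def put(self, creds: Credentials) -> str:
        # 256 bits from the OS CSPRNG; the token is the only thing that leaves the process.
        token = secrets.token_urlsafe(32)
        self._entries[token] = (creds, self._clock() + self._ttl)
        return token

    def get(self, token: str) -> Optional[Credentials]:
        entry = self._entries.get(token)
        if entry is None:
            return None
        creds, expires_at = entry
        now = self._clock()
        if now >= expires_at:
            del self._entries[token]  # drop the plaintext as soon as it is stale
            return None
        # Sliding expiry: every authenticated request extends the login window.
        self._entries[token] = (creds, now + self._ttl)
        return creds

    def revoke(self, token: str) -> None:
        """Explicit logout removes the plaintext immediately."""
        self._entries.pop(token, None)

    def purge_expired(self) -> int:
        """Housekeeping for tokens whose owners never came back; returns count removed."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._entries.items() if now >= exp]
        for t in stale:
            del self._entries[t]
        return len(stale)

    def __len__(self) -> int:
        return len(self._entries)


def quote_conninfo_value(value: str) -> str:
    """Quote one value for a libpq keyword/value connection string."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def conninfo(creds: Credentials, dbname: str, host: str = "localhost") -> str:
    """Build the libpq conninfo string; as Tom Lane notes, the password must be plaintext here."""
    parts = {"host": host, "dbname": dbname, "user": creds.user, "password": creds.password}
    return " ".join(f"{k}={quote_conninfo_value(v)}" for k, v in parts.items())


class ManualClock:
    """Deterministic clock so the expiry behaviour can be shown offline."""

    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through login, activity, idle expiry and explicit logout with constructed data."""
    clock = ManualClock()
    vault = CredentialVault(ttl_seconds=600, clock=clock)
    token = vault.put(Credentials("alice", "s3cret pa'ss"))  # constructed sample credentials
    results = {"fresh_lookup_ok": vault.get(token) is not None}
    clock.advance(500)
    results["valid_after_500s_idle"] = vault.get(token) is not None   # refreshed on each hit
    clock.advance(500)
    results["valid_after_another_500s"] = vault.get(token) is not None
    clock.advance(601)
    results["expired_after_601s_idle"] = vault.get(token) is None
    results["vault_empty_after_expiry"] = len(vault) == 0
    token2 = vault.put(Credentials("bob", "pw"))
    vault.revoke(token2)
    results["revoked_is_gone"] = vault.get(token2) is None
    results["unknown_token_rejected"] = vault.get("not-a-token") is None
    return results


if __name__ == "__main__":
    print(demo())
    print(conninfo(Credentials("alice", "s3cret pa'ss"), "appdb"))
```

The request handler only ever sees the token from the session; it calls `vault.get(token)`, builds the conninfo for that one request, connects, and discards the string. Logging out calls `revoke`, and a periodic `purge_expired` keeps abandoned logins from lingering in memory.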
