2015-12-20 18:45 GMT+01:00 oleg yusim <olegyu...@gmail.com>:

> So Pavel, are you saying there is no such thing as Session ID in
> PostgreSQL DB at all? Everything is tied to the process, session is
> associated with, so in essence pid is session id?

There is backendId and processid, but these IDs are valid only for one session, and after logout these IDs are invalid - usually they are used for fast access to static shared arrays - PGPROC array and similar - mainly for info about snapshots and locks. These arrays are static - new sessions immediately reuse space after destroyed sessions. But there is no info comparable with session id on web applications. It is a significantly different architecture - fast, simple and different.

Pavel

> Oleg
>
> On Sun, Dec 20, 2015 at 11:40 AM, Pavel Stehule <pavel.steh...@gmail.com>
> wrote:
>
>> 2015-12-20 18:37 GMT+01:00 oleg yusim <olegyu...@gmail.com>:
>>
>>> Tom,
>>>
>>> I understand the idea that for external communication you rely on SSL.
>>> However, how about me opening psql prompt into the database directly from
>>> my Linux box, my db is installed at? I thought, it would be considered
>>> local connection and would not go through the SSL channels. If that is the
>>> case, here we would be dealing with Session IDs belonging to DB itself, not
>>> OpenSSL.
>>
>> all necessary data are stored locally in process memory. No session ID is
>> required.
>>
>> Pavel
>>
>>> Please, correct me if I'm wrong.
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Sun, Dec 20, 2015 at 11:28 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
>>>
>>>> oleg yusim <olegyu...@gmail.com> writes:
>>>> > Got it, thanks... Now, is there any protection in place currently against
>>>> > replacing Session ID (my understanding, it is kept in memory, belonging to
>>>> > the session process) or against guessing Session ID (i.e. is Session ID
>>>> > generated using FIPS 140-2 compliant algorithms, or anything of that sort)?
>>>>
>>>> I don't think Postgres even has any concept that matches what you seem
>>>> to think a Session ID is.
>>>>
>>>> If you're looking for communication security/integrity checking, that's
>>>> something we leave to other software such as SSL.
>>>>
>>>> regards, tom lane