Hi Pavel,

Thanks for your response, it helps. Now, from my observations (PostgreSQL 9.4.5, installed on a Linux box), if I enter the psql prompt in my ssh session to the box and leave it open like that, it doesn't time out. Is that really the case? A session to the PostgreSQL DB doesn't terminate on timeout (or rather doesn't have one), or did I just happen to miss a configuration option?

Thanks,
Oleg

On Sun, Dec 20, 2015 at 10:08 AM, Pavel Stehule <pavel.steh...@gmail.com> wrote:

> Hi
>
> 2015-12-20 16:16 GMT+01:00 oleg yusim <olegyu...@gmail.com>:
>
>> Greetings!
>>
>> I'm new to PostgreSQL, working on it from the point of view of Cyber
>> Security assessment. In regards to the here is my questions:
>>
>> From the security standpoint we have to assure that the database invalidates
>> session identifiers upon user logout or other session termination (timeout
>> counts too).
>>
>> Does PostgreSQL perform this type of action? If so, where are those
>> Session IDs stored, so I can verify it?
>>
>
> Postgres is based on processes - for any session a new process is created
> when the user logs in, and this process is destroyed when the user logs out.
> Almost all data are in process memory only, but shared data related to
> sessions are stored in shared memory - in an array of PGPROC structures.
> Postgres invalidates these data immediately when the process is destroyed.
> Search for PGPROC in our code. Look at postmaster.c, where these operations
> are described.
>
> As far as I know, there is no other session data - so when the process is
> destroyed, then all is destroyed by the o.s.
>
> It can be totally different if you use some connection pooler like pgpool or
> pgbouncer - these applications can reuse Postgres server sessions for more
> user sessions.
>
> Regards
>
> Pavel
>
>
>>
>> Thanks,
>>
>> Oleg
>>
>
>
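
One way to check the process-per-session behaviour described above from SQL, added here as an example that is not part of the original thread. It assumes two psql sessions, the second connected as a superuser so that `state` is visible for other users' backends; the pid `12345` and the 30-minute threshold are placeholders chosen for illustration.

```sql
-- Session A: record the server process (backend) that serves this connection.
SELECT pg_backend_pid();

-- Session B, while session A is still open: the backend is listed.
-- Replace 12345 (placeholder) with the pid returned in session A.
SELECT pid, usename, datname, client_addr, backend_start, state, state_change
FROM pg_stat_activity
WHERE pid = 12345;

-- Session B, after session A has quit psql (\q): the same query should
-- return zero rows, because the backend process has exited and its
-- shared-memory slot has been released.
SELECT count(*) AS still_present
FROM pg_stat_activity
WHERE pid = 12345;

-- Audit view: sessions that have sat idle longer than the chosen threshold
-- (30 minutes is an assumed policy value, not a PostgreSQL default).
SELECT pid,
       usename,
       datname,
       client_addr,
       backend_start,
       now() - state_change AS idle_for
FROM pg_stat_activity
WHERE state = 'idle'
  AND pid <> pg_backend_pid()
  AND state_change < now() - interval '30 minutes'
ORDER BY idle_for DESC;

-- Enforcement: end those idle sessions from the server side.
-- pg_terminate_backend() returns true for each backend it signalled.
SELECT pid, usename, pg_terminate_backend(pid) AS terminated
FROM pg_stat_activity
WHERE state = 'idle'
  AND pid <> pg_backend_pid()
  AND state_change < now() - interval '30 minutes';
```

Behind a connection pooler such as pgpool or pgbouncer, the rows in `pg_stat_activity` describe the pooler's server connections, so a client logout will not necessarily remove a row.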