Hi Melvin, Thank you very much, that logging option really helps (I need to give instructions, people, who are not very code literate should be capable of executing). And, point taken about exact version and enviornment - PostgreSQL 9.4.5, Linux box.
Thanks, Oleg On Sun, Dec 20, 2015 at 10:19 AM, Melvin Davidson <melvin6...@gmail.com> wrote: > PostgreSQL does not "store" the session_id per se in any system > catalogs/tables, however, you can configure the log_line_prefix in > postgresql.conf to record it for each connection. It will then be stored in > the postgresql log file. > Please not that in the future, it is always helpful to provide the exact > version of PostgreSQL and the O/S you are working with. > > On Sun, Dec 20, 2015 at 11:08 AM, Pavel Stehule <pavel.steh...@gmail.com> > wrote: > >> Hi >> >> 2015-12-20 16:16 GMT+01:00 oleg yusim <olegyu...@gmail.com>: >> >>> Greetings! >>> >>> I'm new to PostgreSQL, working on it from the point of view of Cyber >>> Security assessment. In regards to the here is my questions: >>> >>> From the security standpoint we have to assure that database invalidates >>> session identifiers upon user logout or other session termination (timeout >>> counts too). >>> >>> Does PostgreSQL perform this type of actions? If so, where are those >>> Session IDs are stored, so I can verify it? >>> >> >> Postgres is based on processes - for any session is created new process >> when user is logged and this process is destroyed when user does logout. >> Almost all data are in process memory only, but shared data related to >> sessions are stored in shared memory - in array of PGPROC structures. >> Postgres invalidates these data immediately when process is destroyed. >> Search PGPROC in our code. Look to postmaster.c, where these operations are >> described. >> >> What I know, there are not any other session data - so when process is >> destroyed, then all is destroyed by o.s. >> >> Can be totally different if you use some connection pooler like pgpool or >> pgbouncer - these applications can reuse Postgres server sessions for more >> user sessions. >> >> Regards >> >> Pavel >> >> >>> >>> Thanks, >>> >>> Oleg >>> >> >> > > > -- > *Melvin Davidson* > I reserve the right to fantasize. Whether or not you > wish to share my fantasy is entirely up to you. >
