John R Pierce wrote: > On 2/12/2016 5:20 AM, Lesley Kimmel wrote: >> Thanks for the reply Laurenz. Of course the first thing that I thought >> of to prevent man-in-the-middle was SSL. However, I also like to try >> to address the issue in a way that seems to get at what they are >> intending. It seemed to me that they wanted to do some configuration >> within the database related to session IDs. > > when the connection is broken, the process exits and the session ceases > to exist. there are no 'session IDs' to speak of (they are process > IDs instead, but a new process mandates new authentication, there's no > residual authorizations associated with a PID).
I might be misunderstanding, but is there any connection to a man-in-the-middle attack? Without SSL, anybody who can tap into the TCP communication can inject SQL statements. No session ID is required. Yours, Laurenz Albe -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
