Robert Haas <robertmh...@gmail.com> writes:
> -- might need some defense against the redirected-to server getting
> the same password as was sent to the original server. Is that a
> security risk? Does HTTP have a rule about this?

Without having read any of the previous discussion ... I'd say that if the redirect info is placed in pg_hba.conf then I would expect a redirect to happen before any authentication exchange, so that this is not an issue. Perhaps it would be a good security measure for clients to refuse a redirect once they've sent any auth-related messages.

But ... pg_hba.conf? Really? Surely that is a completely random and inappropriate place to control redirection?

regards, tom lane