public inbox for [email protected]  
help / color / mirror / Atom feed
From: Zsolt Parragi <[email protected]>
To: Ajit Awekar <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Jelte Fennema-Nio <[email protected]>
Cc: Hannu Krosing <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Dave Cramer <[email protected]>
Cc: Heikki Linnakangas <[email protected]>
Subject: Re: Periodic authorization expiration checks using GoAway message
Date: Thu, 22 Jan 2026 07:40:38 +0000
Message-ID: <CAN4CZFNPNm6XWa8QtoYuGatARMddSUDHReW6o8Y5k4kTHm4sDQ@mail.gmail.com> (raw)
In-Reply-To: <CAER375OZojMNP+_Gs4PeatbmbkfOfJ=fxJJ0U15HChnQJfLuUA@mail.gmail.com>
References: <CAER375OvH3_ONmc-SgUFpA6gv_d6eNj2KdZktzo-f_uqNwwWNw@mail.gmail.com>
	<CAGECzQS7Eab2vFBgE8DAq1RnTVoYb0a5X7iMyaNvApAHA7Qm2A@mail.gmail.com>
	<CAMT0RQQTahXBBDRsB9z9wzvB7y9iYO7XiVfTX+2-7DKebxcbrw@mail.gmail.com>
	<CAOYmi+kpSN9MPxP_XeRHVCXP4FcN+n+5hrCdKD9qM9KXSGKhSw@mail.gmail.com>
	<CAGECzQQb6aNZc9MepaEo6Dk2czjZFwPgAuBOp-opdKpuuhVqPA@mail.gmail.com>
	<CAOYmi+mSn8xQ7ExqY07V6G2oFXN2nY+7f4yf_RV2=7xNCKwW-Q@mail.gmail.com>
	<CAGECzQR2P8aO9tDnavLupaTAvD3Fv5e=rq0nfJ=NzT=_U2Wn5g@mail.gmail.com>
	<CAN4CZFOKaU2dfO8Sq_0tAkcq1qq9jcXYKLmEBNDt=M1P3BV5yg@mail.gmail.com>
	<CAOYmi+=fP-df=d64LC=UX0kEGktrHhJ6Wqgt8Y_XhSewmLuixQ@mail.gmail.com>
	<CAN4CZFPMMkbMYMnUE1wqHix22yFNbVm3gP49Fbk_4pKbPYme7g@mail.gmail.com>
	<CAER375Oq7gHy9WSAkRwb6AJVUs7BkSuyi1crQCNfi+kvyB6uVQ@mail.gmail.com>
	<CAOYmi+mb+fo++GvHNtcT2aspRL0jh1cSM7buEca=s9RYtFRfNA@mail.gmail.com>
	<CAER375PhPdkcapQBUx4kHw82KS1LtTfBgvZ_EpOYqK0n1s5Gpw@mail.gmail.com>
	<CAN4CZFNE6OLFzja=ysfhQzC=AORPBH2YdK2-am=cfGuk0A_s7g@mail.gmail.com>
	<CAOYmi+nXPkwam0RnF8ZChNnjeiTyPNa=grOcKZW3pzB2DUfY4Q@mail.gmail.com>
	<CAER375PjJcCWCSyNZVm0GXR6UUiEcrhUgycPf3fi-=sbwuCE1w@mail.gmail.com>
	<CAN4CZFN2T+ORwYnP=_uyAf_CkFBP5ecbphePCYQmwpwSZ1WRRw@mail.gmail.com>
	<CAER375OZojMNP+_Gs4PeatbmbkfOfJ=fxJJ0U15HChnQJfLuUA@mail.gmail.com>

Hello!

> Done. I have modified the condition check so as it will not impact users
> having rolvaliduntil to NULL.

Thanks! After one more look at this, shouldn't we refresh the cache if
AuthCheckNeeded, regardless of the valid until timestamp value? (for
example by moving the >0 condition to the inner if)

Consider the following scenario:

1. user logs in, without a valid until date set
2. valid until is set to something
3. existing session started in 1 will never be terminated


postgres.c:5368 - I missed this in my previos review, the error
message should start with a lowercase character.


> This patch introduces a mechanism to address the security issue of stale,
> authorized connections persisting beyond their validity period. .

postgres.c:5326 - if the user was dropped, but the connection is still
active, the patch silently ignores it. That matches the current
behavior of postgres, but is that the expected behavior in the context
of this patch?






view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Periodic authorization expiration checks using GoAway message
  In-Reply-To: <CAN4CZFNPNm6XWa8QtoYuGatARMddSUDHReW6o8Y5k4kTHm4sDQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox