Re: On login trigger: take three

> On 30 Sep 2021, at 04:15, Greg Nancarrow <gregn4422(at)gmail(dot)com> wrote:
>
> On Wed, Sep 29, 2021 at 10:14 PM Teodor Sigaev <teodor(at)sigaev(dot)ru> wrote:
>>
>> Nice feature, but, sorry, I see some design problem in suggested feature. AFAIK,
>> there is two use cases for this feature:
>> 1 A permission / prohibition to login some users
>> 2 Just a logging of facts of user's login
>>
>> Suggested patch proposes prohibition of login only by failing of login trigger
>> and it has at least two issues:
>> 1 In case of prohibition to login, there is no clean way to store information
>> about unsuccessful login. Ok, it could be solved by dblink module but it seems
>> to scary.
>
> It's an area that could be improved, but the patch is more intended to
> allow additional actions on successful login, as described by the
> following (taken from the doc updates in the patch):
>
> + <para>
> + The event trigger on the <literal>login</literal> event can be
> + useful for logging user logins, for verifying the connection and
> + assigning roles according to current circumstances, or for some
> session data
> + initialization.
> + </para>

Running user code with potential side effects on unsuccessful logins also open
up the risk for (D)DoS attacks.

--
Daniel Gustafsson https://vmware.com/