Temporary expirable sessions like we have today could be one way. Generate a temporary session (DB creds) for an authenticated user.

Maybe in the browser context it would reduce the security risk.

However, that DB backend is still listening for logins; it does not know who the client is.

What happens today, imho, is that you have access to pieces of the data tables, not the whole database at once, to run queries at will.

When you fill out an HTML form or click a button, that runs business logic code which might run SQL queries based on a token/id you passed.

That token/id does not have access to the whole database.

Temporary database wide sessions are still a risk in the browser context.
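The distinction drawn above, an application session token that only selects whose rows a fixed query may touch versus handing the client temporary database-wide credentials, as an added Python example (not code from the thread). The schema, sample rows, and the SessionStore/list_orders names are constructed for illustration; the expiry check uses an injectable clock so the behaviour is deterministic.

```python
import secrets
import sqlite3
import time

# Constructed sample schema and rows (not from the thread): two users, each owning some orders.
_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES users(id),
    item TEXT NOT NULL
);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO orders VALUES (10, 1, 'keyboard'), (11, 1, 'mouse'), (12, 2, 'monitor');
"""


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


class SessionStore:
    """Server-side map from opaque token -> (user_id, expiry).

    The browser only ever holds the token; it never holds database credentials,
    so there is nothing it could use to open its own connection and run SQL at will.
    """

    def __init__(self):
        self._sessions = {}

    def issue(self, user_id, ttl_seconds, now=None):
        # Called after the user has authenticated by whatever means the app uses.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, now + ttl_seconds)
        return token

    def resolve(self, token, now=None):
        # Returns the user id for a live token, or None for unknown/expired ones.
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: drop it so it cannot be replayed later
            return None
        return user_id


def list_orders(conn, store, token, now=None):
    """Business-logic endpoint behind a button or form.

    The SQL is fixed by the application; the token decides only which owner_id
    the parameterised WHERE clause is bound to. A valid token therefore reaches
    its own rows and nothing else in the database.
    """
    user_id = store.resolve(token, now)
    if user_id is None:
        return None
    return conn.execute(
        "SELECT id, item FROM orders WHERE owner_id = ? ORDER BY id",
        (user_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    sessions = SessionStore()
    tok = sessions.issue(user_id=1, ttl_seconds=60, now=1000)
    print(list_orders(db, sessions, tok, now=1010))   # alice's two orders only
    print(list_orders(db, sessions, tok, now=1061))   # None: session expired
    print(list_orders(db, sessions, "bogus", now=1010))  # None: unknown token
```

The point to notice is where the scoping lives: the `owner_id` filter is part of the application's query, and the token can only change which value is bound to it. A temporary database-wide credential handed to the browser would remove that boundary, because the backend would then accept any query the holder chose to send.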