Skip to content

Update "Persist Security Info" parameter description#426

Open
vonzshik wants to merge 2 commits intomainfrom
persist-security-update-description
Open

Update "Persist Security Info" parameter description#426
vonzshik wants to merge 2 commits intomainfrom
persist-security-update-description

Conversation

@vonzshik
Copy link
Contributor

@vonzshik vonzshik commented Oct 29, 2025

The current description is quite misleading

roji
roji reviewed Oct 29, 2025
View reviewed changes
conceptual/Npgsql/connection-string-parameters.md Outdated
SSL Negotiation | Controls how SSL encryption is negotiated with the server, if SSL is used. Introduced in 9.0. [See docs for possible values and more info](security.md). | PGSSLNEGOTIATION
Channel Binding | Control whether channel binding is used when authenticating with SASL. Introduced in 8.0. | Prefer
Persist Security Info | Gets or sets a Boolean value that indicates if security-sensitive information, such as the password, is not returned as part of the connection if the connection is open or has ever been in an open state. | false
Persist Security Info | When enabled, security-sensitive information, such as the password, will be included as part of connection string for tracing and logging. | false
Copy link
Member

@roji roji Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we actually log the connection string (with the password) in logging? If so I think that's pretty questionable even when Persist Security Info is enabled... I'd prefer to review and remove this behavior...!

In my mind, this parameter was (at least originally) purely about whether reading NpgsqlConnection.ConnectionString returns the full connection string including the password (once the connection has been opened) - I don't think that it was about logging/tracing originally.

Final nit: is there anything other than the password that's actually covered here? If not, we can remove "such as the password" etc.

Copy link
Member

@Brar Brar Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My interpretation of this feature is that it comes from the OleDb C++ ages where you could really connect to a database and then (given pooling is disabled) zero out the password string after establishing a connection and then the password would really be gone from memory(-dumps).
It has never worked this way in .NET (at least for Npgsql) and reflection and the inability to zero out strings in a garbage collection environment pretty much defeat the purpose.
See the discussion about SecureString (which could work in theory but only if you read a string into unmanaged memory char by char because otherwise the string would always end up in the managed heap).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Brar Brar Brar left review comments

@roji roji roji left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vonzshik @Brar @roji