I'm new to PostgreSQL, working on it from the point of view of Cyber Security assessment. In regards to the here is my questions:
From the security standpoint we have to assure that database invalidates session identifiers upon user logout or other session termination (timeout counts too).
Does PostgreSQL perform this type of actions? If so, where are those Session IDs are stored, so I can verify it?
Postgres is based on processes - for any session is created new process when user is logged and this process is destroyed when user does logout. Almost all data are in process memory only, but shared data related to sessions are stored in shared memory - in array of PGPROC structures. Postgres invalidates these data immediately when process is destroyed. Search PGPROC in our code. Look to postmaster.c, where these operations are described.
What I know, there are not any other session data - so when process is destroyed, then all is destroyed by o.s.
Can be totally different if you use some connection pooler like pgpool or pgbouncer - these applications can reuse Postgres server sessions for more user sessions.