Re: md5 again

From Karel Zak
Subject Re: md5 again
Date
Msg-id Pine.LNX.3.96.1000711184552.17539B-100000@ara.zf.jcu.cz
In reply to md5 again  (Vince Vielhaber <vev@michvhf.com>)
List pgsql-hackers
> If CL sends the MD5 of the username rather than the plaintext username,
> only CL and PG will know what the username is.  PG will know it by 
> comparing it with the MD5 of every username in pg_shadow. So even if the
> wire is being sniffed the unhashed username can be used in the password's
> encryption along with the salt sent by PG.  This method will take longer
> for a user to log in, but the login process is only per session, not per
> SQL call.  
But don't forget that some web applications need a fast login. And if it is not
possible to use a persistent connection, it is necessary to log in for each access to a web
page. (...etc.).
The login speed is a feature to keep track of too.
                    Karel                    
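
The server-side lookup described in the quoted proposal, as an added example that is not part of the original thread or of PostgreSQL's code: the server hashes every stored username until one matches the digest sent by the client, so each login costs up to one MD5 per row. The user list is constructed sample data, and `build_digest_index` is a hypothetical helper (an assumption, not something proposed in the thread) showing how hashing once up front removes the per-login scan.

```python
import hashlib

# Constructed sample data standing in for the usernames stored in pg_shadow.
PG_SHADOW_USERS = ["postgres", "karel", "vince", "bruce", "webapp"]


def md5_hex(text):
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def lookup_by_scan(sent_digest, usernames):
    """Server side as quoted: hash every stored username until one matches.

    Returns (username or None, number of MD5 computations performed).
    """
    hashed = 0
    for name in usernames:
        hashed += 1
        if md5_hex(name) == sent_digest:
            return name, hashed
    return None, hashed


def build_digest_index(usernames):
    """Assumption, not from the thread: hash each username once up front so
    that every later login is a single dictionary lookup."""
    return {md5_hex(name): name for name in usernames}


def lookup_by_index(sent_digest, index):
    """Resolve a digest with the precomputed index; None if unknown."""
    return index.get(sent_digest)


if __name__ == "__main__":
    digest = md5_hex("webapp")  # what the client (CL) would put on the wire
    # Last row in the table: the scan hashes all five usernames.
    print(lookup_by_scan(digest, PG_SHADOW_USERS))
    # An unknown username also forces a full scan before it is rejected.
    print(lookup_by_scan(md5_hex("nobody"), PG_SHADOW_USERS))
    index = build_digest_index(PG_SHADOW_USERS)
    print(lookup_by_index(digest, index))
```
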


