Return the original authenticated user name for the current session.
SESSION_USER()## Overview Returns the user name that authenticated the current session, regardless of any role changes or impersonation performed during the session. Use SESSION_USER when you need a stable login identity for auditing, correlation, or policies that must survive SET ROLE. CURRENT_USER returns the effective role (which may change mid-session). SESSION_USER never changes once the session is established. ## Session context - The value is fixed at session establishment. - SET ROLE and equivalent impersonation commands do not change SESSION_USER. - Takes no arguments; both `SESSION_USER` and `SESSION_USER()` are accepted. - Never returns NULL in a properly authenticated session. ## Behavior - Always returns a non-NULL string. - Deterministic for the duration of the session. - Side effect free. ## Compatibility - Matches the SQL-standard SESSION_USER and the PG-compat function of the same name.
-- Read the immutable session identity
SELECT SESSION_USER();-- Contrast with CURRENT_USER to detect role switches
SELECT SESSION_USER() AS logged_in, CURRENT_USER() AS effective;-- Audit original login in a security log
INSERT INTO ops.audit.security_events (event_id, session_user, effective_user, event_at)
VALUES (UUID(), SESSION_USER(), CURRENT_USER(), CURRENT_TIMESTAMP);-- Block a query when effective role differs from login
SELECT SESSION_USER()
WHERE SESSION_USER() = CURRENT_USER(); -- returns zero rows if a role is assumed