Hi there! "- a logged in user could manipulate the RPC call (he could for example exchange his userID by the ID of someone else and access the data of this user)****
- to avoid that I need to verify that the user ID matches the session ID assigned when he logged in."**** Can you describe how your code works that makes this an issue? If you're using the Users API, it shouldn't be a problem, but I suspect you are doing something where a native client call is directly translated to a low level datastore API call. -- Ikai Lan Developer Programs Engineer, Google App Engine plus.ikailan.com | twitter.com/ikai On Wed, Jan 11, 2012 at 7:18 AM, meiaestro <jmalbre...@gmx.de> wrote: > Hi all!**** > > ** ** > > I was thinking about making my RPC calls to the server (datastore > commands) more secure against java script or data stream modifications on > client side (when user is already signed in and validated). **** > > ** ** > > Problem:**** > > - right now all datastore requests are transmitted 1:1 from client to > server via RPC calls.**** > > - a logged in user could manipulate the RPC call (he could for > example exchange his userID by the ID of someone else and access the data > of this user)**** > > - to avoid that I need to verify that the user ID matches the session ID > assigned when he logged in.**** > > - Idea: I want to proxy every request through a single method on server > side and only if the user is validated against his session the specified > server method is called.**** > > ** ** > > Not a clue how to implement:**** > > - specify an Interface with all datastore methods available.**** > > - sending a "method call" (which is defined by the interface) via RPC call > to the server**** > > - within the proxy method on server side verify the user and execute the > "method call" > > - if applicable return the return value asynchonously > > > Is this a common approach? If not, what is a common approach? And also: > How can one avoid thievery of the session ID? > > > I would appreciate any hint. > > Thanks & greetings. > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine for Java" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/google-appengine-java/-/V2AK2IBABxkJ. > To post to this group, send email to > google-appengine-java@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine-java+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine-java?hl=en. > -- You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group. To post to this group, send email to google-appengine-java@googlegroups.com. To unsubscribe from this group, send email to google-appengine-java+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
