The session regeneration is part of a put() that happens every request to update the timestamp on the session anyhow. The short timespan is for security to avoid man in the middle attacks. With the default 5 second setting for a token (with current + previous session available as an acceptable id), an attacker would have 10 seconds to sniff, and duplicate the session token to attempt to hijack a session.
Regeneration only happens on request, and is based off of a server side timestamp. Clientside update is server driven.

.7.1 which includes this functionality was just released. If you'd like to just see the source, here's a link to that.

http://code.google.com/p/appengine-utitlies/source/browse/tags/.7.1/appengine_utilities/sessions.py?r=118

On Aug 27, 6:24 pm, javaDinosaur <[EMAIL PROTECTED]> wrote:
> Is such a high frequency regeneration required for the type of apps
> hosted on AppEngine? An ASPX session cookie is good for 10 minutes
> at least I think.
>
> Does the regeneration cause update churn in the Datastore session
> store index that I assume backs up your sessions?
>
> Does the regeneration only happen during a request?
>
> The clientside update is driven by the server reply I assume?
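The rotation scheme described in this message, modelled as an added Python example that is not code from appengine-utilities or from the post: it measures how long a token captured at t=0 stays usable when the server accepts only the current and previous token. The class and function names, the injected clock, the one-request-per-second client, and the rule that rejected requests never trigger rotation are all assumptions made for illustration.

```python
import hmac
import secrets


class RotatingSession:
    """One server-side session whose token rotates every `ttl` seconds."""

    def __init__(self, clock, ttl=5):
        self.clock = clock          # callable returning server time (seconds)
        self.ttl = ttl              # 5 s, the default quoted in the post
        self.current = secrets.token_hex(16)
        self.previous = None
        self.issued_at = clock()

    def _accepted(self):
        # Once the current token is due for rotation, the previous one is dead.
        due = self.clock() - self.issued_at >= self.ttl
        live = [self.current] if due else [self.current, self.previous]
        return due, [t for t in live if t]

    def accepts(self, token):
        """Side-effect-free check: would this token be honoured right now?"""
        _, live = self._accepted()
        return any(hmac.compare_digest(token.encode(), t.encode()) for t in live)

    def handle_request(self, token):
        """Return the token the client must store next, or None if rejected."""
        if not self.accepts(token):
            return None             # assumption: rejected requests never rotate
        due, _ = self._accepted()
        if due:                     # rotation is decided by server time only
            self.previous, self.current = self.current, secrets.token_hex(16)
            self.issued_at = self.clock()
        return self.current


def replay_window(seconds=15, ttl=5):
    """Seconds at which a token captured at t=0 is still honoured."""
    now = [0]
    session = RotatingSession(lambda: now[0], ttl)
    sniffed = client = session.current
    honoured = []
    for t in range(1, seconds + 1):     # constructed: one request per second
        now[0] = t
        if session.accepts(sniffed):
            honoured.append(t)
        client = session.handle_request(client)
    return honoured
```

With the 5 second default, `replay_window()` reports the captured token honoured from second 1 through second 9 and rejected from second 10 on, which is the 10 second window the message describes.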
