I built my own authentication system on top of gmemsess, a memcache-
backed session object. It's not entirely easy - there are a lot of
things you have to get right to make it secure. Unfortunately my
code isn't modular enough to publish, but here are a few pointers...

- Store a hash of the password on appengine. This means admin cannot
steal passwords, as well as allowing for safe transport of the
password.
- Javascript on your login form should first hash the password, then
hash the result with a salt - say the session id. The extra salted
hash prevents a sniffer from simply sending the hash to login, and
also guards against using rainbow tables to discover the password.
Make sure you destroy the field containing the original password, so
it isn't sent in clear along with the hash!
- On appengine, hash the stored password hash with the salt and
compare with the sent hash - they should be the same.
- I usually disable the account if I get three wrong passwords, to
prevent dictionary attacks. This requires some admin work to handle
users who've been locked out, but means you don't need to implement
captchas.
- Authentication is only the first step - you need to keep security at
the top of your agenda throughout the whole application. For instance,
if you have a url like fox.delete?id=123 that deletes a user's fox,
always check that 123 actually belongs to this user. Otherwise users
could delete other users' foxes by retyping the url.

gmemsess is at http://code.google.com/p/gmemsess/

Cheers!
Greg.
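The flow the pointers above describe, as an added example (not Greg's code, and not gmemsess's or the App Engine datastore's API): the browser-side JavaScript step is simulated by a Python function, the user record lives in a constructed in-memory dict, HMAC-SHA256 keyed with the session id is my choice for "hash the result with a salt", the stored first-stage hash is unsalted SHA-256 of the password because that is what the browser can compute, and the server compares with a constant-time compare. The last function is the ownership check from the final point, over a constructed {fox_id: owner} map.

```python
import hashlib
import hmac

# Lockout threshold from the post: three wrong passwords disables the account.
MAX_FAILURES = 3


def password_hash(password: str) -> str:
    """First-stage hash. In the post's scheme the browser's JavaScript computes
    this, and it is the value stored on the server instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(pw_hash: str, session_id: str) -> str:
    """Second-stage hash: the first-stage hash keyed with the session id (HMAC
    is my choice of construction). A captured value is only valid for the one
    session it was computed under, which is what defeats a sniffed replay."""
    return hmac.new(session_id.encode("utf-8"), pw_hash.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def browser_login_submit(password: str, session_id: str) -> str:
    """Stand-in for the login form's JavaScript: hash, salt with the session
    id, and send only the result; the plaintext field is never transmitted."""
    return salted_hash(password_hash(password), session_id)


class UserStore:
    """Constructed in-memory stand-in for the datastore (hypothetical API)."""

    def __init__(self) -> None:
        self.users = {}  # username -> {"pw_hash", "failures", "disabled"}

    def register(self, username: str, password: str) -> None:
        # Only the hash is persisted; the server never sees the password.
        self.users[username] = {"pw_hash": password_hash(password),
                                "failures": 0, "disabled": False}

    def login(self, username: str, session_id: str, sent_hash: str) -> bool:
        user = self.users.get(username)
        if user is None or user["disabled"]:
            return False
        # Server side of the scheme: salt the stored hash with the same session
        # id and compare. compare_digest avoids a timing side channel.
        expected = salted_hash(user["pw_hash"], session_id)
        if hmac.compare_digest(expected, sent_hash):
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["disabled"] = True  # an admin has to re-enable, as in the post
        return False

    def is_disabled(self, username: str) -> bool:
        return self.users[username]["disabled"]


def delete_fox(foxes: dict, fox_id: int, current_user: str) -> bool:
    """Authorization check for fox.delete?id=N: the fox must belong to the
    logged-in user, otherwise the request is refused. `foxes` maps id -> owner."""
    if foxes.get(fox_id) != current_user:
        return False
    del foxes[fox_id]
    return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery")
    sent = browser_login_submit("correct horse battery", "session-A")
    print("login in session-A:", store.login("alice", "session-A", sent))
    print("same value replayed in session-B:",
          store.login("alice", "session-B", sent))
    foxes = {123: "alice", 124: "bob"}
    print("alice deleting bob's fox 124:", delete_fox(foxes, 124, "alice"))
```

Two things worth keeping in mind when adapting this: the replay protection only holds if the session id is fresh and unguessable for each login attempt, and because the server keeps and directly salts the first-stage hash, that stored value needs the same protection a password would for this login flow.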

On Nov 6, 4:22 pm, "Calvin Spealman" <[EMAIL PROTECTED]> wrote:
> I think being able to present a branded registration page is one of my
> biggest appengine wishes.
>
> On Nov 5, 2008 10:59 AM, "CP" <[EMAIL PROTECTED]> wrote:
>
> I'm about to start on an App Engine based project and one of my
> requirements is that users can create an account, log in and store
> persistent information.
>
> I've been reading around the User API and whilst it looks very slick,
> I don't *think* I want to make users of my site/application sign up
> for a Google account.
>
> This means I need to write one from scratch or find someone who has
> done it already in a generic fashion. I've never done anything like
> that before so it's a little daunting but I'm sure it'll be fun.
>
> Has anyone done so and can share before I embark on this myself?
> Perhaps even just some advice or tips specific to a GAE based
> implementation.
>
> Cheers.
>
> CP
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
http://groups.google.com/group/google-appengine?hl=en
