Great feedback and advice Greg - thank you. I made some progress last night and will take your suggestions on board.
My approach so far is to let the user input a desired username, password along with an email address. I create an unguessable UUID and store everything in the database. I also send an email to the address entered with a URL containing the UUID that enables that account. Once it's enabled, a login script lets you log in. Not sure what's next - set a cookie to indicate they're logged in or carry that state around in the URL. Maybe you need both - a fragment of a string as part of the URL that is related somehow to what's stored in the cookie??? In any event, I need to add in your suggestions for storing the passwords etc. I must say, this kind of application creation (and Python) is new to me but I'm finding it immensely enjoyable. Programming is fun again :) When I come up with something that's worth looking at, I'll post here and perhaps we can all pick it apart.

Cheers.

CP

> - Store a hash of the password on appengine. This means admin cannot
> steal passwords, as well as allowing for safe transport of the
> password.
> - Javascript on your login form should first hash the password, then
> hash the result with a salt - say the session id. The extra salted
> hash prevents a sniffer from simply sending the hash to login, and
> also guards against using rainbow tables to discover the password.
> Make sure you destroy the field containing the original password, so
> it isn't sent in clear along with the hash!
> - On appengine, hash the stored password hash with the salt and
> compare with the sent hash - they should be the same.
> - I usually disable the account if I get three wrong passwords, to
> prevent dictionary attacks. This requires some admin work to handle
> users who've been locked out, but means you don't need to implement
> captchas.
> - Authentication is only the first step - you need to keep security at
> the top of your agenda throughout the whole application. For instance,
> if you have a url like fox.delete?id=123 that deletes a user's fox,
> always check that 123 actually belongs to this user. Otherwise users
> could delete other users' foxes by retyping the url.
>
> gmemsess is at http://code.google.com/p/gmemsess/
>
> Cheers!
> Greg.
>
> On Nov 6, 4:22 pm, "Calvin Spealman" <[EMAIL PROTECTED]> wrote:
>
> > I think being able to present a branded registration page is one of my
> > biggest appengine wishes.
> >
> > On Nov 5, 2008 10:59 AM, "CP" <[EMAIL PROTECTED]> wrote:
> >
> > I'm about to start on an App Engine based project and one of my
> > requirements is that users can create an account, log in and store
> > persistent information.
> >
> > I've been reading around the User API and whilst it looks very slick,
> > I don't *think* I want to make users of my site/application sign up
> > for a Google account.
> >
> > This means I need to write one from scratch or find someone who has
> > done it already in a generic fashion. I've never done anything like
> > that before so it's a little daunting but I'm sure it'll be fun.
> >
> > Has anyone done so and can share before I embark on this myself?
> > Perhaps even just some advice or tips specific to a GAE based
> > implementation.
> >
> > Cheers.
> >
> > CP
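The login flow Greg sketches above (browser sends H(H(password) + session id), server recomputes it from the stored hash), combined with CP's UUID activation link and the three-wrong-passwords lockout, as an added Python sketch that is not code from either poster. The in-memory USERS dict, SHA-256 as the hash, and all function names are assumptions; the browser-side JavaScript step is emulated here by client_proof().

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed in-memory stand-in for the datastore: username -> record.
# Only H(password) is ever stored, never the password itself.
USERS = {}

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def register(username: str, password: str) -> str:
    """Store H(password) and return the unguessable activation token
    that would be mailed to the user inside an enable-account URL."""
    USERS[username] = {"pw_hash": sha256_hex(password), "enabled": False,
                       "token": str(uuid.uuid4()), "failures": 0}
    return USERS[username]["token"]

def activate(username: str, token: str) -> bool:
    """Enable the account only if the presented token matches."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["token"], token):
        return False
    user["enabled"] = True
    return True

def new_session_id() -> str:
    """Per-session salt handed to the login form (e.g. via gmemsess)."""
    return secrets.token_hex(16)

def client_proof(password: str, session_id: str) -> str:
    """What the login-page JavaScript computes: H(H(password) + session_id).
    The raw password never leaves the browser; a captured proof is only
    valid for this one session id, so it cannot simply be replayed."""
    return sha256_hex(sha256_hex(password) + session_id)

def login(username: str, session_id: str, proof: str) -> bool:
    """Server side: recompute H(stored_hash + session_id) and compare in
    constant time. Three wrong attempts lock the account. Note that anyone
    holding pw_hash can produce a proof, so the datastore must be guarded
    as carefully as the passwords themselves."""
    user = USERS.get(username)
    if user is None or not user["enabled"] or user["failures"] >= 3:
        return False
    expected = sha256_hex(user["pw_hash"] + session_id)
    if hmac.compare_digest(expected, proof):
        user["failures"] = 0
        return True
    user["failures"] += 1
    return False
```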
