Does beaker store all session information as cookies? I'm just trying to figure out the value in the signed cookie approach, because if I can figure out a way for it to make sense I would consider moving gaeutilities to that approach.
gaeutilities stores only a temporary session token in the browser cookie store; all information is stored server side for security. Since I only have the one cookie, which is basically an id to find the session server side with, I don't see a way for this approach to keep a session from being hijacked, as in the end the 'hash-value' string could be hijacked and reused by another browser.

The performance issue with gaeutilities, and why Jeremy is looking for options, is that the approach I've taken to securing the session id requires frequent put() operations. I've seen some other blogs which have mentioned this is a performance bottleneck for gae, but I haven't been able to come up with another approach that will not sacrifice reliability or performance.

Basically I rotate the session id in the cookie every 5 seconds (this length is configurable). I store the current plus previous 2 tokens in a ListProperty in order to manage sites using AJAX type functionality. A session token is generally good for 15 seconds with this approach. Longer if there are no interim requests generating new tokens, as a new token is only generated when the 5 second TTL is hit. So you come back 2 minutes later, and the session token is still valid for that request, just regenerated on the request. As you can imagine, this is a lot of put operations for each session.

I deemed just using memcache to not be a viable alternative because it's documented that it's volatile storage; it can be cleared at any time. I do use memcache for speeding up reads to the session data, limiting read access to the datastore. I'm definitely open to suggestions for a method to do this without all the puts, the key being that reliability and security are more important than performance.
In the end it's cheaper to pay for the CPU usage than the risks by allowing users to have their sessions easily hijacked, depending on the application, or having sessions randomly lost due to the storage medium not being permanent enough.

On Jan 21, 6:27 pm, jeremy <[email protected]> wrote:
> thanks for the suggestions.
>
> does beaker really work out of the box with gae?
>
> On Jan 21, 1:06 am, Ian Bicking <[email protected]> wrote:
> > On Tue, Jan 20, 2009 at 10:40 PM, jeremy <[email protected]> wrote:
> > > can anyone recommend / mention a session manager other than the one in
> > > gaeutilities?
> >
> > Beaker works with GAE: http://beaker.groovie.org/
> >
> > --
> > Ian Bicking | http://blog.ianbicking.org
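The rotation scheme described in the post above (opaque token in the cookie, all state server side, a fresh token every 5 seconds, current plus previous two kept so overlapping AJAX requests still resolve) is easy to misjudge without seeing the window move. The following is an added illustration written for this thread, not gaeutilities code: the datastore entity and its ListProperty are stood in for by an in-memory dict, `put()` is a counter so the write cost the post complains about is visible, and `FakeClock`, `SessionStore` and `demo` are names chosen here. It shows how a token captured at t=0 stops resolving once three rotations have happened, and how a client still holding an older in-window token is handed the newest one.

```python
"""Rotating server-side session tokens as described in the post:
the browser holds only an opaque token, every byte of state lives server
side, the token is replaced every ROTATE_TTL seconds, and the last
KEEP_TOKENS tokens stay valid so overlapping AJAX requests do not fail.

Added example; the in-memory dict and put_count stand in for the
datastore entity and its put() calls.
"""
import hashlib
import os
import time

ROTATE_TTL = 5.0    # seconds before the current token is replaced (configurable, per the post)
KEEP_TOKENS = 3     # current token plus the previous two


def _new_token():
    # 256 bits from the OS CSPRNG, hex-encoded so it is cookie-safe
    return hashlib.sha256(os.urandom(32)).hexdigest()


class SessionStore:
    """Server-side store; `clock` is injectable so rotation can be tested deterministically."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}      # sid -> {"tokens": [...], "last_rotate": float, "data": {}}
        self._token_index = {}   # token -> sid (stands in for a ListProperty equality query)
        self.put_count = 0       # number of simulated datastore put() calls

    def _put(self, sid, rec):
        """Persist the record and keep the token index in step with the token window."""
        self.put_count += 1
        self._sessions[sid] = rec
        # tokens that fell out of the window must stop resolving immediately
        for tok, owner in list(self._token_index.items()):
            if owner == sid and tok not in rec["tokens"]:
                del self._token_index[tok]
        for tok in rec["tokens"]:
            self._token_index[tok] = sid

    def create(self):
        """Start a new session; returns the token to set in the cookie."""
        sid = hashlib.sha256(os.urandom(16)).hexdigest()[:16]
        tok = _new_token()
        self._put(sid, {"tokens": [tok], "last_rotate": self.clock(), "data": {}})
        return tok

    def resolve(self, cookie_token):
        """Validate the token presented by the browser.

        Returns (session_data, token_to_set), or None when the token is unknown
        or has already rotated out of the window. token_to_set is always the
        newest token, so a client presenting an older in-window token catches up.
        """
        sid = self._token_index.get(cookie_token)
        if sid is None:
            return None
        rec = self._sessions[sid]
        now = self.clock()
        if now - rec["last_rotate"] >= ROTATE_TTL:
            # rotation: prepend a fresh token, keep the last KEEP_TOKENS, write back (one put)
            rec["tokens"] = ([_new_token()] + rec["tokens"])[:KEEP_TOKENS]
            rec["last_rotate"] = now
            self._put(sid, rec)
        return rec["data"], rec["tokens"][0]

    def destroy(self, cookie_token):
        """Logout: remove the session and every token that still pointed at it."""
        sid = self._token_index.get(cookie_token)
        if sid is None:
            return False
        for tok in self._sessions[sid]["tokens"]:
            self._token_index.pop(tok, None)
        del self._sessions[sid]
        return True


class FakeClock:
    """Constructed clock for the demo and test; advance `t` by hand."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Present the t=0 token at t=1,5,10,15,16; returns (accepted flags, put_count)."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    first = store.create()          # t=0, put #1
    accepted = []
    for t in (1, 5, 10, 15, 16):
        clock.t = float(t)
        accepted.append(store.resolve(first) is not None)
    return accepted, store.put_count


if __name__ == "__main__":
    print(demo())   # ([True, True, True, True, False], 4)
```

With a 5 second TTL and a three-token window, the token issued at t=0 is accepted through the rotation at t=15 (which drops it) and rejected at t=16, matching the post's "generally good for 15 seconds"; the four puts for one idle-ish session over 16 seconds are the write cost the post is asking how to avoid.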
