HTTP digest auth is another option. But without SSL, I can't see any practical reason to elevate the session security level.

On Jan 24, 1:37 pm, "[email protected]" <[email protected]> wrote:
> The problems I see with that approach are:
>
> - 1 time token can be sniffed. We have limited ssl support with
> appengine which is why the session token client side needs to change.
> - Relying on gears, flash, or even javascript creates client side
> dependencies. gaeutilities already has a dependency on cookies because
> it's low enough level trying to create a way to append the session
> token to all requests for all applications wasn't really possible.
> Though I do have plans to expose the session token via some method to
> provide an opportunity for people to do that. Adding more dependencies
> is something I want to avoid.
>
> On Jan 24, 12:57 pm, yejun <[email protected]> wrote:
>
> > Maybe store a secure token locally on gears or flash, then send one
> > time token by javascript. But the initial token still needs to be
> > delivered by ssl.
