Sessions provide you with a way to store information about the current
site visitor across requests. It's the foundation for an
authentication system, but does not actually provide.
What you would need to do is store within the session that the user is
logged in. In most cases it would work something like this.
User goes to site.
User fills in and submits authentication information.
You site validates the information.
If valid, you'd store in the session the id that for that user.
(session['user_id'] = id)
For future requests, you'd check and see if that id is stored in the
session to validate the user is logged in. (if session.has_key
('user_id')
gaeutilities sessions do expire, and this is customizable on
initialization. gaeutilities also offers the ability for you to not
set an expiration on the cookie, meaning it will be cleared out when
the user closes their browser.
The session process, simplified, works like this.
User visits site.
Session is initialized
Session checks to see if there is a cookie in the browser with a
session token
If there is not one, it creates a new session object locally,
generates a token, and stores it in the local session object and as a
cookie in the browser.
If there is a session token cookie, it checks the local database to
see if there is a session with that token.
If there is not a session for that token, it creates a new session
object locally, generates a token, and stores it in the local session
object and as a cookie in the browser.
If there is a session with that token, it then checks the session
token to determine if it needs to be regenerated due to expiration. If
this is the case, then it creates a new token and stores it in the
local object as well as writing out a new cookie. This is not a new
session, just a new token to access the session.
If the token is found, session.last_activity is also checked to see if
the session itself has expired. The length a session is valid for is
also customizable. If the session has expired, then a new session is
created per what is described above.
I hope this helps.
On Jan 28, 9:51 am, solidus <[email protected]> wrote:
> I tried looking online on how to define a descriptor and it looks
> fairly straightforward, but I don't see how to incorporate it with the
> @ syntax that google's @requier_login uses. Can you point me in the
> right direction or show me a a way to do this?
>
> Thanks again!
>
> On Jan 28, 9:09 am, Blixt <[email protected]> wrote:
>
> > Oh and regarding your second question:
> > This behavior can be implied to the user's browser by not sending an
> > expiry header for the cookie that holds the session id. I don't know
> > if gaeutilities let's you specify this, but I would assume it does.
>
> > If you want to truly enforce it on the server side, you can add a
> > timestamp to your sessions in the datastore and not let the user
> > continue using a session if the session hasn't been requested for x
> > amount of time. The timestamp would be updated every time the session
> > is requested so that the session only expires if the user stops using
> > the page for a while (which would imply that the user has left the
> > page.)
>
> > On Jan 28, 3:02 pm, Blixt <[email protected]> wrote:
>
> > > If you're familiar with Python:
> > > If you've got separate request handlers for the parts of the site that
> > > require login and the parts that don't, you can make a function
> > > descriptor that checks if the user is logged in before calling the
> > > actual function. If the user is not logged in, it redirects to a login
> > > page. Then you can use this descriptor on the get / post methods.
>
> > > Google provides this functionality with their @require_login
> > > descriptor that redirects to the Google Accounts login page if the
> > > user is not logged in, but this doesn't work when rolling your own
> > > authentication system, obviously.
>
> > > If you're not familiar with Python:
> > > The simplest way is probably to just make a function you can call that
> > > returns True if the user is logged in. If the user is not logged in,
> > > it redirects the user to your login page, then returns False. In your
> > > actual get / post method you check whether the result of this function
> > > is False, and if so, you leave the method:
>
> > > def logged_in(request):
> > > if [user is logged in]:
> > > return True
> > > request.redirect('/login')
> > > return False
>
> > > class UserSettings(webapp.RequestHandler):
> > > def get(self):
> > > if not logged_in(self): return
> > > # show page
>
> > > On Jan 28, 3:13 am, solidus <[email protected]> wrote:
>
> > > > Hi all,
>
> > > > I'm new to appengine and somewhat new to web development. My question
> > > > is regarding proper ways to use sessions.
>
> > > > I'm currently messing around using the gaeutilities sessions module. I
> > > > have a basic login page and some content. The question is what is the
> > > > standard/best practice way to ensure that users aren't accessing parts
> > > > of your site (via direct URL) without first going through the login
> > > > screen?
>
> > > > Also, how does one go about deleting or clearing session data once the
> > > > user leaves the site without logging out first?
>
> > > > Thanks!- Hide quoted text -
>
> > - Show quoted text -
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---
