Really informative post for a beginner like me. The post title suits me completely. I need to make a basic user management system for my app. I have been googling the possibility of using the django admin interface with GAE, but the django-appengine-helper and django-patch look hackish to me. I don't really want them to be. At the same time I wanted to find something ready-made (being lazy, that I am). Both the session handlers above, gaeutils and gmemsess, provide me with a good start. Is there any simple user registration or login framework that I can use? Of course, when I am here, I don't want my users to have a Google account.
Thanks again for your post and work.
Cheers
Varun

On Jan 25, 6:35 am, MajorProgamming <[email protected]> wrote:
> Hmm. So basically this would sum it up?
>
> 1. If I use SSL, I can rely on the cookies?
>
> 2. If I don't use SSL and use another provider for the password check
> (like OpenID, etc.), I need to take your advice on Sessions expiring?
>
> Am I correct?
>
> And, what are the real chances of a hacker intercepting traffic?
>
> On Jan 24, 6:41 pm, Greg <[email protected]> wrote:
> > On Jan 24, 10:10 am, Andrew Badera <[email protected]> wrote:
> > > Typically, or at least in my experience, salting is
> > > md5/sha1/whatever(password+salt) rather than md5(md5(password)+salt) ...
> >
> > If you just hash the password plus the salt, you need to store the
> > password on the server. This is bad, both because servers are
> > vulnerable and also because at some stage you have to transmit the
> > password in clear. So you transmit (and store) the hash of the
> > password, which means you need to hash it twice when you login.
> >
> > > But can't the attackers simply spoof a request with that session id in
> > > the cookies?
> >
> > Yes, but only while the session is valid. At the very least make your
> > sessions expire frequently, and make logging out enticing for users.
> > And you could also make their IP address part of the salt, and have
> > the server check it. This limits attacks to your internal network.
> >
> > Cheers!
> > Greg.
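The thread above discusses three defensive pieces: a per-user salt on the stored password hash, sessions that expire, and Greg's suggestion of tying a session to the client's IP address. The block below is an added illustration of those three pieces in plain Python; it is not code from the thread, from gaeutils/gmemsess, or from any App Engine library. It assumes an in-memory dict for users and sessions (a real app would use the datastore or memcache), a hypothetical `SessionStore` class and `login` helper named here for illustration, and a PBKDF2 round count chosen as a placeholder. Note the practical caveat on IP binding: clients behind NAT, mobile carriers or corporate proxies can legitimately change address mid-session, so a strict IP check trades some usability for the replay protection it buys.

```python
"""Salted password storage plus an expiring, IP-bound session store.

Added illustration (not code from the thread or from any App Engine
library). Uses only the Python standard library; the dicts stand in for
whatever persistent store the application actually uses.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumption: tune to the cost budget of your hardware


def make_password_record(password: str) -> dict:
    """Create a fresh random salt per user and keep only the derived hash.

    The plaintext password is never stored; verification re-derives the hash.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


class SessionStore:
    """Server-side session table: opaque token -> (user, client_ip, expiry)."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user: str, client_ip: str, now: float) -> str:
        # The token is random and unguessable; it carries no user data itself,
        # so a stolen cookie reveals nothing and is useless once it expires.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_ip, now + self.ttl)
        return token

    def lookup(self, token: str, client_ip: str, now: float):
        """Return the user for a valid session, or None if the token is
        unknown, expired, or presented from an IP other than the one it was
        issued to (Greg's IP check from the thread)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_ip, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: drop it so it cannot be replayed
            return None
        if client_ip != bound_ip:
            return None
        return user

    def logout(self, token: str) -> None:
        """Explicit logout invalidates the token immediately."""
        self._sessions.pop(token, None)


def login(users: dict, store: SessionStore, username: str, password: str,
          client_ip: str, now: float):
    """Check the password and, on success, mint a session token."""
    record = users.get(username)
    if record is None or not verify_password(record, password):
        return None
    return store.create(username, client_ip, now)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    users = {"varun": make_password_record("correct horse battery staple")}
    store = SessionStore(ttl_seconds=900)
    token = login(users, store, "varun", "correct horse battery staple",
                  "10.0.0.5", now=1000.0)
    print("logged in:", token is not None)
    print("same IP, in time:", store.lookup(token, "10.0.0.5", now=1500.0))
    print("other IP:", store.lookup(token, "192.0.2.9", now=1500.0))
    print("after expiry:", store.lookup(token, "10.0.0.5", now=2000.0))
```

The `now` parameter is passed in rather than read from the clock so the expiry logic is deterministic and testable; in a request handler you would pass `time.time()`. Using the session as an opaque random token, looked up server-side, is what makes short expiry and logout effective: there is nothing in the cookie to forge, only something to steal, and stolen tokens die with the session.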
