As a suggestion, the app-engine-patch project is a very nice product.
I'm personally using it, on substituting gaeutilities sessions and
cache, with very good results on my primary project. Being able to
take advantage of Django's backends had me authenticating accounts
through Google (OpenID) and Yahoo (OAuth with their persistent id
field) literally in minutes. And I see nothing stopping me from adding
Myspace and Facebook when I'm ready.

On Jan 30, 10:05 am, varun <[email protected]> wrote:
> Real informative post for a beginner like me. The post title suits me
> completely. I need to make a basic user management system for my app.
> I have been googling the possibility of using django admin interface
> with GAE but the django-appengine-helper and django-patch look hackish
> to me. I don't really want them to be. At the same time I wanted to
> find something readymade (being lazy, that I am). Both the session
> handlers above, gaeutils and gmemsess provide me with a good start.
> Is there any simple user registration or login framework that I can
> use. Of course when I am here, I don't want my users to have a Google
> account.
>
> Thanks again for your post and work.
>
> Cheers
> Varun
>
> On Jan 25, 6:35 am, MajorProgamming <[email protected]> wrote:
>
> > Hmm. So basically this would sum it up?
>
> > 1. If I use SSL, I can rely on the cookies?
>
> > 2. If I don't use SSL and use another provider for the password check
> > (like OpenID, etc.), I need to take your advice on Sessions expiring?
>
> > Am I correct?
>
> > And, what are the real chances of a hacker intercepting traffic?
>
> > On Jan 24, 6:41 pm, Greg <[email protected]> wrote:
>
> > > On Jan 24, 10:10 am, Andrew Badera <[email protected]> wrote:
>
> > > > Typically, or at least in my experience, salting is
> > > > md5/sha1/whatever(password+salt) rather than md5(md5(password)+salt) ...
>
> > > If you just hash the password plus the salt, you need to store the
> > > password on the server. This is bad, both because servers are
> > > vulnerable and also because at some stage you have to transmit the
> > > password in clear. So you transmit (and store) the hash of the
> > > password, which means you need to hash it twice when you login.
>
> > > > But can't the attackers simply spoof a request with that session id in
> > > > the cookies?
>
> > > Yes, but only while the session is valid. At the very least make your
> > > sessions expire frequently, and make logging out enticing for users.
> > > And you could also make their IP address part of the salt, and have
> > > the server check it. This limits attacks to your internal network.
>
> > > Cheers!
> > > Greg.
>
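The scheme Greg and Andrew are debating above, written out as an added example (not code from this thread or from any of the projects it mentions): the browser sends H(password) rather than the clear-text password, the server stores H(H(password) + salt) with a per-user random salt, sessions carry a short expiry, and the client IP is recorded with the session and checked on every request. The in-memory `USERS` and `SESSIONS` dicts, the `SESSION_TTL` value and the `now` parameter are constructed stand-ins for the datastore/memcache and the clock; SHA-256 is used in place of the MD5/SHA-1 named in the thread.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stores standing in for the datastore / memcache.
USERS = {}     # username -> {"salt": bytes, "digest": hex string}
SESSIONS = {}  # session id -> {"user": str, "ip": str, "expires": float}

SESSION_TTL = 15 * 60  # seconds; short expiry limits how long a stolen id is useful


def client_digest(password):
    """First hash: what the browser transmits instead of the clear-text password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_digest(client_hash, salt):
    """Second hash: the stored value is H(H(password) + salt), never the password itself."""
    return hashlib.sha256(client_hash.encode("utf-8") + salt).hexdigest()


def register(username, password):
    """Create a user record with a fresh random salt and the double hash."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "digest": server_digest(client_digest(password), salt),
    }


def login(username, client_hash, ip, now=None):
    """Verify the client-sent hash; on success issue a session bound to the client's IP.

    Returns the session id, or None when the user is unknown or the hash is wrong.
    """
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    expected = server_digest(client_hash, record["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, record["digest"]):
        return None
    sid = os.urandom(32).hex()
    SESSIONS[sid] = {"user": username, "ip": ip, "expires": now + SESSION_TTL}
    return sid


def check_session(sid, ip, now=None):
    """Resolve a session id presented in a cookie to a username.

    Rejects unknown ids, expired sessions (and drops them) and requests whose
    source IP differs from the one the session was issued to.
    """
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[sid]
        return None
    if session["ip"] != ip:
        return None
    return session["user"]


def logout(sid):
    """Explicit logout invalidates the id immediately instead of waiting for expiry."""
    SESSIONS.pop(sid, None)


if __name__ == "__main__":
    register("varun", "correct horse battery")
    sid = login("varun", client_digest("correct horse battery"), "10.0.0.5")
    print("session ok:", check_session(sid, "10.0.0.5"))
    print("other ip:", check_session(sid, "10.0.0.6"))
    logout(sid)
    print("after logout:", check_session(sid, "10.0.0.5"))
```

Note that in this scheme the value the browser sends is itself the credential the server accepts, so the first hash only protects the original password text; the confidentiality of the login request, and of the session cookie afterwards, still rests on SSL, which is why the thread pairs it with short expiry and IP binding.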
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en