On 22 September 2011 11:26, [email protected] <[email protected]> wrote:
> The security is the rotating session token.
>
> It works basically like this. A session token is valid for x seconds, and
> then a backlog of x tokens are considered valid. The reason that multiple
> tokens are valid is to support sites using ajax requests which may have
> request/response out of sequence with each other.
>
> Avoiding taking multiple requests per page view into account, and just doing
> a single page/response scenario, here's how it happens. This model also
> assumes that each page view is generating a new token; that's not required,
> as you can make the token expiration as long as you want for your
> application.
>
> You request a page, which generates a session. Session token is set in a
> cookie.
> Next page request, the token is valid, but expired. A new cookie is set with
> a new session token.
> Next page request, same thing.
>
> Now, if you lock your user profile to only accepting one session, then
> hijacking will create a scenario where either the hijacker or user loses
> their session. So..
> User creates session, gets token.
> Hijacker sniffs token, connects using it, and gets another token.
> User makes a request, generating a new token.
> Hijacker connects still using the token they had, which generates a new one.
> ...
> Eventually either the user or hijacker has a token that's expired so a new
> session needs to be created.
> If it's the user, when they log in they invalidate the session the hijacker
> is using and reclaim their access.
>
> Now, it's not foolproof. If the hijacker is using a complicated enough
> system they can keep sniffing and resetting their cookies with the victim's
> tokens. They can at least have some access time on the user's account. They
> can also just sniff again to jump back on the session when they get kicked
> off. There's no way to make it truly secure, just more difficult.
Ok, that makes sense.

> The biggest problem with gaeutilities though is it's currently pretty much
> unsupported. I've stopped using appengine and with having 2 kids now I don't
> have time to dedicate to a project I'm not using. I learned python writing
> gaeutilities, and have since figured out ways to improve the performance
> - https://github.com/joerussbowman/gaeutilities/issues/2

Oh, totally understand.

> I'm open to pull requests, or even to someone forking the project and
> continuing it. I'd be happy to act as an advisor or anything required to
> assist as long as the contributors can deal with my limited availability. If
> anyone just wants to fork the entire project and carry it on, as long as I'm
> comfortable with the approaches taken I'd even point everyone to it. The
> only qualification I have is that security remain a primary motivator of
> design. Of course if it's a fork of my code and ideas I'd also like to
> continue to receive credit.

Well, if I begin to run into issues with it that I need to patch myself, I'll
yell out, maybe get involved. Thanks for the awesome library though, it really
is smooth to use. Great stuff.

--
Emlyn

http://my.syyn.cc - Synchronise Google+, Facebook, WordPress and Google Buzz
posts, comments and all.
http://point7.wordpress.com - My blog
Find me on Facebook and Buzz

--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
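The rotating-token scheme described in the quoted message, as an added example
that is not gaeutilities code and was not written by either participant. It
keeps a bounded backlog of recently issued tokens per session, rotates whenever
a request carries a token that is expired or not the newest, and enforces one
session per user so that a fresh login destroys the session a hijacker is
riding. The SessionStore/FakeClock names, the ttl/backlog parameters and the
alice/hijacker replay are this example's own assumptions; a backlog of at least
2 is assumed so that two alternating clients can share a session.

```python
"""Rotating session tokens with a backlog of still-accepted tokens and a
one-session-per-user rule.  Added example; not gaeutilities code."""
import secrets
from collections import deque


class FakeClock:
    """Injectable clock so token expiry can be driven deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, ttl_seconds, backlog, clock):
        self.ttl = ttl_seconds      # a token is "fresh" for this long
        self.backlog = backlog      # how many recent tokens stay accepted (>= 2 assumed)
        self.clock = clock
        self._sessions = {}         # session id -> {"user": ..., "tokens": deque[(token, issued_at)]}
        self._by_token = {}         # token -> session id
        self._by_user = {}          # user -> session id (one session per user)

    def login(self, user):
        """Create a session for `user`, destroying any session they already hold."""
        old = self._by_user.get(user)
        if old is not None:
            self._destroy(old)
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "tokens": deque()}
        self._by_user[user] = sid
        return self._issue(sid)

    def request(self, token):
        """Handle one request whose cookie carries `token`.

        Returns (user, token_to_set_in_cookie), or None when the token is
        neither current nor in the backlog, so the client must log in again."""
        sid = self._by_token.get(token)
        if sid is None:
            return None
        sess = self._sessions[sid]
        newest, issued_at = sess["tokens"][-1]
        if token == newest and self.clock() - issued_at < self.ttl:
            return sess["user"], token          # current and fresh: keep it
        # Expired, or an older backlog token (out-of-order ajax, or a second
        # client on the same session): still accepted, but rotated.
        return sess["user"], self._issue(sid)

    def is_accepted(self, token):
        """Read-only check: would `request` accept this token right now?"""
        return token in self._by_token

    def _issue(self, sid):
        sess = self._sessions[sid]
        token = secrets.token_urlsafe(32)
        sess["tokens"].append((token, self.clock()))
        self._by_token[token] = sid
        while len(sess["tokens"]) > self.backlog:   # oldest token drops out of the backlog
            old, _ = sess["tokens"].popleft()
            del self._by_token[old]
        return token

    def _destroy(self, sid):
        sess = self._sessions.pop(sid)
        for token, _ in sess["tokens"]:
            del self._by_token[token]
        self._by_user.pop(sess["user"], None)


def simulate_hijack(ttl=10, backlog=3):
    """Replay the user/hijacker race from the thread (constructed scenario)."""
    clock = FakeClock()
    store = SessionStore(ttl, backlog, clock)
    alice = store.login("alice")
    hijacker = alice                # the cookie was sniffed off the wire

    # 1. While both alternate requests, each is at most one rotation behind
    #    the other, so both keep receiving fresh tokens.
    for _ in range(backlog + 1):
        clock.advance(ttl + 1)
        _, alice = store.request(alice)
        clock.advance(ttl + 1)
        _, hijacker = store.request(hijacker)
    both_alive = store.is_accepted(alice) and store.is_accepted(hijacker)

    # 2. The hijacker keeps browsing while alice is idle; after `backlog`
    #    rotations alice's token has been pushed out of the backlog.
    for _ in range(backlog):
        clock.advance(ttl + 1)
        _, hijacker = store.request(hijacker)
    alice_evicted = store.request(alice) is None

    # 3. Alice logs in again: one session per user destroys the session the
    #    hijacker is riding, so their token stops working and alice's does not.
    alice = store.login("alice")
    return {
        "both_alive_while_alternating": both_alive,
        "alice_evicted_after_hijacker_burst": alice_evicted,
        "hijacker_evicted_after_relogin": store.request(hijacker) is None,
        "alice_ok_after_relogin": store.request(alice) is not None,
    }
```

Running simulate_hijack() shows the three phases the message describes: both
parties survive while they alternate, whichever one falls more than the
backlog behind is kicked, and a re-login by the real user evicts the hijacker.
As the message itself says, this only limits the damage: the scenario starts
with the cookie being sniffed, which is the problem TLS plus Secure and HttpOnly
cookie flags address, and rotation does not replace that.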
