"What I see as a concern with your approach is what happens when the
server wide variable R gets out of sync with someone's version that
was crypted based off of it? The original reason the 3 valid token set
"
that's why i mention that "you can store the last 3 values of R as is
done now for each sessions sid" - so all 3 would be tried as is done
now with the sid list on each session entity. you could also count how
often R has been randomized and hand this iteration index to the
client as part of the token.
i'm not sure about going primarily with memcache - isn't memcache
designed only to be a caching layer? memcache isn't volatile in the
sense of being either up or down. rather, it throws out stored data
"randomly" as far as the developer is concerned as load increases.
On Jan 23, 1:37 am, "bowman.jos...@gmail.com"
<bowman.jos...@gmail.com> wrote:
> By the way, I really am not concerned with analysis attacks. It's
> sniffing/spoofing attacks that are most common for session hijacking.
> I simply sniff the network and find out what the name and value of the
> cookie are, and what user agent you are sending. I then duplicate
> those 2 things and if I'm behind the same NAT as you, I have your
> session loaded up in my browser. If I'm any good a social hacking, I
> set my page to auto refresh and then distract you by talking to you
> until I have your full session by rotating the session tokens past the
> point of where the one in your browser is invalid, and more than
> likely the application will make log back in, without logging me out.
> This is where you may want to consider tieing the session directly to
> a user account, so a user can only be logged in once at any time, and
> logging invalidates the current log in if it exists, ie:
> active_session field on your user model.
>
> Just some late night thoughts when I really should be asleep.
>
> On Jan 22, 11:12 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > Hmm, I'm not sure what "session timing" is.
>
> > I have an idea to reduce writes. Instead of updating the sid of every
> > session individually, give each session a random value between 0 and
> > C, and have one application-wide value R randomized every
> > session_token_ttl seconds to an integer between 0 and C, then hand the
> > client the value of this as a token:
>
> > t = (session_id+R)%C
>
> > then when a client hands the server a token, you can compute
> > session_id = (t-R)%C
>
> > (you can store the last 3 values of R as is done now for each sessions
> > sid)
>
> > I'm pretty sure there's no analysis attack that would allow a client
> > to figure out either R at any moment or their own (constant)
> > session_id. But, i could be wrong about that :\ ... The advantage
> > would be you're only updating a single datastore entity every
> > session_token_ttl.
>
> > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com"
>
> > <bowman.jos...@gmail.com> wrote:
> > > I've gone with a different approach that currently achieves similar
> > > results, that's now available in the trunk. A new variable,
> > > last_activity_update has been added. It's the amount of seconds that
> > > needs to pass before that field needs to be updated by doing a put().
> > > It defaults to 60 seconds, which of course is longer than the duration
> > > before a put is required to update the session token with the default
> > > settings.
>
> > > This will allow developers who wish to lengthen their
> > > session_token_ttl to a larger interval to still get their
> > > last_activity update in, useful for session timing. It too is
> > > customizable so for developers who have no use for this field can set
> > > it to a large enough number to be irrelevant.
>
> > > I'm trying to flush out an idea I have to limit the amount of writes
> > > for the token even further, but am still researching it. If I figure
> > > it out I will get it in and do another release. Otherwise I will
> > > release what's there now. Before any release I want to go over the
> > > refactoring you did as it does look more efficient than what I
> > > currently have, thanks.
>
> > > On Jan 22, 6:31 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > > Ok. I actually modified Session.__init__ locally to do the
> > > > last_activity on sid rotation (i also refactored it a bit to reduce
> > > > repeated code blocks). Regarding google.com's SID cookie - i'm not
> > > > seeing the sid update within minutes. I'm not sure why yours rotates
> > > > so quickly, but it's something entirely configurable in your code so
> > > > it shouldn't matter. Anyway, here's my version of Session.__init__ :
>
> > > > def __init__(self, cookie_path=DEFAULT_COOKIE_PATH,
> > > > cookie_name=COOKIE_NAME,
> > > > session_expire_time=SESSION_EXPIRE_TIME,
> > > > clean_check_percent=CLEAN_CHECK_PERCENT,
> > > > integrate_flash=INTEGRATE_FLASH, check_ip=CHECK_IP,
> > > > check_user_agent=CHECK_USER_AGENT,
> > > > set_cookie_expires=SET_COOKIE_EXPIRES,
> > > > session_token_ttl=SESSION_TOKEN_TTL):
> > > > """
> > > > Initializer
>
> > > > Args:
> > > > cookie_name: The name for the session cookie stored in the
> > > > browser.
> > > > session_expire_time: The amount of time between requests
> > > > before the
> > > > session expires.
> > > > clean_check_percent: The percentage of requests the will
> > > > fire off a
> > > > cleaning routine that deletes stale session data.
> > > > integrate_flash: If appengine-utilities flash utility should
> > > > be
> > > > integrated into the session object.
> > > > check_ip: If browser IP should be used for session
> > > > validation
> > > > check_user_agent: If the browser user agent should be used
> > > > for
> > > > sessoin validation.
> > > > set_cookie_expires: True adds an expires field to the cookie
> > > > so
> > > > it saves even if the browser is closed.
> > > > session_token_ttl: Number of sessions a session token is
> > > > valid
> > > > for before it should be regenerated.
> > > > """
>
> > > > self.cookie_path = cookie_path
> > > > self.cookie_name = cookie_name
> > > > self.session_expire_time = session_expire_time
> > > > self.clean_check_percent = clean_check_percent
> > > > self.integrate_flash = integrate_flash
> > > > self.check_user_agent = check_user_agent
> > > > self.check_ip = check_ip
> > > > self.set_cookie_expires = set_cookie_expires
> > > > self.session_token_ttl = session_token_ttl
>
> > > > # make sure the page is not cached in the browser
> > > > self.no_cache_headers()
> > > > """
> > > > Check the cookie and, if necessary, create a new one.
> > > > """
> > > > self.cache = {}
> > > > self.sid = None
> > > > string_cookie = os.environ.get('HTTP_COOKIE', '')
> > > > self.cookie = Cookie.SimpleCookie()
> > > > self.output_cookie = Cookie.SimpleCookie()
> > > > self.cookie.load(string_cookie)
>
> > > > dirty = False
>
> > > > # check for existing cookie
> > > > if self.cookie.get(cookie_name):
> > > > self.sid = self.cookie[cookie_name].value
> > > > self.session = self._get_session() # will return None if
> > > > sid expired
> > > > else:
> > > > self.sid = self.new_sid()
> > > > self.session = None
>
> > > > if self.session is None:
> > > > # start a new session if there is None.
> > > > self.sid = self.new_sid()
> > > > self.session = _AppEngineUtilities_Session()
> > > > if 'HTTP_USER_AGENT' in os.environ:
> > > > self.session.ua = os.environ['HTTP_USER_AGENT']
> > > > else:
> > > > self.session.ua = None
> > > > if 'REMOTE_ADDR' in os.environ:
> > > > self.session.ip = os.environ['REMOTE_ADDR']
> > > > else:
> > > > self.session.ip = None
> > > > self.session.sid = [self.sid]
> > > > dirty = True
> > > > else:
> > > > # check the age of the token to determine if a new one
> > > > # is required
> > > > duration = datetime.timedelta
> > > > (seconds=self.session_token_ttl)
> > > > session_age_limit = datetime.datetime.now() - duration
> > > > if self.session.last_activity < session_age_limit:
> > > > self.sid = self.new_sid()
> > > > if len(self.session.sid) > 2:
> > > > self.session.sid.remove(self.session.sid[0])
> > > > self.session.sid.append(self.sid)
> > > > dirty = True
> > > > else:
> > > > self.sid = self.session.sid[-1]
>
> > > > self.output_cookie[cookie_name] = self.sid
> > > > self.output_cookie[cookie_name]['path'] = cookie_path
> > > > if set_cookie_expires:
> > > > self.output_cookie[cookie_name]['expires'] =
> > > > self.session_expire_time
>
> > > > self.cache['sid'] = pickle.dumps(self.sid)
>
> > > > if dirty:
> > > > self.session.put()
>
> > > > #self.cookie.output()
> > > > print self.output_cookie.output()
>
> > > > # fire up a Flash object if integration is enabled
> > > > if self.integrate_flash:
> > > > import flash
> > > > self.flash = flash.Flash(cookie=self.cookie)
>
> > > > # randomly delete old stale sessions in the datastore (see
> > > > # CLEAN_CHECK_PERCENT variable)
> > > > if random.randint(1, 100) < CLEAN_CHECK_PERCENT:
> > > > self._clean_old_sessions()
>
> > > > On Jan 22, 4:38 pm, "bowman.jos...@gmail.com"
>
> > > > <bowman.jos...@gmail.com> wrote:
> > > > > I think it's a case of it's been that way for so long I haven't
> > > > > realized I need to change it. The put on every write to update the
> > > > > last activity, I mean. I'll look into modifying it so that it only
> > > > > writes when the session token changes.
>
> > > > > As for google though, every time I load up my igoogle page, I have
> > > > > cookie called SID for thewww.google.comthatchangeseachpageview.
>
> ...
>
> read more »
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to
google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---
