Yea but R would be rotated every 15 seconds which would decrease the window in which a session is really valid by a large margin. That's why the session token needs to be tied to every account.
On Jan 23, 1:04 am, jeremy <jeremy.a...@gmail.com> wrote:
> "What I see as a concern with your approach is what happens when the server wide variable R gets out of sync with someone's version that was crypted based off of it? The original reason the 3 valid token set "
>
> that's why i mention that "you can store the last 3 values of R as is done now for each session's sid" - so all 3 would be tried as is done now with the sid list on each session entity. you could also count how often R has been randomized and hand this iteration index to the client as part of the token.
>
> i'm not sure about going primarily with memcache - isn't memcache designed only to be a caching layer? memcache isn't volatile in the sense of being either up or down. rather, it throws out stored data "randomly" as far as the developer is concerned as load increases.
>
> On Jan 23, 1:37 am, "bowman.jos...@gmail.com" <bowman.jos...@gmail.com> wrote:
> > By the way, I really am not concerned with analysis attacks. It's sniffing/spoofing attacks that are most common for session hijacking. I simply sniff the network and find out what the name and value of the cookie are, and what user agent you are sending. I then duplicate those 2 things and if I'm behind the same NAT as you, I have your session loaded up in my browser. If I'm any good at social hacking, I set my page to auto refresh and then distract you by talking to you until I have your full session by rotating the session tokens past the point of where the one in your browser is invalid, and more than likely the application will make you log back in, without logging me out. This is where you may want to consider tying the session directly to a user account, so a user can only be logged in once at any time, and logging in invalidates the current log in if it exists, ie: active_session field on your user model.
> >
> > Just some late night thoughts when I really should be asleep.
> >
> > On Jan 22, 11:12 pm, jeremy <jeremy.a...@gmail.com> wrote:
> > > Hmm, I'm not sure what "session timing" is.
> > >
> > > I have an idea to reduce writes. Instead of updating the sid of every session individually, give each session a random value between 0 and C, and have one application-wide value R randomized every session_token_ttl seconds to an integer between 0 and C, then hand the client the value of this as a token:
> > >
> > >     t = (session_id+R)%C
> > >
> > > then when a client hands the server a token, you can compute
> > >
> > >     session_id = (t-R)%C
> > >
> > > (you can store the last 3 values of R as is done now for each session's sid)
> > >
> > > I'm pretty sure there's no analysis attack that would allow a client to figure out either R at any moment or their own (constant) session_id. But, i could be wrong about that :\ ... The advantage would be you're only updating a single datastore entity every session_token_ttl.
> > >
> > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com" <bowman.jos...@gmail.com> wrote:
> > > > I've gone with a different approach that currently achieves similar results, that's now available in the trunk. A new variable, last_activity_update has been added. It's the amount of seconds that needs to pass before that field needs to be updated by doing a put(). It defaults to 60 seconds, which of course is longer than the duration before a put is required to update the session token with the default settings.
> > > >
> > > > This will allow developers who wish to lengthen their session_token_ttl to a larger interval to still get their last_activity update in, useful for session timing. It too is customizable, so developers who have no use for this field can set it to a large enough number to be irrelevant.
> > > >
> > > > I'm trying to flush out an idea I have to limit the amount of writes for the token even further, but am still researching it. If I figure it out I will get it in and do another release. Otherwise I will release what's there now. Before any release I want to go over the refactoring you did as it does look more efficient than what I currently have, thanks.
> > > >
> > > > On Jan 22, 6:31 pm, jeremy <jeremy.a...@gmail.com> wrote:
> > > > > Ok. I actually modified Session.__init__ locally to do the last_activity on sid rotation (i also refactored it a bit to reduce repeated code blocks). Regarding google.com's SID cookie - i'm not seeing the sid update within minutes. I'm not sure why yours rotates so quickly, but it's something entirely configurable in your code so it shouldn't matter. Anyway, here's my version of Session.__init__ :
> > > > >
> > > > >     def __init__(self, cookie_path=DEFAULT_COOKIE_PATH,
> > > > >                  cookie_name=COOKIE_NAME,
> > > > >                  session_expire_time=SESSION_EXPIRE_TIME,
> > > > >                  clean_check_percent=CLEAN_CHECK_PERCENT,
> > > > >                  integrate_flash=INTEGRATE_FLASH, check_ip=CHECK_IP,
> > > > >                  check_user_agent=CHECK_USER_AGENT,
> > > > >                  set_cookie_expires=SET_COOKIE_EXPIRES,
> > > > >                  session_token_ttl=SESSION_TOKEN_TTL):
> > > > >         """
> > > > >         Initializer
> > > > >
> > > > >         Args:
> > > > >           cookie_name: The name for the session cookie stored in the browser.
> > > > >           session_expire_time: The amount of time between requests before the
> > > > >             session expires.
> > > > >           clean_check_percent: The percentage of requests that will fire off a
> > > > >             cleaning routine that deletes stale session data.
> > > > >           integrate_flash: If appengine-utilities flash utility should be
> > > > >             integrated into the session object.
> > > > >           check_ip: If browser IP should be used for session validation
> > > > >           check_user_agent: If the browser user agent should be used for
> > > > >             session validation.
> > > > >           set_cookie_expires: True adds an expires field to the cookie so
> > > > >             it saves even if the browser is closed.
> > > > >           session_token_ttl: Number of sessions a session token is valid
> > > > >             for before it should be regenerated.
> > > > >         """
> > > > >         self.cookie_path = cookie_path
> > > > >         self.cookie_name = cookie_name
> > > > >         self.session_expire_time = session_expire_time
> > > > >         self.clean_check_percent = clean_check_percent
> > > > >         self.integrate_flash = integrate_flash
> > > > >         self.check_user_agent = check_user_agent
> > > > >         self.check_ip = check_ip
> > > > >         self.set_cookie_expires = set_cookie_expires
> > > > >         self.session_token_ttl = session_token_ttl
> > > > >
> > > > >         # make sure the page is not cached in the browser
> > > > >         self.no_cache_headers()
> > > > >         """
> > > > >         Check the cookie and, if necessary, create a new one.
> > > > >         """
> > > > >         self.cache = {}
> > > > >         self.sid = None
> > > > >         string_cookie = os.environ.get('HTTP_COOKIE', '')
> > > > >         self.cookie = Cookie.SimpleCookie()
> > > > >         self.output_cookie = Cookie.SimpleCookie()
> > > > >         self.cookie.load(string_cookie)
> > > > >
> > > > >         dirty = False
> > > > >
> > > > >         # check for existing cookie
> > > > >         if self.cookie.get(cookie_name):
> > > > >             self.sid = self.cookie[cookie_name].value
> > > > >             self.session = self._get_session()  # will return None if sid expired
> > > > >         else:
> > > > >             self.sid = self.new_sid()
> > > > >             self.session = None
> > > > >
> > > > >         if self.session is None:
> > > > >             # start a new session if there is None.
> > > > >             self.sid = self.new_sid()
> > > > >             self.session = _AppEngineUtilities_Session()
> > > > >             if 'HTTP_USER_AGENT' in os.environ:
> > > > >                 self.session.ua = os.environ['HTTP_USER_AGENT']
> > > > >             else:
> > > > >                 self.session.ua = None
> > > > >             if 'REMOTE_ADDR' in os.environ:
> > > > >                 self.session.ip = os.environ['REMOTE_ADDR']
> > > > >             else:
> > > > >                 self.session.ip = None
> > > > >             self.session.sid = [self.sid]
> > > > >             dirty = True
> > > > >         else:
> > > > >             # check the age of the token to determine if a new one
> > > > >             # is required
> > > > >             duration = datetime.timedelta(seconds=self.session_token_ttl)
> > > > >             session_age_limit = datetime.datetime.now() - duration
> > > > >             if self.session.last_activity < session_age_limit:
> > > > >                 # rotate the sid, keeping at most the three most recent ones valid
> > > > >                 self.sid = self.new_sid()
> > > > >                 if len(self.session.sid) > 2:
> > > > >                     self.session.sid.remove(self.session.sid[0])
> > > > >                 self.session.sid.append(self.sid)
> > > > >                 dirty = True
> > > > >             else:
> > > > >                 self.sid = self.session.sid[-1]
> > > > >
> > > > >         self.output_cookie[cookie_name] = self.sid
> > > > >         self.output_cookie[cookie_name]['path'] = cookie_path
> > > > >         if set_cookie_expires:
> > > > >             self.output_cookie[cookie_name]['expires'] = self.session_expire_time
> > > > >
> > > > >         self.cache['sid'] =
> > > > > ...
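The two defensive pieces the thread converges on are the sid rotation in jeremy's quoted Session.__init__ (a fresh sid once session_token_ttl has passed, with at most the three most recent sids still accepted) and bowman's suggestion of an active_session field so that an account has one live session and a new login invalidates the previous one. The following is an added stand-alone example of both together; it is not appengine-utilities code and nothing here comes from the project. It assumes an in-memory store with an explicit clock argument (so the behaviour is deterministic), a constructed 15-second TOKEN_TTL taken from the figure in the top post, and rotation keyed on the time of the last rotation rather than on last_activity.

```python
import secrets

# Constructed values for the example: a 15-second rotation interval (the
# figure used in the top post) and the three-deep sid history from the
# quoted Session.__init__ (it keeps at most three entries in session.sid).
TOKEN_TTL = 15
SID_HISTORY = 3


def new_sid():
    """Unguessable session identifier (24 random bytes, URL-safe)."""
    return secrets.token_urlsafe(24)


class Session:
    """Server-side session: recent sids (newest last) plus the owning account."""

    def __init__(self, user, now):
        self.user = user
        self.sids = [new_sid()]
        self.last_rotation = now


class SessionStore:
    """In-memory stand-in for the datastore entities discussed in the thread.

    `by_sid` maps every currently valid sid to its session, so any of the
    retained sids resolves (the "try all three" behaviour of the sid list).
    `active_session` is bowman's suggestion: one live session per account,
    so a new login invalidates whatever session that account had before.
    """

    def __init__(self):
        self.by_sid = {}
        self.active_session = {}

    def login(self, user, now):
        """Create a session for `user`; any previous session of theirs is dropped."""
        previous = self.active_session.get(user)
        if previous is not None:
            self._forget(previous)
        session = Session(user, now)
        self.active_session[user] = session
        self.by_sid[session.sids[-1]] = session
        return session.sids[-1]

    def logout(self, sid):
        session = self.by_sid.get(sid)
        if session is not None:
            self._forget(session)

    def _forget(self, session):
        for sid in session.sids:
            self.by_sid.pop(sid, None)
        self.active_session.pop(session.user, None)

    def resolve(self, sid, now):
        """Return (user, sid_to_set_in_cookie), or None if `sid` is not valid.

        Rotates the sid once TOKEN_TTL seconds have passed since the last
        rotation.  The oldest sid drops out when the history exceeds
        SID_HISTORY, so a copy of a sid that is no longer being refreshed
        stops resolving three rotations later.
        """
        session = self.by_sid.get(sid)
        if session is None or self.active_session.get(session.user) is not session:
            return None
        if now - session.last_rotation >= TOKEN_TTL:
            fresh = new_sid()
            session.sids.append(fresh)
            session.last_rotation = now
            while len(session.sids) > SID_HISTORY:
                self.by_sid.pop(session.sids.pop(0), None)
            self.by_sid[fresh] = session
        return session.user, session.sids[-1]


if __name__ == "__main__":
    store = SessionStore()
    sid0 = store.login("alice", now=0)
    _, sid1 = store.resolve(sid0, now=20)   # rotated; sid0 is still accepted
    _, sid2 = store.resolve(sid1, now=40)
    _, sid3 = store.resolve(sid2, now=60)   # history is now [sid1, sid2, sid3]
    print("sid0 still valid:", store.resolve(sid0, now=61) is not None)   # False
    sid_new = store.login("alice", now=70)  # second login supersedes the first
    print("sid3 still valid:", store.resolve(sid3, now=71) is not None)   # False
```

The account binding is what answers the scenario in bowman's reply: with only rotation, whichever browser keeps refreshing keeps the session alive, whereas with `active_session` the legitimate user logging in again ends it for everyone else holding the old sids.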
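jeremy's write-reducing scheme from the quoted messages (a fixed random session_id per session, one application-wide R re-randomised every session_token_ttl, t = (session_id+R)%C handed to the client, session_id = (t-R)%C recovered on the server, the last three R values kept, and optionally the iteration index sent along with the token) as an added example; this is not code from the thread or from appengine-utilities, and C, R_HISTORY, the class and method names are my own choices. It also makes the window the top post refers to concrete: a token issued under a given R keeps resolving until that R has aged out of the three-deep history.

```python
import secrets

# Constructed parameters: the token space C and the three-deep history of R
# values jeremy suggests keeping, mirroring the sid list kept per session.
C = 2 ** 32
R_HISTORY = 3


def new_session_id():
    """Each session gets a constant random value in [0, C) when it is created."""
    return secrets.randbelow(C)


class RotatingMask:
    """Application-wide value R, re-randomised on a timer, with a short history.

    Tokens are t = (session_id + R) % C.  Rotating R changes every client's
    token while only this one server-side value has to be written.
    """

    def __init__(self):
        self.history = []   # (iteration, R) pairs, newest last
        self.iteration = -1
        self.rotate()

    def rotate(self):
        """Called every session_token_ttl seconds: pick a new R, drop the oldest."""
        self.iteration += 1
        self.history.append((self.iteration, secrets.randbelow(C)))
        del self.history[:-R_HISTORY]

    def issue(self, session_id):
        """Token for the client: the current iteration index and t = (session_id+R)%C."""
        iteration, r = self.history[-1]
        return iteration, (session_id + r) % C

    def resolve(self, iteration, t):
        """session_id = (t - R) % C, using the R that was current at `iteration`.

        Returns None once that R has aged out of the history; the client then
        has to establish a new session.
        """
        for it, r in self.history:
            if it == iteration:
                return (t - r) % C
        return None

    def candidates(self, t):
        """Without an iteration index every retained R yields a candidate
        session_id, and each would be looked up in turn (the "try all 3" path)."""
        return [(t - r) % C for _, r in self.history]


if __name__ == "__main__":
    mask = RotatingMask()
    sid = new_session_id()
    iteration, token = mask.issue(sid)
    mask.rotate()
    mask.rotate()
    print("after 2 rotations:", mask.resolve(iteration, token) == sid)   # True
    mask.rotate()
    print("after 3 rotations:", mask.resolve(iteration, token))          # None
```

Two things worth keeping in view. First, sending the iteration index costs nothing and turns the "try all three" lookup into a single datastore read, which matters on App Engine where each extra get is billed and adds latency. Second, the token is only an additive mask over a constant session_id, not a MAC: it saves writes, exactly as jeremy says, but it does nothing about the case bowman raises, because whoever is holding a captured t can present it until R ages out, and the account binding is still what ends that.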