Yeah, but R would be rotated every 15 seconds, which would decrease the
window in which a session is really valid by a large margin. That's why
the session token needs to be tied to every account.

On Jan 23, 1:04 am, jeremy <jeremy.a...@gmail.com> wrote:
> "What I see as a concern with your approach is what happens when the
> server wide variable R gets out of sync with someone's version that
> was crypted based off of it? The original reason the 3 valid token set
> "
>
> that's why I mention that "you can store the last 3 values of R as is
> done now for each session's sid" - so all 3 would be tried as is done
> now with the sid list on each session entity. You could also count how
> often R has been randomized and hand this iteration index to the
> client as part of the token.
>
> I'm not sure about going primarily with memcache - isn't memcache
> designed only to be a caching layer? memcache isn't volatile in the
> sense of being either up or down. Rather, it throws out stored data
> "randomly" as far as the developer is concerned as load increases.
>
> On Jan 23, 1:37 am, "bowman.jos...@gmail.com"
>
> <bowman.jos...@gmail.com> wrote:
> > By the way, I really am not concerned with analysis attacks. It's
> > sniffing/spoofing attacks that are most common for session hijacking.
> > I simply sniff the network and find out what the name and value of the
> > cookie are, and what user agent you are sending. I then duplicate
> > those 2 things and if I'm behind the same NAT as you, I have your
> > session loaded up in my browser. If I'm any good at social hacking, I
> > set my page to auto-refresh and then distract you by talking to you
> > until I have your full session by rotating the session tokens past the
> > point where the one in your browser is invalid, and more than
> > likely the application will make you log back in, without logging me out.
> > This is where you may want to consider tying the session directly to
> > a user account, so a user can only be logged in once at any time, and
> > logging in invalidates the current login if it exists, i.e. an
> > active_session field on your user model.
>
> > Just some late night thoughts when I really should be asleep.
>
> > On Jan 22, 11:12 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > Hmm, I'm not sure what "session timing" is.
>
> > > I have an idea to reduce writes. Instead of updating the sid of every
> > > session individually, give each session a random value between 0 and
> > > C, and have one application-wide value R randomized every
> > > session_token_ttl seconds to an integer between 0 and C, then hand the
> > > client the value of this as a token:
>
> > > t = (session_id+R)%C
>
> > > then when a client hands the server a token, you can compute
> > > session_id = (t-R)%C
>
> > > (you can store the last 3 values of R as is done now for each sessions
> > > sid)
>
> > > I'm pretty sure there's no analysis attack that would allow a client
> > > to figure out either R at any moment or their own (constant)
> > > session_id. But I could be wrong about that :\ ... The advantage
> > > would be you're only updating a single datastore entity every
> > > session_token_ttl.
>
> > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com"
>
> > > <bowman.jos...@gmail.com> wrote:
> > > > I've gone with a different approach that currently achieves similar
> > > > results, that's now available in the trunk. A new variable,
> > > > last_activity_update, has been added. It's the number of seconds that
> > > > need to pass before that field is updated by doing a put().
> > > > It defaults to 60 seconds, which of course is longer than the duration
> > > > before a put is required to update the session token with the default
> > > > settings.
>
> > > > This will allow developers who wish to lengthen their
> > > > session_token_ttl to a larger interval to still get their
> > > > last_activity update in, useful for session timing. It too is
> > > > customizable, so developers who have no use for this field can set
> > > > it to a large enough number to be irrelevant.
>
> > > > I'm trying to flesh out an idea I have to limit the amount of writes
> > > > for the token even further, but am still researching it. If I figure
> > > > it out I will get it in and do another release. Otherwise I will
> > > > release what's there now. Before any release I want to go over the
> > > > refactoring you did, as it does look more efficient than what I
> > > > currently have, thanks.
>
> > > > On Jan 22, 6:31 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > > > Ok. I actually modified Session.__init__ locally to do the
> > > > > last_activity on sid rotation (I also refactored it a bit to reduce
> > > > > repeated code blocks). Regarding google.com's SID cookie - I'm not
> > > > > seeing the sid update within minutes. I'm not sure why yours rotates
> > > > > so quickly, but it's something entirely configurable in your code so
> > > > > it shouldn't matter. Anyway, here's my version of Session.__init__:
>
> > > > >     def __init__(self, cookie_path=DEFAULT_COOKIE_PATH,
> > > > >                  cookie_name=COOKIE_NAME,
> > > > >                  session_expire_time=SESSION_EXPIRE_TIME,
> > > > >                  clean_check_percent=CLEAN_CHECK_PERCENT,
> > > > >                  integrate_flash=INTEGRATE_FLASH, check_ip=CHECK_IP,
> > > > >                  check_user_agent=CHECK_USER_AGENT,
> > > > >                  set_cookie_expires=SET_COOKIE_EXPIRES,
> > > > >                  session_token_ttl=SESSION_TOKEN_TTL):
> > > > >         """
> > > > >         Initializer
>
> > > > >         Args:
> > > > >           cookie_path: The path the session cookie is scoped to.
> > > > >           cookie_name: The name for the session cookie stored in the
> > > > >               browser.
> > > > >           session_expire_time: The amount of time between requests
> > > > >               before the session expires.
> > > > >           clean_check_percent: The percentage of requests that will
> > > > >               fire off a cleaning routine that deletes stale session data.
> > > > >           integrate_flash: If the appengine-utilities flash utility
> > > > >               should be integrated into the session object.
> > > > >           check_ip: If the browser IP should be used for session
> > > > >               validation.
> > > > >           check_user_agent: If the browser user agent should be used
> > > > >               for session validation.
> > > > >           set_cookie_expires: True adds an expires field to the cookie
> > > > >               so it saves even if the browser is closed.
> > > > >           session_token_ttl: Number of seconds a session token is valid
> > > > >               for before it should be regenerated.
> > > > >         """
>
> > > > >         self.cookie_path = cookie_path
> > > > >         self.cookie_name = cookie_name
> > > > >         self.session_expire_time = session_expire_time
> > > > >         self.clean_check_percent = clean_check_percent
> > > > >         self.integrate_flash = integrate_flash
> > > > >         self.check_user_agent = check_user_agent
> > > > >         self.check_ip = check_ip
> > > > >         self.set_cookie_expires = set_cookie_expires
> > > > >         self.session_token_ttl = session_token_ttl
>
> > > > >         # make sure the page is not cached in the browser
> > > > >         self.no_cache_headers()
>
> > > > >         # Check the cookie and, if necessary, create a new one.
> > > > >         self.cache = {}
> > > > >         self.sid = None
> > > > >         string_cookie = os.environ.get('HTTP_COOKIE', '')
> > > > >         self.cookie = Cookie.SimpleCookie()
> > > > >         self.output_cookie = Cookie.SimpleCookie()
> > > > >         self.cookie.load(string_cookie)
>
> > > > >         dirty = False
>
> > > > >         # check for existing cookie
> > > > >         if self.cookie.get(cookie_name):
> > > > >             self.sid = self.cookie[cookie_name].value
> > > > >             # _get_session() returns None if the sid has expired
> > > > >             self.session = self._get_session()
> > > > >         else:
> > > > >             self.sid = self.new_sid()
> > > > >             self.session = None
>
> > > > >         if self.session is None:
> > > > >             # start a new session if there is None.
> > > > >             self.sid = self.new_sid()
> > > > >             self.session = _AppEngineUtilities_Session()
> > > > >             if 'HTTP_USER_AGENT' in os.environ:
> > > > >                 self.session.ua = os.environ['HTTP_USER_AGENT']
> > > > >             else:
> > > > >                 self.session.ua = None
> > > > >             if 'REMOTE_ADDR' in os.environ:
> > > > >                 self.session.ip = os.environ['REMOTE_ADDR']
> > > > >             else:
> > > > >                 self.session.ip = None
> > > > >             self.session.sid = [self.sid]
> > > > >             dirty = True
> > > > >         else:
> > > > >             # check the age of the token to determine if a new one
> > > > >             # is required
> > > > >             duration = datetime.timedelta(seconds=self.session_token_ttl)
> > > > >             session_age_limit = datetime.datetime.now() - duration
> > > > >             if self.session.last_activity < session_age_limit:
> > > > >                 # rotate: keep only the last 3 sids so a client that
> > > > >                 # still holds a slightly older one is not logged out
> > > > >                 self.sid = self.new_sid()
> > > > >                 if len(self.session.sid) > 2:
> > > > >                     self.session.sid.pop(0)
> > > > >                 self.session.sid.append(self.sid)
> > > > >                 dirty = True
> > > > >             else:
> > > > >                 self.sid = self.session.sid[-1]
>
> > > > >         self.output_cookie[cookie_name] = self.sid
> > > > >         self.output_cookie[cookie_name]['path'] = cookie_path
> > > > >         if set_cookie_expires:
> > > > >             self.output_cookie[cookie_name]['expires'] = self.session_expire_time
>
> > > > >         self.cache['sid'] =
>
> ...
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to 
google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---

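Added example (editor's, not code from this thread or from appengine-utilities): the shared-R scheme proposed above, t = (session_id + R) % C, with the last three values of R kept for decoding as the sid list is kept today, plus the "analysis attack" check that was left open in the thread. The class and function names, the size of C and the in-memory session store are assumptions made for illustration; the real library keeps sessions in the datastore.

```python
# Added example: the shared-R token scheme from the thread, not code from
# appengine-utilities. Class/function names, C and the in-memory session
# store are assumptions made for illustration.
import secrets
from collections import deque

C = 2 ** 64  # assumed size of the token space; the thread leaves C open


class RotatingTokenServer:
    """Issues t = (session_id + R) % C and decodes with the last 3 values of R.

    One R is shared by every session, so a rotation is a single write
    instead of a put() per session, which is the point of the proposal.
    """

    def __init__(self, history=3):
        self.sessions = {}                        # session_id -> session data
        self.r_history = deque(maxlen=history)    # newest R first
        self.r_history.appendleft(secrets.randbelow(C))
        self.rotations = 0                        # iteration index the client could be handed

    def rotate(self):
        """Run every session_token_ttl seconds: pick a fresh R, drop the oldest."""
        self.r_history.appendleft(secrets.randbelow(C))
        self.rotations += 1

    @property
    def R(self):
        return self.r_history[0]

    def create_session(self, user):
        """Each session keeps one constant random session_id for its lifetime."""
        session_id = secrets.randbelow(C)
        self.sessions[session_id] = {"user": user}
        return session_id

    def issue_token(self, session_id):
        return (session_id + self.R) % C

    def resolve(self, token):
        """Try the current R, then the older ones, the way the sid list is tried now.

        With a small C, (token - old_R) % C can land on some other live
        session, so a real deployment would need the iteration index or a
        large C to make the lookup unambiguous.
        """
        for r in self.r_history:
            candidate = (token - r) % C
            if candidate in self.sessions:
                return candidate
        return None


def resolve_after_rotations(server, session_id, rotations):
    """A token issued now survives history-1 rotations, then stops resolving."""
    token = server.issue_token(session_id)
    for _ in range(rotations):
        server.rotate()
    return server.resolve(token)


def token_delta_is_constant(server, sid_a, sid_b, rounds=5):
    """Analysis check: t_b - t_a (mod C) equals sid_b - sid_a, R cancels out,
    so the difference between two sessions' tokens never changes."""
    delta = (server.issue_token(sid_b) - server.issue_token(sid_a)) % C
    for _ in range(rounds):
        server.rotate()
        if (server.issue_token(sid_b) - server.issue_token(sid_a)) % C != delta:
            return False
    return True


def predict_victim_token(server, attacker_sid, sniffed_victim_token, rotations=4):
    """What a sniffer with a session of their own can do with one captured
    token: record delta once (both tokens issued under the same R), then
    after any number of rotations add it to their own fresh token."""
    delta = (sniffed_victim_token - server.issue_token(attacker_sid)) % C
    for _ in range(rotations):
        server.rotate()
    return (server.issue_token(attacker_sid) + delta) % C


if __name__ == "__main__":
    server = RotatingTokenServer()
    alice = server.create_session("alice")
    mallory = server.create_session("mallory")
    captured = server.issue_token(alice)      # sniffed once, same NAT
    guess = predict_victim_token(server, mallory, captured)
    print("prediction resolves to alice:", server.resolve(guess) == alice)
```

Because R cancels out of the difference between any two tokens issued under the same R, someone who holds their own session and sniffs a victim's token once can keep computing the victim's current token after every rotation, so rotating R more often does not shrink the window for that sniffer the way rotating a per-session sid does. The decoder also has to cope with (t - old_R) % C landing on another live session when C is small, which is where the iteration index mentioned in the thread would help.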