I have some ideas now that I think will help out overall. Keep an eye
out for the next release. It won't be perfect, but unless Google can
provide some sort of mechanism for session tokens via their User API,
or possibly give us another less write-heavy storage mechanism to
handle tasks like these, I think it's going to be the best I can do.

On Jan 23, 4:59 pm, jeremy <jeremy.a...@gmail.com> wrote:
> aah, i see.
>
> On Jan 23, 10:08 am, "bowman.jos...@gmail.com" <bowman.jos...@gmail.com> wrote:
> > Yea but R would be rotated every 15 seconds which would decrease the
> > window in which a session is really valid by a large margin. That's why
> > the session token needs to be tied to every account.
>
> > On Jan 23, 1:04 am, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > "What I see as a concern with your approach is what happens when the
> > > server wide variable R gets out of sync with someone's version that
> > > was crypted based off of it? The original reason the 3 valid token set"
>
> > > that's why i mention that "you can store the last 3 values of R as is
> > > done now for each session's sid" - so all 3 would be tried as is done
> > > now with the sid list on each session entity. you could also count how
> > > often R has been randomized and hand this iteration index to the
> > > client as part of the token.
>
> > > i'm not sure about going primarily with memcache - isn't memcache
> > > designed only to be a caching layer? memcache isn't volatile in the
> > > sense of being either up or down. rather, it throws out stored data
> > > "randomly" as far as the developer is concerned as load increases.
>
> > > On Jan 23, 1:37 am, "bowman.jos...@gmail.com" <bowman.jos...@gmail.com> wrote:
> > > > By the way, I really am not concerned with analysis attacks. It's
> > > > sniffing/spoofing attacks that are most common for session hijacking.
> > > > I simply sniff the network and find out what the name and value of the
> > > > cookie are, and what user agent you are sending. I then duplicate
> > > > those 2 things and if I'm behind the same NAT as you, I have your
> > > > session loaded up in my browser. If I'm any good at social hacking, I
> > > > set my page to auto refresh and then distract you by talking to you
> > > > until I have your full session by rotating the session tokens past the
> > > > point of where the one in your browser is invalid, and more than
> > > > likely the application will make you log back in, without logging me out.
> > > > This is where you may want to consider tying the session directly to
> > > > a user account, so a user can only be logged in once at any time, and
> > > > logging in invalidates the current log in if it exists, i.e.:
> > > > active_session field on your user model.
>
> > > > Just some late night thoughts when I really should be asleep.
>
> > > > On Jan 22, 11:12 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > > > Hmm, I'm not sure what "session timing" is.
>
> > > > > I have an idea to reduce writes. Instead of updating the sid of every
> > > > > session individually, give each session a random value between 0 and
> > > > > C, and have one application-wide value R randomized every
> > > > > session_token_ttl seconds to an integer between 0 and C, then hand the
> > > > > client the value of this as a token:
>
> > > > > t = (session_id+R)%C
>
> > > > > then when a client hands the server a token, you can compute
> > > > > session_id = (t-R)%C
>
> > > > > > (you can store the last 3 values of R as is done now for each
> > > > > > session's sid)
>
> > > > > I'm pretty sure there's no analysis attack that would allow a client
> > > > > to figure out either R at any moment or their own (constant)
> > > > > session_id. But, i could be wrong about that :\ ... The advantage
> > > > > would be you're only updating a single datastore entity every
> > > > > session_token_ttl.
>
> > > > > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com" <bowman.jos...@gmail.com> wrote:
> > > > > > > I've gone with a different approach that currently achieves similar
> > > > > > > results, that's now available in the trunk. A new variable,
> > > > > > > last_activity_update, has been added. It's the number of seconds that
> > > > > > > needs to pass before that field needs to be updated by doing a put().
> > > > > > > It defaults to 60 seconds, which of course is longer than the duration
> > > > > > > before a put is required to update the session token with the default
> > > > > > > settings.
>
> > > > > > > This will allow developers who wish to lengthen their
> > > > > > > session_token_ttl to a larger interval to still get their
> > > > > > > last_activity update in, useful for session timing. It too is
> > > > > > > customizable, so developers who have no use for this field can set
> > > > > > > it to a large enough number to be irrelevant.
>
> > > > > > > I'm trying to flesh out an idea I have to limit the amount of writes
> > > > > > > for the token even further, but am still researching it. If I figure
> > > > > > > it out I will get it in and do another release. Otherwise I will
> > > > > > > release what's there now. Before any release I want to go over the
> > > > > > > refactoring you did as it does look more efficient than what I
> > > > > > > currently have, thanks.
>
> > > > > > On Jan 22, 6:31 pm, jeremy <jeremy.a...@gmail.com> wrote:
>
> > > > > > > > Ok. I actually modified Session.__init__ locally to do the
> > > > > > > > last_activity on sid rotation (i also refactored it a bit to reduce
> > > > > > > > repeated code blocks). Regarding google.com's SID cookie - i'm not
> > > > > > > > seeing the sid update within minutes. I'm not sure why yours rotates
> > > > > > > > so quickly, but it's something entirely configurable in your code so
> > > > > > > > it shouldn't matter. Anyway, here's my version of Session.__init__ :
>
> > > > > > > >     def __init__(self, cookie_path=DEFAULT_COOKIE_PATH,
> > > > > > > >             cookie_name=COOKIE_NAME,
> > > > > > > >             session_expire_time=SESSION_EXPIRE_TIME,
> > > > > > > >             clean_check_percent=CLEAN_CHECK_PERCENT,
> > > > > > > >             integrate_flash=INTEGRATE_FLASH, check_ip=CHECK_IP,
> > > > > > > >             check_user_agent=CHECK_USER_AGENT,
> > > > > > > >             set_cookie_expires=SET_COOKIE_EXPIRES,
> > > > > > > >             session_token_ttl=SESSION_TOKEN_TTL):
> > > > > > > >         """
> > > > > > > >         Initializer
>
> > > > > > > >         Args:
> > > > > > > >           cookie_name: The name for the session cookie stored in
> > > > > > > >               the browser.
> > > > > > > >           session_expire_time: The amount of time between requests
> > > > > > > >               before the session expires.
> > > > > > > >           clean_check_percent: The percentage of requests that will
> > > > > > > >               fire off a cleaning routine that deletes stale session
> > > > > > > >               data.
> > > > > > > >           integrate_flash: If appengine-utilities flash utility
> > > > > > > >               should be integrated into the session object.
> > > > > > > >           check_ip: If browser IP should be used for session
> > > > > > > >               validation.
> > > > > > > >           check_user_agent: If the browser user agent should be
> > > > > > > >               used for session validation.
> > > > > > > >           set_cookie_expires: True adds an expires field to the
> > > > > > > >               cookie so it saves even if the browser is closed.
> > > > > > > >           session_token_ttl: Number of sessions a session token is
> > > > > > > >               valid for before it should be regenerated.
> > > > > > > >         """
>
> > > > > > > >         self.cookie_path = cookie_path
> > > > > > > >         self.cookie_name = cookie_name
> > > > > > > >         self.session_expire_time = session_expire_time
> > > > > > > >         self.clean_check_percent = clean_check_percent
> > > > > > > >         self.integrate_flash = integrate_flash
> > > > > > > >         self.check_user_agent = check_user_agent
> > > > > > > >         self.check_ip = check_ip
> > > > > > > >         self.set_cookie_expires = set_cookie_expires
> > > > > > > >         self.session_token_ttl = session_token_ttl
>
> > > > > > > >         # make sure the page is not cached in the browser
> > > > > > > >         self.no_cache_headers()
>
> > > > > > > >         # check the cookie and, if necessary, create a new one
> > > > > > > >         self.cache = {}
> > > > > > > >         self.sid = None
> > > > > > > >         string_cookie = os.environ.get('HTTP_COOKIE', '')
> > > > > > > >         self.cookie = Cookie.SimpleCookie()
> > > > > > > >         self.output_cookie = Cookie.SimpleCookie()
> > > > > > > >         self.cookie.load(string_cookie)
>
> > > > > > > >         dirty = False
>
> > > > > > > >         # check for existing cookie
> > > > > > > >         if self.cookie.get(cookie_name):
> > > > > > > >             self.sid = self.cookie[cookie_name].value
> > > > > > > >             # will return None if sid expired
> > > > > > > >             self.session = self._get_session()
> > > > > > > >         else:
> > > > > > > >             self.sid = self.new_sid()
> > > > > > > >             self.session = None
>
> > > > > > > >         if self.session is None:
> > > > > > > >             # start a new session if there is None.
> > > > > > > >             self.sid = self.new_sid()
> > > > > > > >             self.session = _AppEngineUtilities_Session()
> > > > > > > >             if 'HTTP_USER_AGENT' in os.environ:
> > > > > > > >                 self.session.ua = os.environ['HTTP_USER_AGENT']
> > > > > > > >             else:
> > > > > > > >                 self.session.ua = None
> > > > > > > >             if 'REMOTE_ADDR' in os.environ:
> > > > > > > >                 self.session.ip = os.environ['REMOTE_ADDR']
> > > > > > > >             else:
> > > > > > > >                 self.session.ip = None
> > > > > > > >             self.session.sid = [self.sid]
> > > > > > > >             dirty = True
> > > > > > > >         else:
> > > > > > > >             # check the age of the token to determine if a new one
> > > > > > > >             # is required
>
> ...
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to 
google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---
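As an added example (not code from this thread or from the appengine-utilities project), here is a small in-memory model of the mechanisms the thread discusses: a per-session sid list that keeps the last 3 tokens valid, rotation once session_token_ttl has elapsed, a last_activity stamp that is only written every last_activity_update seconds so a single put() covers both changes, and an active_session per account so that a new login invalidates the existing session. The class names, the `puts` counter and all timing values are constructed for the demo; `now` is passed in explicitly so the behaviour is deterministic.

```python
SID_HISTORY = 3   # old sids that stay valid: the "last 3" window the thread describes

class SessionEntity:  # stand-in for the datastore session entity (constructed here)
    def __init__(self, sid, now):
        self.sid = [sid]            # newest first; only the last SID_HISTORY are accepted
        self.sid_rotated = now      # when the current token was issued
        self.last_activity = now    # rewritten only every activity_update seconds

class SessionStore:
    def __init__(self, token_ttl, activity_update):
        self.token_ttl = token_ttl              # plays the role of session_token_ttl
        self.activity_update = activity_update  # plays the role of last_activity_update
        self.entities = {}          # every still-valid sid -> its entity
        self.active_session = {}    # user -> entity: one live session per account
        self.puts = 0               # simulated datastore put() count
        self._counter = 0

    def _new_sid(self):
        self._counter += 1          # predictable for the demo; a real store draws a random sid
        return "sid-%d" % self._counter

    def login(self, user, now):
        old = self.active_session.get(user)   # the active_session idea from the thread
        if old is not None:
            for sid in old.sid:     # a fresh login kills the account's existing session
                self.entities.pop(sid, None)
        ent = SessionEntity(self._new_sid(), now)
        self.entities[ent.sid[0]] = ent
        self.active_session[user] = ent
        self.puts += 1
        return ent.sid[0]

    def touch(self, presented_sid, now):
        ent = self.entities.get(presented_sid)
        if ent is None:
            return None             # expired, rotated out of the window, or invalidated
        dirty = False
        if now - ent.sid_rotated >= self.token_ttl:
            ent.sid.insert(0, self._new_sid())
            for stale in ent.sid[SID_HISTORY:]:
                self.entities.pop(stale, None)
            del ent.sid[SID_HISTORY:]
            self.entities[ent.sid[0]] = ent
            ent.sid_rotated = now
            dirty = True
        if now - ent.last_activity >= self.activity_update:
            ent.last_activity = now
            dirty = True
        if dirty:
            self.puts += 1          # one write covers both the rotation and the activity stamp
        return ent.sid[0]           # the client should use this (possibly new) sid from now on
```

A request inside the ttl that presents any of the three most recent sids costs no write at all; a stolen sid stops working once it has rotated out of the window or the account logs in again.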