The problems I see with that approach are:
- 1 time token can be sniffed. We have limited ssl support with appengine, which is why the session token client side needs to change.
- Relying on gears, flash, or even javascript creates client side dependencies. gaeutilities already has a dependency on cookies because it's low enough level that trying to create a way to append the session token to all requests for all applications wasn't really possible. Though I do have plans to expose the session token via some method to provide an opportunity for people to do that. Adding more dependencies is something I want to avoid.

On Jan 24, 12:57 pm, yejun <yej...@gmail.com> wrote:
> Maybe store a secure token locally on gears or flash, then send one
> time token by javascript. But the initial token still needs to be
> delivered by ssl.