On 21 September 2011 01:41, bowman.jos...@gmail.com
<bowman.jos...@gmail.com> wrote:
> The purpose of restricting logins to one session is to avoid session
> hijacking. gaeutilities has features that help your site avoid session
> hijacking, which has been made even easier with tools like Firesheep
> - http://codebutler.com/firesheep

> Since (as of last I checked) you can't use SSL when using your own domains,
> cookie sniffing is simple for App Engine apps.

I don't know if I'm understanding this; why would that help? Wouldn't
a sidejacked session look exactly like the currently logged in user
anyway? How does restricting logged in users to always use the same
session help here?

What it would do, I guess, is allow you to keep stuff like profile
info in the session, and have it immediately available on login.

> Sure, other libraries are faster, and if all you care about is performance,
> then I'd suggest using them. The only reason to choose gaeutilities is that it
> was written with security prioritized over performance, and therefore is more
> secure than the other libraries. Not to say it's secure; without SSL it's
> not truly secure, but it's much more difficult to spoof a gaeutilities
> session if configured correctly.

I'm sticking with gaeutilities for now, because the security looks
pretty solid.

>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-appengine/-/XWaPWJ54gt8J.
> To post to this group, send email to google-appengine@googlegroups.com.
> To unsubscribe from this group, send email to
> google-appengine+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
>

-- 
Emlyn

http://my.syyn.cc - Synchronise Google+, Facebook, WordPress and Google
Buzz posts, comments and all.
http://point7.wordpress.com - My blog
Find me on Facebook and Buzz
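The thread above argues about what "one session per login" buys you against a sidejacked cookie when the site has no SSL. The following is an added example written for this page, not code from gaeutilities or from either poster; it is a small, self-contained session store in plain Python that makes the trade-offs visible. The three mechanisms it implements are assumptions about how such a scheme would typically be built: the session ID is HMAC-signed so a guessed ID is rejected, each session is bound to a fingerprint of the client's User-Agent and IP, and a fresh login invalidates the user's previous session. The secret key, user names and client details are constructed test data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side secret for the example; a real deployment
# would load this from configuration, never from source.
SECRET_KEY = b"example-only-server-secret"


@dataclass
class Session:
    sid: str          # random session identifier (stored server side)
    user: str         # who logged in
    fingerprint: str  # hash of the client that created the session


class SessionStore:
    """Server-side sessions with signed IDs, client binding and one session per user."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions: dict[str, Session] = {}  # sid -> Session
        self.active: dict[str, str] = {}        # user -> currently valid sid

    @staticmethod
    def fingerprint(user_agent: str, remote_ip: str) -> str:
        # Bind the session to observable client properties. This is weak
        # (both are attacker-controlled or shared behind NAT) but raises the bar.
        return hashlib.sha256(f"{user_agent}|{remote_ip}".encode()).hexdigest()

    def _sign(self, sid: str) -> str:
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, user_agent: str, remote_ip: str) -> str:
        """Create a session and return the cookie value '<sid>.<mac>'."""
        # One session per user: a new login kills any earlier session,
        # including one an attacker may be replaying.
        old_sid = self.active.pop(user, None)
        if old_sid is not None:
            self.sessions.pop(old_sid, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, user, self.fingerprint(user_agent, remote_ip))
        self.active[user] = sid
        return f"{sid}.{self._sign(sid)}"

    def resolve(self, cookie: str, user_agent: str, remote_ip: str):
        """Return the user behind a presented cookie, or None if it is rejected."""
        try:
            sid, mac = cookie.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._sign(sid)):
            return None  # forged or tampered cookie: signature does not verify
        sess = self.sessions.get(sid)
        if sess is None:
            return None  # unknown, or invalidated by a later login
        if not hmac.compare_digest(sess.fingerprint, self.fingerprint(user_agent, remote_ip)):
            return None  # cookie replayed from a different-looking client
        return sess.user


def demo() -> dict:
    """Walk through the sidejacking scenario from the thread and collect outcomes."""
    store = SessionStore(SECRET_KEY)
    victim_ua, victim_ip = "Mozilla/5.0 (victim laptop)", "203.0.113.5"  # constructed
    cookie = store.login("alice", victim_ua, victim_ip)
    out = {}
    # Legitimate use of the cookie.
    out["victim"] = store.resolve(cookie, victim_ua, victim_ip)
    # Attacker sniffs the cookie on open wifi but replays it from a different tool.
    out["replay_other_ua"] = store.resolve(cookie, "curl/7.0", victim_ip)
    # Attacker also clones the User-Agent and sits behind the same NAT:
    # the server cannot tell the two apart, which is Emlyn's point.
    out["replay_cloned"] = store.resolve(cookie, victim_ua, victim_ip)
    # Victim logs in again from another device; the stolen session is now dead.
    store.login("alice", "Mozilla/5.0 (victim phone)", "198.51.100.7")
    out["after_relogin"] = store.resolve(cookie, victim_ua, victim_ip)
    # Attacker guesses a session ID without knowing the server key.
    out["forged"] = store.resolve(secrets.token_hex(16) + ".deadbeef", victim_ua, victim_ip)
    return out
```

Run `demo()` and you get the two halves of the argument in one place: a cloned cookie replayed from a matching client is accepted, because without SSL nothing distinguishes it from the victim, while the forged cookie, the replay from a mismatched client and every use of the cookie after the victim's next login are rejected. Binding to the remote IP is the most fragile of the three checks (mobile carriers and corporate NAT change or share addresses), so in practice it is often dropped or relaxed to a prefix.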
