[google-appengine] Re: hiding private key
Brian,

If you plan on storing the key in a file, I would suggest using the svn:ignore feature:

http://svnbook.red-bean.com/en/1.5/svn-book.html#svn.advanced.props.special.ignore

You can tell svn to not check in any file that matches your private filename. Just let your collaborators know they're supposed to add their version of the private file after svn checkout.

-Bill

On Jan 23, 8:21 pm, thebrianschott wrote:
> Dave,
>
> Thank you for clarifying that. I guess I would have to put the key into the datastore, but that may not be practical for me either. I have not decided yet how much access to the datastore I will give users of my app, yet. I don't think they need any, but I cannot be sure now.
>
> In any case, thanks again for sticking with this discussion.
>
> On Jan 23, 6:51 pm, David Symonds wrote:
> > On Sat, Jan 24, 2009 at 7:41 AM, thebrianschott wrote:
> > > I think I can save my secret key in a static file that is not "add"ed to the svn and I was told by David that everything (source, etc) is secret that is committed to the appspot. So as long as the static file is not "add"ed to the svn, it's secure, isn't it?
> >
> > If it's in a static place (i.e. you use static_files or static_dir directives in app.yaml), it'll be accessible by any web user. Nothing else is directly accessible, though, so you'd be fine.
> >
> > Dave.
>
> Brian in Atlanta

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com
To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en
-~--~~~~--~~--~--~---
[google-appengine] Re: Google's Source Control Vision
I use git for controlling my App Engine source code. (For example, I released my early attempt at a blog over at http://github.com/DocSavage/bloog )

When you deploy on App Engine, you can set the version ID of your code. I've created a shell script which automatically generates the git version hash and puts it in the app.yaml "version" key/value. App Engine will let you use any alphanumeric string for versions, so git hashes are OK.

So your team can use whatever source control system for the code (git is great for distributed teams), and when you deploy, you have multiple versions of your app in the cloud ready to run. Each version's ID tells you the exact repository state. The App Engine server console lets you easily switch the app version used for your main url, and it even lets you test each version separately through longer urls at appspot.com.

The system is pretty nice.

-Bill

On Jan 22, 5:33 pm, GenghisOne wrote:
> Does the current version of Google's App Engine vision address distributed software development and source control?
>
> Or put more practically, how can a couple of distributed software developers collaborate on a Google App? For instance, how can I pull down the latest source and update it?
>
> Thx.
[google-appengine] Re: Chinese characters in a web page cause an error, not sure why
Add #coding=utf-8 at the beginning of the file.

2009/1/22 Chinese characters in a web page cause an error, not sure why
> this code right in local development environment, but error on update to server.
>
> import wsgiref.handlers
> from google.appengine.ext import webapp
>
> class MainPage(webapp.RequestHandler):
>     def get(self):
>         self.response.headers['Content-Type'] = 'text/html; charset=utf-8'
>         self.response.out.write('Hello, have no thing,有了汉字就不灵了?')
>
> def main():
>     application = webapp.WSGIApplication(
>         [('/', MainPage)],
>         debug=True)
>     wsgiref.handlers.CGIHandler().run(application)
>
> if __name__ == "__main__":
>     main()
>
> Error: Server Error
>
> The server encountered an error and could not complete your request.
> If the problem persists, please report your problem and mention this error message and the query that caused it.

--
Stay hungry,Stay foolish.
[google-appengine] Re: hiding private key
Dave,

Thank you for clarifying that. I guess I would have to put the key into the datastore, but that may not be practical for me either. I have not decided yet how much access to the datastore I will give users of my app, yet. I don't think they need any, but I cannot be sure now.

In any case, thanks again for sticking with this discussion.

On Jan 23, 6:51 pm, David Symonds wrote:
> On Sat, Jan 24, 2009 at 7:41 AM, thebrianschott wrote:
> > I think I can save my secret key in a static file that is not "add"ed to the svn and I was told by David that everything (source, etc) is secret that is committed to the appspot. So as long as the static file is not "add"ed to the svn, it's secure, isn't it?
>
> If it's in a static place (i.e. you use static_files or static_dir directives in app.yaml), it'll be accessible by any web user. Nothing else is directly accessible, though, so you'd be fine.
>
> Dave.

Brian in Atlanta
[google-appengine] Re: Custom Login System
By the way, relying on javascript to handle hashing passwords and such isn't a reliable solution. If that's what's coming from the browser, then anyone else can just sniff that hash and send it as the password with the username. In the end you're relying on data from the client being secure, which is bad.

I'd suggest, if you don't want to use the Google User API, you look into still using other ID providers, such as OpenID, Oauth, or Facebook connect. They will handle the login via SSL on their end, and the account validation would happen via urlfetch between your application and the provider, leaving no traffic to be sniffed on the user's network. If you really need a unique user system, I suppose you could set up a VPS server and have it act as an OpenID provider.

One thought that just hit me as I was writing this up is you could also use the built-in application.appspot.com ssl that google provides you to handle the login by making it an OpenID provider. I believe there's a sample application out there for making an OpenID provider on GAE. Then your application, if you're using your own domain name, could urlfetch to itself for that portion of the authentication, in order to get the cookie domain set correctly for your sessions.

This is something that would make an interesting little project, I wish I had time for.

On Jan 23, 10:42 pm, "bowman.jos...@gmail.com" wrote:
> gaeutilities - http://gaeutilities.appspot.com/ - has a session class built specifically to work around that problem. The session id (used for matching data to the session) is never passed to the browser, rather it uses a session token system. By default a session token is valid for only 5 seconds, after which a new session token is generated. The current token, plus previous two, are stored and are valid on requests in order to not cause problems with sites whose pages may make multiple requests (AJAX oriented sites). It also includes a middleware class so you can plug it in and use it directly with memcache.
>
> Version 1.1.1 is the current release, and the next release will include some new functionality to try and increase the performance by relying more on memcache (while still using the datastore in order to provide a completely reliable solution). It already uses both, but I'm working on cutting down the amount of writes.
>
> It's BSD licensed, open source. There are no fees or attribution requirements for its use.
>
> This will not provide you with a login system. However, it does plug directly into django using the middleware so you can use django's authentication system. I in fact am currently using it, django, and the appenginepatch project - http://code.google.com/p/app-engine-patch/ - with some custom backends to handle OpenId and Oauth authentication for my user management system.
>
> On Jan 23, 4:16 pm, MajorProgamming wrote:
> > "Javascript on your login form should first hash the password, then hash the result with a salt - say the session id"
> > I assume that's only true if I opt out of SSL?
> >
> > "That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it."
> > But can't the attackers simply spoof a request with that session id in the cookies?
> >
> > On Jan 23, 4:01 pm, Greg wrote:
> > > First, if you are not a security expert, consider using Django's authentication framework. Online security is not easy - there are a lot of things you have to get right, and missing just one of them means you've failed.
> > >
> > > I have a reasonable amount of experience with online security, so I built my own authentication system on top of gmemsess, a memcache-backed session object. Unfortunately my code isn't modular enough to publish, but here are a few pointers...
> > >
> > > - SSL is always good, because it means anyone with access to your comms can't easily see what you are doing. However, it isn't crucial, as long as your customers can live with the unlikely event of someone sniffing their traffic - a good authentication scheme will prevent attackers sniffing passwords, although everything they do after logging in may be visible.
> > >
> > > - Cookies are far more convenient than trying to pass a session ID with every request. Your cookie should contain a single random ID, which your app then uses to find the session object in memcache. That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it.
> > >
> > > - Store a hash of the password on appengine, not the password itself. This means admin cannot steal passwords, as well as allowing for safe transport of the password.
> > >
> > > - Javascript on your login form should first hash the password, then hash the result with a salt - say the session id. The extra salted hash prevents a sniffer fr
[google-appengine] Re: Custom Login System
gaeutilities - http://gaeutilities.appspot.com/ - has a session class built specifically to work around that problem. The session id (used for matching data to the session) is never passed to the browser, rather it uses a session token system. By default a session token is valid for only 5 seconds, after which a new session token is generated. The current token, plus previous two, are stored and are valid on requests in order to not cause problems with sites whose pages may make multiple requests (AJAX oriented sites). It also includes a middleware class so you can plug it in and use it directly with memcache.

Version 1.1.1 is the current release, and the next release will include some new functionality to try and increase the performance by relying more on memcache (while still using the datastore in order to provide a completely reliable solution). It already uses both, but I'm working on cutting down the amount of writes.

It's BSD licensed, open source. There are no fees or attribution requirements for its use.

This will not provide you with a login system. However, it does plug directly into django using the middleware so you can use django's authentication system. I in fact am currently using it, django, and the appenginepatch project - http://code.google.com/p/app-engine-patch/ - with some custom backends to handle OpenId and Oauth authentication for my user management system.

On Jan 23, 4:16 pm, MajorProgamming wrote:
> "Javascript on your login form should first hash the password, then hash the result with a salt - say the session id"
> I assume that's only true if I opt out of SSL?
>
> "That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it."
> But can't the attackers simply spoof a request with that session id in the cookies?
>
> On Jan 23, 4:01 pm, Greg wrote:
> > First, if you are not a security expert, consider using Django's authentication framework. Online security is not easy - there are a lot of things you have to get right, and missing just one of them means you've failed.
> >
> > I have a reasonable amount of experience with online security, so I built my own authentication system on top of gmemsess, a memcache-backed session object. Unfortunately my code isn't modular enough to publish, but here are a few pointers...
> >
> > - SSL is always good, because it means anyone with access to your comms can't easily see what you are doing. However, it isn't crucial, as long as your customers can live with the unlikely event of someone sniffing their traffic - a good authentication scheme will prevent attackers sniffing passwords, although everything they do after logging in may be visible.
> >
> > - Cookies are far more convenient than trying to pass a session ID with every request. Your cookie should contain a single random ID, which your app then uses to find the session object in memcache. That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it.
> >
> > - Store a hash of the password on appengine, not the password itself. This means admin cannot steal passwords, as well as allowing for safe transport of the password.
> >
> > - Javascript on your login form should first hash the password, then hash the result with a salt - say the session id. The extra salted hash prevents a sniffer from simply sending the hash to login, and also guards against using rainbow tables to discover the password. Make sure you destroy the field containing the original password, so it isn't sent in clear along with the hash!
> >
> > - On appengine, hash the stored password hash with the salt and compare with the sent hash - they should be the same.
> >
> > - I usually disable the account if I get three wrong passwords, to prevent dictionary attacks. This requires some admin work to handle users who've been locked out, but means you don't need to implement captchas.
> >
> > - Authentication is only the first step - you need to keep security at the top of your agenda throughout the whole application. For instance, if you have a url like fox.delete?id=123 that deletes a user's fox, always check that 123 actually belongs to this user. Otherwise users could delete other user's foxes by retyping the url.
> >
> > gmemsess is at http://code.google.com/p/gmemsess/
> >
> > Cheers!
> > Greg.
> >
> > On Jan 24, 8:42 am, MajorProgamming wrote:
> > > I am currently working on an App that requires that I use a custom sign in method.
> > >
> > > I was wondering if there are any security flaws I should be aware of...
> > >
> > > Also:
> > >
> > > I was wondering if I must use SSL for proper security?
> > >
> > > Is the best way to maintain sessions through using cookies?
> > >
> > > Do I have to perform some sort of check on the cookie even though I'm using SSL? If so should I
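
The salted-hash login exchange and three-strikes lockout described in the quoted pointers, as an added example that is not code from any poster in this thread or from gmemsess. SHA-256, the class and function names, and the sample account are assumptions; the thread names no hash function.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # the quoted post disables the account after three wrong passwords


def h(data: bytes) -> str:
    # SHA-256 is an assumption; the thread does not name a hash function.
    return hashlib.sha256(data).hexdigest()


def client_response(password: str, salt: str) -> str:
    """What the login form's script would send: hash(hash(password) + salt)."""
    return h((h(password.encode()) + salt).encode())


class LoginServer:
    """Hypothetical server side of the exchange."""

    def __init__(self):
        self.stored = {}      # username -> hash(password), never the password
        self.failures = {}    # username -> consecutive wrong attempts
        self.pending = set()  # session ids issued as salts and not yet used

    def register(self, user, password):
        self.stored[user] = h(password.encode())
        self.failures[user] = 0

    def new_session(self):
        """Issue a random session id; the post uses it as the salt."""
        sid = secrets.token_hex(16)
        self.pending.add(sid)
        return sid

    def login(self, sid, user, response):
        if sid not in self.pending or user not in self.stored:
            return "rejected"
        self.pending.discard(sid)  # each salt is accepted once
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        # "hash the stored password hash with the salt and compare"
        expected = h((self.stored[user] + salt_of(sid)).encode())
        if hmac.compare_digest(expected, response):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= MAX_FAILURES else "rejected"


def salt_of(sid):
    # In this sketch the salt is the session id itself, as the post suggests.
    return sid


def demo():
    server = LoginServer()
    server.register("alice", "correct horse")  # constructed sample account
    sid = server.new_session()
    captured = client_response("correct horse", sid)  # what crosses the wire
    first = server.login(sid, "alice", captured)
    replay_same = server.login(sid, "alice", captured)  # salt already used
    replay_new = server.login(server.new_session(), "alice", captured)
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```

A captured response fails under any later salt, but the stored hash is exactly what the client proves knowledge of, so it needs the same protection as a password, and the session cookie issued after login is still visible on the wire without SSL.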
[google-appengine] Re: is gaeutilities sessions the only 3rd party session manager?
I have some ideas now that I think will help out over all. Keep an eye out for the next release. It won't be perfect, but unless Google can provide some sort of mechanism for session tokens via their User API, or possibly give us another less write heavy storage mechanism to handle tasks like these, I think it's going to be the best I can do.

On Jan 23, 4:59 pm, jeremy wrote:
> aah, i see.
>
> On Jan 23, 10:08 am, "bowman.jos...@gmail.com" wrote:
> > Yea but R would be rotated every 15 seconds which would decrease the window in which a session is really valid by a large margin. That's why the session token needs to be tied to every account.
> >
> > On Jan 23, 1:04 am, jeremy wrote:
> > > "What I see as a concern with your approach is what happens when the server wide variable R gets out of sync with someone's version that was crypted based off of it? The original reason the 3 valid token set "
> > >
> > > that's why i mention that "you can store the last 3 values of R as is done now for each sessions sid" - so all 3 would be tried as is done now with the sid list on each session entity. you could also count how often R has been randomized and hand this iteration index to the client as part of the token.
> > >
> > > i'm not sure about going primarily with memcache - isn't memcache designed only to be a caching layer? memcache isn't volatile in the sense of being either up or down. rather, it throws out stored data "randomly" as far as the developer is concerned as load increases.
> > >
> > > On Jan 23, 1:37 am, "bowman.jos...@gmail.com" wrote:
> > > > By the way, I really am not concerned with analysis attacks. It's sniffing/spoofing attacks that are most common for session hijacking. I simply sniff the network and find out what the name and value of the cookie are, and what user agent you are sending. I then duplicate those 2 things and if I'm behind the same NAT as you, I have your session loaded up in my browser. If I'm any good at social hacking, I set my page to auto refresh and then distract you by talking to you until I have your full session by rotating the session tokens past the point of where the one in your browser is invalid, and more than likely the application will make you log back in, without logging me out. This is where you may want to consider tying the session directly to a user account, so a user can only be logged in once at any time, and logging invalidates the current log in if it exists, ie: active_session field on your user model.
> > > >
> > > > Just some late night thoughts when I really should be asleep.
> > > >
> > > > On Jan 22, 11:12 pm, jeremy wrote:
> > > > > Hmm, I'm not sure what "session timing" is.
> > > > >
> > > > > I have an idea to reduce writes. Instead of updating the sid of every session individually, give each session a random value between 0 and C, and have one application-wide value R randomized every session_token_ttl seconds to an integer between 0 and C, then hand the client the value of this as a token:
> > > > >
> > > > > t = (session_id+R)%C
> > > > >
> > > > > then when a client hands the server a token, you can compute
> > > > > session_id = (t-R)%C
> > > > >
> > > > > (you can store the last 3 values of R as is done now for each sessions sid)
> > > > >
> > > > > I'm pretty sure there's no analysis attack that would allow a client to figure out either R at any moment or their own (constant) session_id. But, i could be wrong about that :\ ... The advantage would be you're only updating a single datastore entity every session_token_ttl.
> > > > >
> > > > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com" wrote:
> > > > > > I've gone with a different approach that currently achieves similar results, that's now available in the trunk. A new variable, last_activity_update has been added. It's the amount of seconds that needs to pass before that field needs to be updated by doing a put(). It defaults to 60 seconds, which of course is longer than the duration before a put is required to update the session token with the default settings.
> > > > > >
> > > > > > This will allow developers who wish to lengthen their session_token_ttl to a larger interval to still get their last_activity update in, useful for session timing. It too is customizable so for developers who have no use for this field can set it to a large enough number to be irrelevant.
> > > > > >
> > > > > > I'm trying to flush out an idea I have to limit the amount of writes for the token even further, but am still researching it. If I figure it out I will get it in and do another release. Otherwise I will
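
The token rotation this thread discusses (a short-lived token, with the current token and the previous two accepted, and one storage write per rotation), as an added example that is not gaeutilities code. The class, its method names and the injectable clock are assumptions; the 5-second default comes from the Custom Login System thread.

```python
import hmac
import secrets
import time


class RotatingSession:
    """Hypothetical session that hands the browser rotating tokens."""

    def __init__(self, token_ttl=5, keep=3, clock=time.time):
        self.sid = secrets.token_hex(16)       # internal id, never sent out
        self.token_ttl = token_ttl             # seconds before a new token
        self.keep = keep                       # current token + previous two
        self.clock = clock
        self.tokens = [secrets.token_hex(16)]  # newest first
        self.issued_at = clock()
        self.writes = 0                        # rotations = storage writes

    def current_token(self):
        return self.tokens[0]

    def _rotate_if_due(self):
        now = self.clock()
        if now - self.issued_at >= self.token_ttl:
            fresh = secrets.token_hex(16)
            self.tokens = ([fresh] + self.tokens)[:self.keep]
            self.issued_at = now
            self.writes += 1

    def accept(self, presented):
        """Validate a request's token.

        Returns the token to set in the response cookie, or None when the
        presented token is outside the accepted window.
        """
        if not any(hmac.compare_digest(presented, t) for t in self.tokens):
            return None
        self._rotate_if_due()  # rotation happens lazily, on a valid request
        return self.tokens[0]


def demo():
    now = [0.0]                                # constructed fake clock
    session = RotatingSession(clock=lambda: now[0])
    stale = session.current_token()            # copy that never gets updated
    live = stale                               # browser that follows rotation
    stale_ok = []
    for _ in range(3):
        now[0] += 5                            # one ttl between requests
        live = session.accept(live)
        stale_ok.append(session.accept(stale) is not None)
    return stale_ok, session.writes


if __name__ == "__main__":
    print(demo())
```

The copy that stops following the rotation is accepted for two more rotations and rejected after the third, and each rotation costs one write, which is the cost the thread is trying to reduce.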
[google-appengine] Re: Flash ExternalInterface and GAE
I guess I must have been mistaken that the flash could communicate with javascript cause I tried it again and it cannot. I posted my examples... they both use the same exact html file and same exact swf file:

lets-tango.appspot.com <- hosted on google app engine
digitillusion.ethereallan.org/external <- hosted on my server

if you use firebug you'll notice that your callbacksInitialized() is hit on the 2nd one but not the first. here is the actionscript:

import flash.external.*;

//Set up Javascript to Actionscript
var methodName:String = "sendTextFromHtml";
var instance:Object = null;
var method:Function = recieveTextFromHtml;
addCallBacks();

function addCallBacks() {
    var wasSuccessful:Boolean = ExternalInterface.addCallback(methodName, instance, method);
    ExternalInterface.call("callbacksInitialized");
}

//Actionscript to Javascript
//ExternalInterface.call("recieveTextFromFlash", _root.theText.text);
function recieveTextFromHtml(t) {
    _root.theText.text = t;
}

_root.button.onRelease = function() {
    ExternalInterface.call("recieveTextFromFlash", _root.theText.text);
    _root.theText.text = "";
}

if anybody has any ideas what might be up please let me know! This is killing me! thanks for your time!

On Jan 22, 10:20 pm, BTang wrote:
> I've been struggling with this for the past couple hours now and I really don't know what could be wrong. I'm simply trying to get Javascript to communicate text with Flash. I found this great example with this source
>
> http://blog.circlecube.com/wp-content/uploads/2008/02/ActionscriptJav...
>
> I ran the html file locally and it works just fine sending and retrieving text from flash. Then I load that same exact sample into my dev google app server and I can't send the text from javascript to flash. Oddly enough though flash is able to send Javascript text. Can anybody see if they can get this running with GAE? Thanks a million!
[google-appengine] Re: How to append to BlobProperty
db.Blob is a subclass of str. Try this code:

from google.appengine.ext import db

class Storage(db.Model):
    blob = db.BlobProperty()

    def append(self, value):
        # db.Blob subclasses str, so += concatenates the byte strings
        self.blob += value

s = Storage()
s.blob = 'abc'
s.append('def')
s.put()

On Jan 24, 3:20 am, Will wrote:
> Hi all,
>
> I'd like to append a byte string to a db.BlobProperty, but can't figure out how. For example,
>
> class Storage(db.Model):
>     blob = db.BlobProperty()
>
> def append(s, ext):
>     s.blob += ext  # want something like this
>
> I've tried to construct a db.Blob, like this:
> tmp = db.Blob(s.blob)
>
> but failed because db.Blob's constructor only takes a str object.
>
> Any ideas? Thanks in advance.
>
> Will
[google-appengine] Re: Django, including a file
> Has anyone got include working? I've been searching everywhere but find any simple examples of AppEngine including templates!

{% include %} works for me, I'm using app-engine-patch. Which version of Django do you use? What is your folder structure, where the templates are kept (both the parent and the included one)?
[google-appengine] Complex tagging of items
I have a bit of a problem coming up with an efficient data model/algo for a project I am working on:

I have a few hundred items, each tagged with zero or more tags. I need to be able to fetch items that, for example, are tagged with tag1 AND (tag2 OR tag3) AND NOT tag4.

Any help would be greatly appreciated!
[google-appengine] Re: Google App Engine with ClientLogin Interface
aha. i had the service set to "apps" on the initial token request. i set it to ah and all is well.

On Jan 23, 6:34 pm, ghostrocket wrote:
> Well ... now I am a little closer.
>
> It seems if I pull the auth token I am given when I log directly into the website, and navigate to: http://yourapp.appspot.com/_ah/login?auth=myauthtoken [making sure i've already cleared all cookies etc] I WILL receive the Set-Cookie: ACSID directive.
>
> If I use the "Auth" token I receive via the ClientLogin ... I will get a 500 error and no Set-Cookie directive. What gives??? This doesn't seem to make any sense.
>
> On Jan 23, 4:57 pm, ghostrocket wrote:
> > I seem to be able to get the "Auth" token correctly, but attempts to use it in the header when I access later pages still just return me the login page's HTML.
> >
> > From what I understand from previous posts, I need to make a call to http://yourapp.appspot.com/_ah/login?auth=myauthtoken which will then give me an ACSID cookie which then needs to be passed in subsequent calls in order to maintain an authenticated state.
> >
> > I'm not able to retrieve this cookie programmatically and I do not see this cookie being set when I simply put that url in a web browser and trace the cookies being set.
> >
> > What gives? ps. i'm doing this objective-c and can provide code if that helps.
[google-appengine] Re: hiding private key
On Sat, Jan 24, 2009 at 7:41 AM, thebrianschott wrote:
> I think I can save my secret key in a static file that is not "add"ed to the svn and I was told by David that everything (source, etc) is secret that is committed to the appspot. So as long as the static file is not "add"ed to the svn, it's secure, isn't it?

If it's in a static place (i.e. you use static_files or static_dir directives in app.yaml), it'll be accessible by any web user. Nothing else is directly accessible, though, so you'd be fine.

Dave.
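
A pre-deploy check for the point made in this reply, as an added example that is not code from the thread: it reports whether a key file sits under a static_dir or is matched by a static_files handler. The handler list is constructed and written as the parsed form of an app.yaml handlers section, the file names are hypothetical, and treating the upload pattern as a full-path match is an assumption.

```python
import posixpath
import re

# Constructed handlers, equivalent to this app.yaml fragment:
#   handlers:
#   - url: /static
#     static_dir: static
#   - url: /docs/(.*)
#     static_files: docs/\1
#     upload: docs/.*
#   - url: /.*
#     script: main.py
HANDLERS = [
    {"url": "/static", "static_dir": "static"},
    {"url": "/docs/(.*)", "static_files": "docs/\\1", "upload": "docs/.*"},
    {"url": "/.*", "script": "main.py"},
]


def static_exposure(path, handlers=HANDLERS):
    """Return how `path` (relative to the app root) would be served as a
    static file, or None when no static handler covers it."""
    path = posixpath.normpath(path)  # collapses "a/../b" before matching
    for handler in handlers:
        if "static_dir" in handler:
            root = posixpath.normpath(handler["static_dir"])
            if path.startswith(root + "/"):
                # Everything under a static_dir is served at url + rest
                return handler["url"].rstrip("/") + path[len(root):]
        elif "static_files" in handler:
            # Assumption: the upload pattern must match the whole path
            if re.fullmatch(handler["upload"], path):
                return "matched by upload pattern of handler " + handler["url"]
    return None


def audit(paths, handlers=HANDLERS):
    """Map each exposed path to the way it is exposed."""
    found = {}
    for p in paths:
        how = static_exposure(p, handlers)
        if how is not None:
            found[p] = how
    return found


if __name__ == "__main__":
    # Hypothetical candidate locations for the key file
    candidates = ["secret.key", "static/secret.key", "docs/keys/secret.key"]
    for path, how in audit(candidates).items():
        print("EXPOSED %s -> %s" % (path, how))
```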
[google-appengine] Calculating Ranks
Hi,

I want to calculate rank of an entity (say a user) based on some property (say score, which keeps changing). Ryan mentioned during the last appengine chat that there is an implementation which does this and that you guys are planning to open source it. Just wanted to know how long it might take for that to happen.

Thank you,
Regards,
Indraneel
[google-appengine] Re: Google App Engine with ClientLogin Interface
Well ... now I am a little closer.

It seems if I pull the auth token I am given when I log directly into the website, and navigate to: http://yourapp.appspot.com/_ah/login?auth=myauthtoken [making sure i've already cleared all cookies etc] I WILL receive the Set-Cookie: ACSID directive.

If I use the "Auth" token I receive via the ClientLogin ... I will get a 500 error and no Set-Cookie directive. What gives??? This doesn't seem to make any sense.

On Jan 23, 4:57 pm, ghostrocket wrote:
> I seem to be able to get the "Auth" token correctly, but attempts to use it in the header when I access later pages still just return me the login page's HTML.
>
> From what I understand from previous posts, I need to make a call to http://yourapp.appspot.com/_ah/login?auth=myauthtoken which will then give me an ACSID cookie which then needs to be passed in subsequent calls in order to maintain an authenticated state.
>
> I'm not able to retrieve this cookie programmatically and I do not see this cookie being set when I simply put that url in a web browser and trace the cookies being set.
>
> What gives? ps. i'm doing this objective-c and can provide code if that helps.
[google-appengine] Re: Marzia Please Help with Account ID Problems!
Marzia,

I tried "reply to author" and sent you the info this morning. Please let me know if you didn't get it, and I'll send it again.

Thanks for your help!

On Jan 23, 9:13 am, Marzia Niccolai wrote:
> Hi,
>
> Please send me the apps and email address involved.
>
> -Marzia
>
> On Thu, Jan 22, 2009 at 11:49 PM, Devel63 wrote:
> > Hi Marzia,
> >
> > I cannot successfully invite developers to an app using Google Apps authentication: when the invited developer clicks on the Apps confirmation link, they get an error page.
> >
> > If instead of inviting a developer from the Apps domain to which I restricted the app, I invite a developer from a different Apps domain, it works!
> >
> > It's possible I unwittingly screwed up this whole account. One app accepts Google IDs, and the other accepts Google App IDs. But I just realized that the although the entire account is "owned" by a standard Google ID, I've been using as a developer login an account that exists both as a Google ID and as a Google Apps ID.
> >
> > I sure could use some help straightening this out! If we could take this offline, I can give you the account IDs and email addresses involved.
> >
> > Thanks,
> > Dan
[google-appengine] verification & uploading, spurious account mixing
I have two testing domains, one verified and one not. By verified, I mean the process of giving a telephone number, having Google SMS a code, then re-entering the code.

My App Engine code was mistakenly uploaded into the wrong Premiere Edition account and verification was done from my cell. Now I can't use my cell to request another verification code for the correct test domain that should have been used originally. I try using another cell phone, but Google will not SMS that phone for a code to my second test account.

So, I have no app uploaded, I can't verify my test domain, and I can't get Google to verify my test domain. I can't get any support to wipe my accounts out to start all over again. Other than to go to another vendor than Google, does anyone have a suggestion?

Evidently there is a difference between accounts when it comes to getting into an admin status board for an App Engine running on appspot.com. I cannot get into any monitoring page from any account I have. I need to know how to get into the monitoring, log status, views, resources used, etc, pages that apply to my improperly uploaded app. Is there a url that will get me into these pages, because I have tried a number of times from my admin panel in my account to get into them and all it does is take me to the url page for the App Engine.

Lastly, is there a tutorial or a piece of Google documentation that will show me, step by moronic step, the way to upload an application? I would like an explanation of what accounts to use, what email/gmail/app accounts to use or to avoid, what is the impact of using the wrong account, what Google code is verifying when an upload takes place, etc.

This process is very unforgiving and once a mistake is made, it seems all the work and money put into establishing service is thrown into the wind.
[google-appengine] Re: is gaeutilities sessions the only 3rd party session manager?
aah, i see.

On Jan 23, 10:08 am, "bowman.jos...@gmail.com" wrote:
> Yea but R would be rotated every 15 seconds which would decrease the window in which a session is really valid by a large margin. That's why the session token needs to be tied to every account.
>
> On Jan 23, 1:04 am, jeremy wrote:
> > "What I see as a concern with your approach is what happens when the server wide variable R gets out of sync with someone's version that was crypted based off of it? The original reason the 3 valid token set "
> >
> > that's why i mention that "you can store the last 3 values of R as is done now for each session's sid" - so all 3 would be tried as is done now with the sid list on each session entity. you could also count how often R has been randomized and hand this iteration index to the client as part of the token.
> >
> > i'm not sure about going primarily with memcache - isn't memcache designed only to be a caching layer? memcache isn't volatile in the sense of being either up or down. rather, it throws out stored data "randomly" as far as the developer is concerned as load increases.
> >
> > On Jan 23, 1:37 am, "bowman.jos...@gmail.com" wrote:
> > > By the way, I really am not concerned with analysis attacks. It's sniffing/spoofing attacks that are most common for session hijacking. I simply sniff the network and find out what the name and value of the cookie are, and what user agent you are sending. I then duplicate those 2 things and if I'm behind the same NAT as you, I have your session loaded up in my browser. If I'm any good at social hacking, I set my page to auto refresh and then distract you by talking to you until I have your full session by rotating the session tokens past the point of where the one in your browser is invalid, and more than likely the application will make you log back in, without logging me out.
> > >
> > > This is where you may want to consider tying the session directly to a user account, so a user can only be logged in once at any time, and logging invalidates the current log in if it exists, ie: active_session field on your user model.
> > >
> > > Just some late night thoughts when I really should be asleep.
> > >
> > > On Jan 22, 11:12 pm, jeremy wrote:
> > > > Hmm, I'm not sure what "session timing" is.
> > > >
> > > > I have an idea to reduce writes. Instead of updating the sid of every session individually, give each session a random value between 0 and C, and have one application-wide value R randomized every session_token_ttl seconds to an integer between 0 and C, then hand the client the value of this as a token:
> > > >
> > > > t = (session_id+R)%C
> > > >
> > > > then when a client hands the server a token, you can compute
> > > > session_id = (t-R)%C
> > > >
> > > > (you can store the last 3 values of R as is done now for each session's sid)
> > > >
> > > > I'm pretty sure there's no analysis attack that would allow a client to figure out either R at any moment or their own (constant) session_id. But, i could be wrong about that :\ ... The advantage would be you're only updating a single datastore entity every session_token_ttl.
> > > >
> > > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com" wrote:
> > > > > I've gone with a different approach that currently achieves similar results, that's now available in the trunk. A new variable, last_activity_update has been added. It's the amount of seconds that needs to pass before that field needs to be updated by doing a put(). It defaults to 60 seconds, which of course is longer than the duration before a put is required to update the session token with the default settings.
> > > > >
> > > > > This will allow developers who wish to lengthen their session_token_ttl to a larger interval to still get their last_activity update in, useful for session timing. It too is customizable so for developers who have no use for this field can set it to a large enough number to be irrelevant.
> > > > >
> > > > > I'm trying to flush out an idea I have to limit the amount of writes for the token even further, but am still researching it. If I figure it out I will get it in and do another release. Otherwise I will release what's there now. Before any release I want to go over the refactoring you did as it does look more efficient than what I currently have, thanks.
> > > > >
> > > > > On Jan 22, 6:31 pm, jeremy wrote:
> > > > > > Ok. I actually modified Session.__init__ locally to do the last_activity on sid rotation (i also refactored it a bit to reduce repeated code blocks). Regarding google.com's SID cookie - i'm not seeing the sid update within minutes. I'm not sure why yours rotates so quickly, but it's somethin
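The shared-offset token scheme discussed in this thread, t = (session_id+R)%C with the last 3 values of R kept, as an added example (not code from gaeutilities or from any poster). The class and function names, the value of C and the in-memory set standing in for the datastore are assumptions; the example also checks how one session's token change relates to another's when R rotates.

```python
import secrets

C = 2 ** 64   # size of the id/token space; the post leaves C unspecified (assumption)
WINDOW = 3    # "store the last 3 values of R"


class SharedOffsetTokens:
    """Session tokens derived from one application-wide offset R."""

    def __init__(self, modulus=C):
        self.modulus = modulus
        self.offsets = [secrets.randbelow(modulus)]  # newest R first
        self.session_ids = set()                     # stands in for the datastore

    def new_session(self):
        sid = secrets.randbelow(self.modulus)
        self.session_ids.add(sid)
        return sid

    def rotate(self):
        """Pick a new R (done every session_token_ttl seconds in the post)."""
        self.offsets.insert(0, secrets.randbelow(self.modulus))
        del self.offsets[WINDOW:]                    # keep only the last 3 values

    def token_for(self, session_id):
        """t = (session_id + R) % C, using the current R."""
        return (session_id + self.offsets[0]) % self.modulus

    def resolve(self, token):
        """Try session_id = (t - R) % C for each remembered R."""
        for r in self.offsets:
            candidate = (token - r) % self.modulus
            if candidate in self.session_ids:
                return candidate
        return None


def token_shift(old_token, new_token, modulus=C):
    """Amount by which a session's token moved between two points in time."""
    return (new_token - old_token) % modulus


def demo():
    svc = SharedOffsetTokens()
    a, b = svc.new_session(), svc.new_session()
    a_old, b_old = svc.token_for(a), svc.token_for(b)

    # A token stays valid while the R that produced it is among the last 3.
    accepted = []
    for _ in range(WINDOW):
        accepted.append(svc.resolve(a_old) == a)
        svc.rotate()
    expired = svc.resolve(a_old) is None

    # Both sessions' tokens moved by the same amount (R_new - R_old) % C,
    # because R is shared. Rotation is therefore not independent per session,
    # which is the argument for tying the token to each session or account.
    a_new, b_new = svc.token_for(a), svc.token_for(b)
    same_shift = token_shift(a_old, a_new) == token_shift(b_old, b_new)
    return {"accepted": accepted, "expired": expired, "same_shift": same_shift}


if __name__ == "__main__":
    print(demo())
```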
[google-appengine] Google App Engine with ClientLogin Interface
I seem to be able to get the "Auth" token correctly, but attempts to use it in the header when I access later pages still just return me the login page's HTML.

From what I understand from previous posts, I need to make a call to http://yourapp.appspot.com/_ah/login?auth=myauthtoken which will then give me an ACSID cookie which then needs to be passed in subsequent calls in order to maintain an authenticated state.

I'm not able to retrieve this cookie programmatically and I do not see this cookie being set when I simply put that url in a web browser and trace the cookies being set.

What gives? ps. i'm doing this objective-c and can provide code if that helps.
[google-appengine] Re: Custom Login System
"Javascript on your login form should first hash the password, then hash the result with a salt - say the session id"

I assume that's only true if I opt out of SSL?

"That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it."

But can't the attackers simply spoof a request with that session id in the cookies?

On Jan 23, 4:01 pm, Greg wrote:
> First, if you are not a security expert, consider using Django's authentication framework. Online security is not easy - there are a lot of things you have to get right, and missing just one of them means you've failed.
>
> I have a reasonable amount of experience with online security, so I built my own authentication system on top of gmemsess, a memcache-backed session object. Unfortunately my code isn't modular enough to publish, but here are a few pointers...
>
> - SSL is always good, because it means anyone with access to your comms can't easily see what you are doing. However, it isn't crucial, as long as your customers can live with the unlikely event of someone sniffing their traffic - a good authentication scheme will prevent attackers sniffing passwords, although everything they do after logging in may be visible.
>
> - Cookies are far more convenient than trying to pass a session ID with every request. Your cookie should contain a single random ID, which your app then uses to find the session object in memcache. That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it.
>
> - Store a hash of the password on appengine, not the password itself. This means admin cannot steal passwords, as well as allowing for safe transport of the password.
>
> - Javascript on your login form should first hash the password, then hash the result with a salt - say the session id. The extra salted hash prevents a sniffer from simply sending the hash to login, and also guards against using rainbow tables to discover the password. Make sure you destroy the field containing the original password, so it isn't sent in clear along with the hash!
>
> - On appengine, hash the stored password hash with the salt and compare with the sent hash - they should be the same.
>
> - I usually disable the account if I get three wrong passwords, to prevent dictionary attacks. This requires some admin work to handle users who've been locked out, but means you don't need to implement captchas.
>
> - Authentication is only the first step - you need to keep security at the top of your agenda throughout the whole application. For instance, if you have a url like fox.delete?id=123 that deletes a user's fox, always check that 123 actually belongs to this user. Otherwise users could delete other users' foxes by retyping the url.
>
> gmemsess is at http://code.google.com/p/gmemsess/
>
> Cheers!
> Greg.
>
> On Jan 24, 8:42 am, MajorProgamming wrote:
> > I am currently working on an App that requires that I use a custom sign in method.
> >
> > I was wondering if there are any security flaws I should be aware of...
> >
> > Also:
> >
> > I was wondering if I must use SSL for proper security?
> >
> > Is the best way to maintain sessions through using cookies?
> >
> > Do I have to perform some sort of check on the cookie even though I'm using SSL? If so should I maybe use a separate hash cookie?
> >
> > Is directly writing cookies to the "set-cookie" header and retrieving them by parsing the "cookie" header, okay? Or is there a security flaw I should be aware of?
> >
> > Thanks for all your help!
[google-appengine] Re: Custom Login System
Typically, or at least in my experience, salting is md5/sha1/whatever(password+salt) rather than md5(md5(password)+salt) ...

Thanks-
- Andy Badera
- and...@badera.us
- (518) 641-1280
- Tech Valley Code Camp 2009.1: http://www.techvalleycodecamp.com/
- Google me: http://www.google.com/search?q=andrew+badera

On Fri, Jan 23, 2009 at 4:01 PM, Greg wrote:
> First, if you are not a security expert, consider using Django's authentication framework. Online security is not easy - there are a lot of things you have to get right, and missing just one of them means you've failed.
>
> I have a reasonable amount of experience with online security, so I built my own authentication system on top of gmemsess, a memcache-backed session object. Unfortunately my code isn't modular enough to publish, but here are a few pointers...
>
> - SSL is always good, because it means anyone with access to your comms can't easily see what you are doing. However, it isn't crucial, as long as your customers can live with the unlikely event of someone sniffing their traffic - a good authentication scheme will prevent attackers sniffing passwords, although everything they do after logging in may be visible.
>
> - Cookies are far more convenient than trying to pass a session ID with every request. Your cookie should contain a single random ID, which your app then uses to find the session object in memcache. That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it.
>
> - Store a hash of the password on appengine, not the password itself. This means admin cannot steal passwords, as well as allowing for safe transport of the password.
>
> - Javascript on your login form should first hash the password, then hash the result with a salt - say the session id. The extra salted hash prevents a sniffer from simply sending the hash to login, and also guards against using rainbow tables to discover the password. Make sure you destroy the field containing the original password, so it isn't sent in clear along with the hash!
>
> - On appengine, hash the stored password hash with the salt and compare with the sent hash - they should be the same.
>
> - I usually disable the account if I get three wrong passwords, to prevent dictionary attacks. This requires some admin work to handle users who've been locked out, but means you don't need to implement captchas.
>
> - Authentication is only the first step - you need to keep security at the top of your agenda throughout the whole application. For instance, if you have a url like fox.delete?id=123 that deletes a user's fox, always check that 123 actually belongs to this user. Otherwise users could delete other users' foxes by retyping the url.
>
> gmemsess is at http://code.google.com/p/gmemsess/
>
> Cheers!
> Greg.
>
> On Jan 24, 8:42 am, MajorProgamming wrote:
> > I am currently working on an App that requires that I use a custom sign in method.
> >
> > I was wondering if there are any security flaws I should be aware of...
> >
> > Also:
> >
> > I was wondering if I must use SSL for proper security?
> >
> > Is the best way to maintain sessions through using cookies?
> >
> > Do I have to perform some sort of check on the cookie even though I'm using SSL? If so should I maybe use a separate hash cookie?
> >
> > Is directly writing cookies to the "set-cookie" header and retrieving them by parsing the "cookie" header, okay? Or is there a security flaw I should be aware of?
> >
> > Thanks for all your help!
[google-appengine] Re: Custom Login System
First, if you are not a security expert, consider using Django's authentication framework. Online security is not easy - there are a lot of things you have to get right, and missing just one of them means you've failed.

I have a reasonable amount of experience with online security, so I built my own authentication system on top of gmemsess, a memcache-backed session object. Unfortunately my code isn't modular enough to publish, but here are a few pointers...

- SSL is always good, because it means anyone with access to your comms can't easily see what you are doing. However, it isn't crucial, as long as your customers can live with the unlikely event of someone sniffing their traffic - a good authentication scheme will prevent attackers sniffing passwords, although everything they do after logging in may be visible.

- Cookies are far more convenient than trying to pass a session ID with every request. Your cookie should contain a single random ID, which your app then uses to find the session object in memcache. That way the contents of the cookie are no use to anyone, all useful info is stored in memcache, where attackers can't get it.

- Store a hash of the password on appengine, not the password itself. This means admin cannot steal passwords, as well as allowing for safe transport of the password.

- Javascript on your login form should first hash the password, then hash the result with a salt - say the session id. The extra salted hash prevents a sniffer from simply sending the hash to login, and also guards against using rainbow tables to discover the password. Make sure you destroy the field containing the original password, so it isn't sent in clear along with the hash!

- On appengine, hash the stored password hash with the salt and compare with the sent hash - they should be the same.

- I usually disable the account if I get three wrong passwords, to prevent dictionary attacks. This requires some admin work to handle users who've been locked out, but means you don't need to implement captchas.

- Authentication is only the first step - you need to keep security at the top of your agenda throughout the whole application. For instance, if you have a url like fox.delete?id=123 that deletes a user's fox, always check that 123 actually belongs to this user. Otherwise users could delete other users' foxes by retyping the url.

gmemsess is at http://code.google.com/p/gmemsess/

Cheers!
Greg.

On Jan 24, 8:42 am, MajorProgamming wrote:
> I am currently working on an App that requires that I use a custom sign in method.
>
> I was wondering if there are any security flaws I should be aware of...
>
> Also:
>
> I was wondering if I must use SSL for proper security?
>
> Is the best way to maintain sessions through using cookies?
>
> Do I have to perform some sort of check on the cookie even though I'm using SSL? If so should I maybe use a separate hash cookie?
>
> Is directly writing cookies to the "set-cookie" header and retrieving them by parsing the "cookie" header, okay? Or is there a security flaw I should be aware of?
>
> Thanks for all your help!
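The server side of the pointers in this thread (salted hash check against the stored hash, three-strikes lockout, random session ID, ownership check on fox.delete), as an added example that is not Greg's code or part of gmemsess. SHA-256, the `LoginService` name, the in-memory dicts standing in for memcache and the datastore, and issuing a fresh session ID after login are all assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # "three wrong passwords" from the post


def h(text):
    """Hex SHA-256; the hash function is an assumption, the post names none."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def client_response(password, session_id):
    """What the login form's script would send: H(H(password) + salt)."""
    return h(h(password) + session_id)


class LoginService:
    def __init__(self):
        self.users = {}     # name -> stored hash, failure count, disabled flag
        self.sessions = {}  # random session id -> {"user": name or None}
        self.foxes = {}     # fox id -> owner name

    def add_user(self, name, password):
        # Only the hash is stored. In this scheme the stored hash is what
        # proves identity, so it needs the same protection as a password.
        self.users[name] = {"pw_hash": h(password), "failures": 0, "disabled": False}

    def new_session(self, user=None):
        sid = secrets.token_hex(16)  # the cookie carries only this random id
        self.sessions[sid] = {"user": user}
        return sid

    def login(self, sid, name, response):
        """Return a fresh logged-in session id, or None on failure."""
        user = self.users.get(name)
        if sid not in self.sessions or user is None or user["disabled"]:
            return None
        expected = h(user["pw_hash"] + sid)  # salt = session id, as in the post
        if not hmac.compare_digest(expected.encode("ascii"), response.encode("utf-8")):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["disabled"] = True      # needs an admin to re-enable
            return None
        user["failures"] = 0
        del self.sessions[sid]               # retire the pre-login id (added here)
        return self.new_session(user=name)

    def delete_fox(self, sid, fox_id):
        """fox.delete?id=...: only the owner's session may delete."""
        session = self.sessions.get(sid)
        if session is None or session["user"] is None:
            return False
        if self.foxes.get(fox_id) != session["user"]:
            return False
        del self.foxes[fox_id]
        return True


def demo():
    svc = LoginService()
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2"), ("carol", "s3cret")):
        svc.add_user(name, pw)
    svc.foxes[123] = "alice"

    sid = svc.new_session()
    captured = client_response("correct horse", sid)  # what a sniffer would see
    alice_sid = svc.login(sid, "alice", captured)

    # The captured response is bound to that one session id (the salt).
    replay = svc.login(svc.new_session(), "alice", captured)

    s = svc.new_session()
    bob_sid = svc.login(s, "bob", client_response("hunter2", s))
    bob_delete = svc.delete_fox(bob_sid, 123)
    alice_delete = svc.delete_fox(alice_sid, 123)

    s = svc.new_session()
    for _ in range(MAX_FAILURES):
        svc.login(s, "carol", client_response("wrong guess", s))
    locked = svc.login(s, "carol", client_response("s3cret", s)) is None

    return {"alice_logged_in": alice_sid is not None, "replay_rejected": replay is None,
            "bob_delete_denied": bob_delete is False, "alice_delete_ok": alice_delete is True,
            "locked_out": locked}


if __name__ == "__main__":
    print(demo())
```

The session ID returned by `login` is a bearer credential: `delete_fox` accepts whoever presents it, so the cookie itself still has to be protected in transit.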
[google-appengine] Re: hiding private key
Hugo,

I think I can save my secret key in a static file that is not "add"ed to the svn and I was told by David that everything (source, etc) is secret that is committed to the appspot. So as long as the static file is not "add"ed to the svn, it's secure, isn't it?

Thanks,

On Jan 23, 2:03 pm, Hugo wrote:
> Based on David's suggestion: you can upload a file that is not included in your svn repository. Conceptually, it's like having a file that you never "svn add" in your checked out source tree. (But that's a little unsafe, if you assume checkouts are deletable, hence the idea of keeping it in a safer place and making sure it gets included through a script wrapping your upload command.)
>
> Hugo
[google-appengine] Re: django + GAE + app-engine-patch + i18n (+ Mac)
Well as I said I installed the gettext package from Fink (archive of Mac GNU packages, etc.). It didn't come with xgettext, and there's no xgettext on my system other than "xgettext.pl" in the Apple developer folders. When I symlinked that as "xgettext", I got a bunch of errors running makemessages anyway, so I'm not thinking it's the same.

Is "xgettext" supposed to be part of gettext? Maybe somebody packaged it wrong...

On Jan 23, 9:40 am, tcs 241 wrote:
> Hello,
>
> I had the same error on WinXP. That is because 'GNU Gettext' is not installed or not added in system's Path. I am guessing it will be similar case on Apple.
>
> Before using Django, try to run xgettext under Shell.
>
> Chef
>
> Free U.S. Immigration Guide http://visachoice.appspot.com
>
> On Jan 22, 3:49 am, boson wrote:
> > Anybody have luck with this combo: django + GAE + app-engine-patch + i18n ?
> >
> > I'm on Mac OS X 10.5. First I had to get the gettext package from Fink.
> >
> > But now still when I run "manage.py makemessages -l en", I get:
> >
> > Error: errors happened while running xgettext on __init__.py
> > /bin/sh: xgettext: command not found
> >
> > Where would I get xgettext (what is it even), and how can I get i18n working?
> >
> > Thank you.
[google-appengine] Secure Feeds (RSS, ATOM)
Does anyone know of how to deal with secure feeds: For example, suppose I have a feed that should only give information to a user when s/he's logged in. What's the best (and most secure) way to implement this?

Thanks,
[google-appengine] Custom Login System
I am currently working on an App that requires that I use a custom sign in method.

I was wondering if there are any security flaws I should be aware of...

Also:

I was wondering if I must use SSL for proper security?

Is the best way to maintain sessions through using cookies?

Do I have to perform some sort of check on the cookie even though I'm using SSL? If so should I maybe use a separate hash cookie?

Is directly writing cookies to the "set-cookie" header and retrieving them by parsing the "cookie" header, okay? Or is there a security flaw I should be aware of?

Thanks for all your help!
[google-appengine] Re: Static File Questions
I don't mean when the user uploads files. I mean when I do (i.e. through appcfg.py). Does it hurt performance if GAE has like 700 static files from me...?

On Jan 9, 4:34 pm, niklasr wrote:
> example: upload a 2 MB file through a html form, split it serverside into 2 or 3 parts, then store the parts as blobs of max 1 MB each. It's inconvenient yet a method to serve large files with no difference towards the client.
>
> On Jan 9, 8:36 pm, MajorProgamming wrote:
> > I'm not sure I understand you. Which question # were you trying to answer?
> >
> > On Jan 9, 3:26 am, niklasr wrote:
> > > Reversibly breaking and remaking larger than 1MB files persistently storing max 1 MB chunks, gae http get and post support the larger. The gae http transport as it is handles larger files. The 1MB limit only limits the entities, not the transport.
> > >
> > > On Jan 8, 11:59 pm, MajorProgamming wrote:
> > > > Just a few questions on static files:
> > > >
> > > > 1. Does serving a static file cost CPU usage?
> > > >
> > > > 2. Does having a large number of static files (let's say like 700) have _any_ effect on performance of page serving [similarly, does having a lot of mappings affect performance]?
> > > >
> > > > 3. When a python script reads a file off the app's filesystem (like a template html file), is that any faster than a get_by_key on the datastore? [i.e. filesystem vs. bigtable performance]?
> > > >
> > > > 4. Will the paid version of Google App Engine allow over 1000 files and/or larger than 1MB files (or entities)?
> > > >
> > > > Thanks,
[google-appengine] Re: hiding private key
Based on David's suggestion: you can upload a file that is not included in your svn repository. Conceptually, it's like having a file that you never "svn add" in your checked out source tree. (But that's a little unsafe, if you assume checkouts are deletable, hence the idea of keeping it in a safer place and making sure it gets included through a script wrapping your upload command.)

Another option would be to store your secret key in the datastore. That is the option I'm going for for my app. (Not secret keys necessarily, but configuration details that don't belong in public open-sourced svn.)

Hugo
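A check that a script wrapping the upload command could run first, given the point made earlier in this thread that anything covered by a static_files or static_dir directive in app.yaml is served to any web user. This is an added example, not code from the thread: the sample app.yaml, the file paths and the function names are constructed, the line scanner is a simplification of real YAML parsing, and treating `upload` as a full-path match is an assumption.

```python
import re

# Constructed app.yaml for illustration (application name and paths are made up).
SAMPLE_APP_YAML = r"""
application: example-app
version: 1
runtime: python
api_version: 1

handlers:
- url: /static
  static_dir: static
- url: /(.*\.txt)
  static_files: files/\1
  upload: files/.*\.txt
- url: /.*
  script: main.py
"""


def static_handlers(app_yaml_text):
    """Return the handler entries that declare static_dir or static_files.

    Simplified line scanner for a flat `handlers:` list; a real deploy
    script would use a YAML parser.
    """
    handlers, current, in_handlers = [], None, False
    for raw in app_yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and not line.startswith("- "):
            # A top-level key starts or ends the handlers section.
            in_handlers = line.startswith("handlers:")
            current = None
            continue
        if not in_handlers:
            continue
        if line.startswith("- "):
            current = {}
            handlers.append(current)
            line = line[2:].strip()
        if current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip().strip("'\"")
    return [h for h in handlers if "static_dir" in h or "static_files" in h]


def exposing_handler(path, handlers):
    """Return the static handler that would publish `path`, or None."""
    for handler in handlers:
        static_dir = handler.get("static_dir")
        if static_dir is not None:
            if path.startswith(static_dir.rstrip("/") + "/"):
                return handler
        upload = handler.get("upload")
        # Assumption: the upload pattern must match the whole file path.
        if "static_files" in handler and upload and re.fullmatch(upload, path):
            return handler
    return None


def check_secret_paths(app_yaml_text, secret_paths):
    """Map each secret file path to the handler exposing it (None when safe)."""
    handlers = static_handlers(app_yaml_text)
    return {path: exposing_handler(path, handlers) for path in secret_paths}


if __name__ == "__main__":
    paths = ["static/secret.key", "files/key.txt", "private/secret.key"]
    for path, handler in check_secret_paths(SAMPLE_APP_YAML, paths).items():
        print(path, "->", "EXPOSED by %r" % handler if handler else "not served statically")
```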
[google-appengine] Re: Google's Source Control Vision
On Jan 23, 1:33 am, GenghisOne wrote:
> Does the current version of Google's App Engine vision address distributed software development and source control?
>
> Or put more practically, how can a couple of distributed software developers collaborate on a Google App? For instance, how can I pull down the latest source and update it?

You just store the code in any of the many online source control systems: code.google.com, sourceforge etc.
[google-appengine] Re: Google's Source Control Vision
AppEngine is for deployment. For development you can use what you like, e.g. GoogleCode, Github or whatever else best fit your needs.

Roberto

On Jan 22, 10:33 pm, GenghisOne wrote:
> Does the current version of Google's App Engine vision address distributed software development and source control?
>
> Or put more practically, how can a couple of distributed software developers collaborate on a Google App? For instance, how can I pull down the latest source and update it?
>
> Thx.
[google-appengine] Re: App Engine Console 1.0beta3 released
Just downloaded it, and it plugged easily into my project. Looks great so far. Thanks!

johnP

On Jan 23, 12:28 am, Jason Smith wrote:
> Hi, Group.
>
> I am pleased to announce the release of App Engine Console version 1.0beta3. Please see http://con.appspot.com/ for demos, documentation, and downloads.
>
> App Engine Console is an interactive Python session running in the server, which you use from a web browser. Designed to be embedded within App Engine projects, the console assists developers with testing and debugging their code and data in both development and production settings.
>
> New changes to App Engine Console:
>
> * Support the SDK version 1.1.8
> * Full support for Firefox, Chrome, Safari, and Internet Explorer browsers
> * Several bug fixes and unit tests
>
> Thanks very much to everybody who has emailed me with bug reports, comments, and other feedback. Future plans for App Engine Console include persistent sessions, simultaneous sessions (i.e. “copiloting”), and autocompletion; and I am eager to hear ideas from other App Engine developers.
[google-appengine] Re: Value for db.GeoPtProperty()
Hi,

You should be able to do this like:

    objB.bcoordinates = db.GeoPt(100.1, 41.1)

-Marzia

On Fri, Jan 23, 2009 at 12:26 PM, arnie wrote:
> Hi
> In my data model class Business, I have one field named "bcoordinates" that is of type db.GeoPtProperty. When I go to add an entry in Business class through its object say objB like this
>
>     objB.bcoordinates(100.1,41.1)
>
> it does not work. it seems to me that this is wrong but i am not able to point out how to do it?
> Any idea?
> Thanks
> Arnie
[google-appengine] Re: django + GAE + app-engine-patch + i18n (+ Mac)
Hello,

I had the same error on WinXP. That is because 'GNU Gettext' is not installed or not added to the system's Path. I am guessing it will be a similar case on Apple. Before using Django, try to run xgettext under Shell.

Chef

Free U.S. Immigration Guide http://visachoice.appspot.com

On Jan 22, 3:49 am, boson wrote:
> Anybody have luck with this combo: django + GAE + app-engine-patch +
> i18n ?
>
> I'm on Mac OS X 10.5. First I had to get the gettext package from
> Fink.
>
> But now still when I run "manage.py makemessages -l en", I get:
>
> Error: errors happened while running xgettext on __init__.py
> /bin/sh: xgettext: command not found
>
> Where would I get xgettext (what is it even), and how can I get i18n
> working?
>
> Thank you.
[google-appengine] App Engine flaky?
Hello!

I uploaded the first version of my app yesterday, and at once I had problems with db errors: the same request (add A, update a counter in B) raised an error three times in a row: A was added, but B was not updated for some reason until the fourth try. And on the fourth try everything went smoothly and I ended up with four new A objects and only one "trace" of the operation in the counter in B. I'm 100% sure that the requests were the same, and I have never seen this error on the local machine.

I can't replicate the issue today, but now my gmail account is unusually buggy.

So my question: was it a one-off issue with App Engine/new upload, and I should expect it to work smoothly 99.9% of the time, or should I redesign my app in expectation of frequent server-side errors? If it is the second, how do I wrap the operation cited above (add object A, update a counter in object B) in a transaction? Transactions are a bit weak in App Engine...

Thanks for your help!
[google-appengine] Re: Python 3 and google_appengine error
Hi,

Google App Engine does not work with Python 3. You will need Python 2.5 for Google App Engine.

-Marzia

On Fri, Jan 23, 2009 at 9:10 AM, jassy wrote:
> hi
> Please help
>
> i have installed Python 3 and google_appengine. and trying to run the
> first sample of hello world gives me the following error can any one
> help me with it .
>
> F:\Program Files\Google\google_appengine>dev_appserver.py helloworld
> Traceback (most recent call last):
>   File "F:\Program Files\Google\google_appengine\dev_appserver.py", line 60, in <module>
>     run_file(__file__, globals())
>   File "F:\Program Files\Google\google_appengine\dev_appserver.py", line 57, in run_file
>     execfile(script_path, globals_)
> NameError: global name 'execfile' is not defined
>
> thanks
> jasmeet singh
[google-appengine] Re: Marzia Please Help with Account ID Problems!
Hi,

Please send me the apps and email address involved.

-Marzia

On Thu, Jan 22, 2009 at 11:49 PM, Devel63 wrote:
> Hi Marzia,
>
> I cannot successfully invite developers to an app using Google Apps
> authentication: when the invited developer clicks on the Apps
> confirmation link, they get an error page.
>
> If instead of inviting a developer from the Apps domain to which I
> restricted the app, I invite a developer from a different Apps domain,
> it works!
>
> It's possible I unwittingly screwed up this whole account. One app
> accepts Google IDs, and the other accepts Google App IDs. But I just
> realized that although the entire account is "owned" by a standard
> Google ID, I've been using as a developer login an account that exists
> both as a Google ID and as a Google Apps ID.
>
> I sure could use some help straightening this out! If we could take
> this offline, I can give you the account IDs and email addresses
> involved.
>
> Thanks,
> Dan
[google-appengine] App Engine Console 1.0beta3 released
Hi, Group.

I am pleased to announce the release of App Engine Console version 1.0beta3. Please see http://con.appspot.com/ for demos, documentation, and downloads.

App Engine Console is an interactive Python session running in the server, which you use from a web browser. Designed to be embedded within App Engine projects, the console assists developers with testing and debugging their code and data in both development and production settings.

New changes to App Engine Console:

* Support the SDK version 1.1.8
* Full support for Firefox, Chrome, Safari, and Internet Explorer browsers
* Several bug fixes and unit tests

Thanks very much to everybody who has emailed me with bug reports, comments, and other feedback. Future plans for App Engine Console include persistent sessions, simultaneous sessions (i.e. “copiloting”), and autocompletion; and I am eager to hear ideas from other App Engine developers.
[google-appengine] Python 3 and google_appengine error
hi
Please help

i have installed Python 3 and google_appengine. and trying to run the first sample of hello world gives me the following error can any one help me with it .

F:\Program Files\Google\google_appengine>dev_appserver.py helloworld
Traceback (most recent call last):
  File "F:\Program Files\Google\google_appengine\dev_appserver.py", line 60, in <module>
    run_file(__file__, globals())
  File "F:\Program Files\Google\google_appengine\dev_appserver.py", line 57, in run_file
    execfile(script_path, globals_)
NameError: global name 'execfile' is not defined

thanks
jasmeet singh
[google-appengine] NonAuthSubToken when trying to access google contacts API
I have a problem authorizing my application and user to read my own Google contacts. I am using the gdata.py-1.2.4 library and did everything as outlined in the documentation. Here is a brief description of what I did:

I was trying to adapt code from the article "Using the YouTube Data API with App Engine and the Python client library".

1. Scope of the auth request: 'http://www.google.com/m8/feeds/'
2. I was correctly redirected to the Google auth page and entered my username, then granted permission to use
3. I received a redirect request with the token parameter
4. I tried to upgrade the token to a session token, and received an error in the UpgradeToSessionToken method.

    self.client.auth_token = self.token
    #self.client.SetAuthSubToken(self.token)
    self.client.UpgradeToSessionToken()

I do have an entry of my username after

    self.current_user = users.GetCurrentUser()

Error message is:

Traceback (most recent call last):
  File "/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine/google/appengine/ext/webapp/__init__.py", line 498, in __call__
    handler.get(*groups)
  File "/Users/edvorkin/Documents/workspace/contactManager2/src/contact.py", line 62, in get
    self.UpgradeAndStoreToken()
  File "/Users/edvorkin/Documents/workspace/contactManager2/src/contact.py", line 125, in UpgradeAndStoreToken
    self.client.UpgradeToSessionToken()
  File "/Users/edvorkin/Documents/workspace/contactManager2/src/gdata/service.py", line 860, in UpgradeToSessionToken
    raise NonAuthSubToken
NonAuthSubToken

Please help

My source code:

class AuthSub(webapp.RequestHandler):
    def __init__(self):
        self.current_user = None
        self.client = None
        self.token = None
        self.feed_url = 'http://www.google.com/m8/feeds/contacts/edvorkin%40gmail.com/full'
        self.youtube_scope = 'http://www.google.com/m8/feeds/'
        self.developer_key = None
        self.client = gdata.contacts.service.ContactsService()

    def get(self):
        self.my_app_domain = 'http://' + self.request._environ['HTTP_HOST']
        self.response.out.write(""" hello_authsub: AuthSub demo """)
        self.current_user = users.GetCurrentUser()
        self.response.out.write('')
        # Split URL parameters if found
        for param in self.request.query.split('&'):
            if param.startswith('token'):
                self.token = param.split('=')[1]
            elif param.startswith('feed_url'):
                self.feed_url = urllib.unquote_plus(param.split('=')[1])
        if self.current_user:
            self.response.out.write('Sign Out' % (
                users.CreateLogoutURL(self.request.uri)))
            if self.LookupToken():
                self.response.out.write('')
                self.FetchFeed()
                self.response.out.write('')
            else:
                # Check if a one-time use token was passed in the URL parameters
                if self.token:
                    self.UpgradeAndStoreToken()
                    self.redirect('/')
                else:
                    self.response.out.write(' '
                                            'Request a token')
                    self.response.out.write('Contact API' % (
                        self.client.GenerateAuthSubURL(
                            self.my_app_domain, self.youtube_scope,
                            secure=False, session=True)))
        else:
            self.response.out.write('Sign In' % (
                users.CreateLoginURL(self.request.uri)))

    def UpgradeAndStoreToken(self):
        self.client.auth_token = self.token
        #self.client.SetAuthSubToken(self.token)
        self.client.UpgradeToSessionToken()
        if self.current_user:
            new_token = StoredToken(user_email=self.current_user.email(),
                                    session_token=self.client.GetAuthSubToken())
            new_token.put()

    def LookupToken(self):
        if self.current_user:
            stored_tokens = StoredToken.gql('WHERE user_email = :1',
                                            self.current_user.email())
            for token in stored_tokens:
                self.client.auth_token = token.session_token
                return True

def main():
    application = webapp.WSGIApplication([('/.*', AuthSub),], debug=True)
    wsgiref.handlers.CGIHandler().run(application)

if __name__ == '__main__':
    main()
[google-appengine] Flash ExternalInterface and GAE
I've been struggling with this for the past couple hours now and I really don't know what could be wrong. I'm simply trying to get Javascript to communicate text with Flash. I found this great example with this source
http://blog.circlecube.com/wp-content/uploads/2008/02/ActionscriptJavascriptCommunication.zip

I ran the html file locally and it works just fine sending and retrieving text from flash. Then I load that same exact sample into my dev google app server and I can't send the text from javascript to flash. Oddly enough though flash is able to send Javascript text.

Can anybody see if they can get this running with GAE?

Thanks a million!
[google-appengine] Google's Source Control Vision
Does the current version of Google's App Engine vision address distributed software development and source control?

Or put more practically, how can a couple of distributed software developers collaborate on a Google App? For instance, how can I pull down the latest source and update it?

Thx.
[google-appengine] How to append to BlobProperty
Hi all,

I'd like to append a byte string to a db.BlobProperty, but can't figure out how. For example,

class Storage(db.Model):
    blob = db.BlobProperty()

    def append(s, ext):
        s.blob += ext  # want something like this

I've tried to construct a db.Blob, like this:

    tmp = db.Blob(s.blob)

but failed because db.Blob's constructor only takes a str object.

Any ideas? Thanks in advance.

Will
[google-appengine] Re: Is there some sort of cookie issued by google apps can take advantage of for sessions?
I've added this as issue 1010 - http://code.google.com/p/googleappengine/issues/detail?id=1010

On Jan 22, 9:15 pm, "bowman.jos...@gmail.com" wrote:
> There's been some ongoing discussion about the approach I and others
> have been taking to session management in our appengine applications.
> I always rank security over performance, but with how heavy datastore
> writes are, this can be problematic and eventually expensive for
> applications.
>
> I've been thinking though, since users can log in with their Google
> accounts using the User API google offers, I was wondering if there
> was a layer to this that could be tied into for all applications,
> whether they choose to implement the full stack for user management?
>
> Since we can host our own domains, I'm assuming that Google has
> figured out a way to tie their own cookies into being readable through
> the stack somehow? While I respect the fact you may not want to go
> into detail how the full process works, I was wondering if the User
> API could be expanded to allow applications to whatever identifier
> you're using client side to uniquely identify browser sessions? This
> would then allow the various developers working on their own session
> implementations to build off of that to maintain session state, and
> gain the security of a real revolving session token that doesn't
> require a put.
>
> A full API for session data management doesn't need to be provided,
> though it would be nice. Just access to a token that I'm assuming
> somehow exists.
[google-appengine] Re: Chinese characters in a web page cause an error, don't know the reason
Well, my app has Chinese characters too, but it works well.
Try specifying the encoding in the py file, and good luck.

On Jan 22, 2009, at 5:53 PM, 网页中有汉字,就会产生错误,不知是啥原因 wrote:
> this code right in local development environment, but error on update
> to server.
>
> import wsgiref.handlers
> from google.appengine.ext import webapp
>
> class MainPage(webapp.RequestHandler):
>   def get(self):
>     self.response.headers['Content-Type'] = 'text/html; charset=utf-8'
>     self.response.out.write('Hello, have no thing,有了汉字就不灵了?')
>
> def main():
>   application = webapp.WSGIApplication(
>       [('/', MainPage)],
>       debug=True)
>   wsgiref.handlers.CGIHandler().run(application)
>
> if __name__ == "__main__":
>   main()
>
> Error: Server Error
>
> The server encountered an error and could not complete your request.
> If the problem persists, please report your problem and mention this
> error message and the query that caused it.
[google-appengine] Value for db.GeoPtProperty()
Hi
In my data model class Business, I have one field named "bcoordinates" that is of type db.GeoPtProperty. When I go to add an entry in Business class through its object say objB like this

    objB.bcoordinates(100.1,41.1)

it does not work. it seems to me that this is wrong but i am not able to point out how to do it?
Any idea?
Thanks
Arnie
[google-appengine] Re: Cant start my helloworld sample
Thanks Joel. Now it works. Thank you again

On Jan 22, 1:56 am, Joel Odom wrote:
> Read the error message closely. You misspelled python.
>
> On Wed, Jan 21, 2009 at 11:44 AM, ahYeop wrote:
> > Hi all,
> >
> > I follow the Hello World guide but still have problem to start Apps
> > Engine. Here is the error:
> >
> > C:\Program Files\Google\google_appengine>dev_appserver.py helloworld/
> > ERROR 2009-01-21 16:40:27,203 dev_appserver_main.py] Fatal error
> > when loading
> > application configuration:
> > Unable to assign value 'pyhton' to attribute 'runtime':
> > Value 'pyhton' not in {'python': 'python'}.
> > in "helloworld/app.yaml", line 3, column 10
> >
> > what is the problem?
>
> -- http://giscoder.blogspot.com/
[google-appengine] Re: is gaeutilities sessions the only 3rd party session manager?
Yea but R would be rotated every 15 seconds which would decrease the window in which a session is really valid by a large margin. That's why the session token needs to be tied to every account.

On Jan 23, 1:04 am, jeremy wrote:
> "What I see as a concern with your approach is what happens when the
> server wide variable R gets out of sync with someone's version that
> was crypted based off of it? The original reason the 3 valid token set
> "
>
> that's why i mention that "you can store the last 3 values of R as is
> done now for each sessions sid" - so all 3 would be tried as is done
> now with the sid list on each session entity. you could also count how
> often R has been randomized and hand this iteration index to the
> client as part of the token.
>
> i'm not sure about going primarily with memcache - isn't memcache
> designed only to be a caching layer? memcache isn't volatile in the
> sense of being either up or down. rather, it throws out stored data
> "randomly" as far as the developer is concerned as load increases.
>
> On Jan 23, 1:37 am, "bowman.jos...@gmail.com"
> wrote:
> > By the way, I really am not concerned with analysis attacks. It's
> > sniffing/spoofing attacks that are most common for session hijacking.
> > I simply sniff the network and find out what the name and value of the
> > cookie are, and what user agent you are sending. I then duplicate
> > those 2 things and if I'm behind the same NAT as you, I have your
> > session loaded up in my browser. If I'm any good at social hacking, I
> > set my page to auto refresh and then distract you by talking to you
> > until I have your full session by rotating the session tokens past the
> > point of where the one in your browser is invalid, and more than
> > likely the application will make you log back in, without logging me out.
> > This is where you may want to consider tying the session directly to
> > a user account, so a user can only be logged in once at any time, and
> > logging invalidates the current log in if it exists, ie:
> > active_session field on your user model.
> >
> > Just some late night thoughts when I really should be asleep.
> >
> > On Jan 22, 11:12 pm, jeremy wrote:
> > > Hmm, I'm not sure what "session timing" is.
> > >
> > > I have an idea to reduce writes. Instead of updating the sid of every
> > > session individually, give each session a random value between 0 and
> > > C, and have one application-wide value R randomized every
> > > session_token_ttl seconds to an integer between 0 and C, then hand the
> > > client the value of this as a token:
> > >
> > > t = (session_id+R)%C
> > >
> > > then when a client hands the server a token, you can compute
> > > session_id = (t-R)%C
> > >
> > > (you can store the last 3 values of R as is done now for each sessions
> > > sid)
> > >
> > > I'm pretty sure there's no analysis attack that would allow a client
> > > to figure out either R at any moment or their own (constant)
> > > session_id. But, i could be wrong about that :\ ... The advantage
> > > would be you're only updating a single datastore entity every
> > > session_token_ttl.
> > >
> > > On Jan 22, 9:24 pm, "bowman.jos...@gmail.com"
> > > wrote:
> > > > I've gone with a different approach that currently achieves similar
> > > > results, that's now available in the trunk. A new variable,
> > > > last_activity_update has been added. It's the amount of seconds that
> > > > needs to pass before that field needs to be updated by doing a put().
> > > > It defaults to 60 seconds, which of course is longer than the duration
> > > > before a put is required to update the session token with the default
> > > > settings.
> > > >
> > > > This will allow developers who wish to lengthen their
> > > > session_token_ttl to a larger interval to still get their
> > > > last_activity update in, useful for session timing. It too is
> > > > customizable so for developers who have no use for this field can set
> > > > it to a large enough number to be irrelevant.
> > > >
> > > > I'm trying to flush out an idea I have to limit the amount of writes
> > > > for the token even further, but am still researching it. If I figure
> > > > it out I will get it in and do another release. Otherwise I will
> > > > release what's there now. Before any release I want to go over the
> > > > refactoring you did as it does look more efficient than what I
> > > > currently have, thanks.
> > > >
> > > > On Jan 22, 6:31 pm, jeremy wrote:
> > > > > Ok. I actually modified Session.__init__ locally to do the
> > > > > last_activity on sid rotation (i also refactored it a bit to reduce
> > > > > repeated code blocks). Regarding google.com's SID cookie - i'm not
> > > > > seeing the sid update within minutes. I'm not sure why yours rotates
> > > > > so quickly, but it's something entirely configurable in your code so
> > > > > it shouldn't matter. Anyway, here's my version of Session.__init__ :
> > > > >
> > > > > def __init__(self, cookie_path=DEFAULT_COOKIE_PATH,
> > > > > cookie_name=CO
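The single rotating value R discussed in this thread, as an added example (not gaeutilities code and not code from any poster). It implements the additive token t = (session_id + R) % C with the last three R values kept and the iteration index carried in the token, shows that two tokens from one session expose the change in R, and gives an HMAC-keyed variant with the same one-write-per-rotation cost. All names here (C, KEEP, RotatingSecret, hmac_token and so on) are assumptions, and the in-memory class stands in for the single datastore entity.

```python
import hashlib
import hmac
import secrets

C = 2 ** 64   # modulus for the additive scheme (assumed size)
KEEP = 3      # how many recent R values stay valid, as in the thread


class RotatingSecret:
    """One application-wide value R, re-randomized every session_token_ttl.

    In-memory stand-in for the single datastore entity from the thread.
    """

    def __init__(self):
        self.iteration = 0
        self.values = {0: secrets.token_bytes(32)}

    def rotate(self):
        self.iteration += 1
        self.values[self.iteration] = secrets.token_bytes(32)
        # Forget everything older than the last KEEP values.
        self.values.pop(self.iteration - KEEP, None)

    def current(self):
        return self.iteration, self.values[self.iteration]

    def get(self, iteration):
        return self.values.get(iteration)


def r_as_int(r_bytes):
    return int.from_bytes(r_bytes, "big") % C


# --- Additive scheme from the thread: t = (session_id + R) % C ---

def additive_token(secret, session_id):
    iteration, r = secret.current()
    return iteration, (session_id + r_as_int(r)) % C


def additive_session_id(secret, token):
    iteration, t = token
    r = secret.get(iteration)
    if r is None:
        return None  # token is older than the last KEEP rotations
    return (t - r_as_int(r)) % C


def r_delta_seen_by_client(old_token, new_token):
    """What a session holder learns from two of its own tokens:
    (t_new - t_old) % C equals (R_new - R_old) % C for every session,
    so the rotation adds no unpredictability between sessions."""
    return (new_token[1] - old_token[1]) % C


# --- HMAC variant: token = iteration.session_id.HMAC(R, iteration.session_id) ---
# session_id is assumed to be a string without "." (for example hex).

def hmac_token(secret, session_id):
    iteration, r = secret.current()
    msg = ("%d.%s" % (iteration, session_id)).encode()
    tag = hmac.new(r, msg, hashlib.sha256).hexdigest()
    return "%d.%s.%s" % (iteration, session_id, tag)


def hmac_verify(secret, token):
    """Return the session_id if the tag verifies under a still-valid R."""
    try:
        iteration_s, session_id, tag = token.split(".")
        iteration = int(iteration_s)
    except ValueError:
        return None  # malformed token
    r = secret.get(iteration)
    if r is None:
        return None  # R for that iteration has been dropped
    msg = ("%d.%s" % (iteration, session_id)).encode()
    expected = hmac.new(r, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd input cannot raise.
    if hmac.compare_digest(expected.encode(), tag.encode()):
        return session_id
    return None
```

Either form still travels in a cookie, so the sniffing scenario described in the thread is addressed by transport protection and by tying the session to the account, not by the token construction.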
[google-appengine] Re: Can I See Google Product Ideas Code?
yeah, i realized that shortly after posting the question... now I wish I could see the moderator code, seems like one hell of a powerful tool

thanks anyway though barry

On Jan 20, 2:51 pm, "Barry Hunter" wrote:
> 'Productideas' seems to be just an adaptation of Google Moderator
>
> http://moderator.appspot.com/
>
> And AFAIK appspot.com is App Engine, so everything that's a subdomain
> of appspot is almost certainly App Engine based.
>
> See: http://googleappengine.blogspot.com/2008/09/introducing-google-modera...
> as it's based on an internal tool, I don't think the code is available.
>
> the good(ish) news is you can use Google Moderator for yourself.
>
> 2009/1/19 sweed :
> > Hi everyone
> >
> > I've recently started experimenting with App Engine and love it so
> > far.
> >
> > My question is two-fold, first, is GoogleProductIdeas
> > (productideas.appspot.com) written using App Engine?
> >
> > Second, is there any way that I can view the code behind this App?
> >
> > I want to create something similar and would love to be able to learn
> > from the devs themselves.
>
> --
> Barry
>
> - www.nearby.org.uk - www.geograph.org.uk -
[google-appengine] Re: Django, including a file
Has anyone got include working? I've been searching everywhere but can't find any simple examples of AppEngine including templates!

On Jan 22, 4:58 pm, Larry wrote:
> Thanks, but I really just want to use includes.
>
> On Jan 22, 4:52 pm, djidjadji wrote:
> > Have you looked at template-inheritance.
> > I use it and it works great. It's more flexible than {% include %}
> >
> > http://docs.djangoproject.com/en/dev/topics/templates/#template-inher..
> >
> > Make sure title.html is not a static file.
> >
> > 2009/1/22 Larry :
> > > Well I have some templates that I render and they all have a titlebar
> > > so I would like to include that snippet from another file. I put that
> > > in a file named title.html and use the code:
> > >
> > > {% include "title.html" %}
> > >
> > > wherever I want it. However, that the template is rendered without the
> > > title HTML included! I'm sure this must be easy but I'm probably
> > > missing something.
> > >
> > > What do I need to change to get this to work?
> > >
> > > Thanks,
> > > Larry
> > >
> > > PS: I have already
> > > check http://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=old...
> > > to no avail.
[google-appengine] Re: What means "Deployment" ???
Thank you very much and have a nice day

On Jan 22, 6:12 pm, Dan Sanderson wrote:
> A "deployment" is the act of uploading your app to App Engine using the
> "appcfg.py update ..." command. You are allowed to upload an app up to 250
> times every 24 hours (1 day).
> For other definitions of quotas, see the documentation:
> http://code.google.com/appengine/docs/quotas.html
>
> -- Dan
>
> On Thu, Jan 22, 2009 at 2:09 AM, Yeradis wrote:
> > Hello and good day to everybody
> >
> > Sorry for my English
> >
> > I have a question:
> >
> > What means Deployments
> >
> > It appear under "Quota Details" menu and the end of all of the page
> >
> > This number is the available possible deployment a day ?
> >
> > Thanks
> >
> > With no more
> > Bye bye
[google-appengine] Re: What means "Deployment" ???
Thank you very much and have a nice day

On Jan 22, 11:11 am, Qian Qiao wrote:
> On Thu, Jan 22, 2009 at 18:09, Yeradis wrote:
> > Hello and good day to everybody
> >
> > Sorry for my English
> >
> > I have a question:
> >
> > What means Deployments
> >
> > It appear under "Quota Details" menu and the end of all of the page
> >
> > This number is the available possible deployment a day ?
> >
> > Thanks
> >
> > With no more
> > Bye bye
>
> It's the number of times you can deploy your app to appengine's
> servers with appcfg.py each day.
>
> -- Joe
[google-appengine] Re: dev_appserver.py helloworld invalid arguments XP
C:\Programme\Google\google_appengine>dev_appserver.py C:\Programme\Google\google_appengine\helloworld
Invalid arguments

It doesn't work. What is my mistake???

On 22 Jan., 19:00, dartdog wrote:
> See: http://tombrander.wordpress.com/2008/12/28/getting-started-with-google-app-engine-hello-world/
> This below is what I used: but more description on my site above!
>
> dev_appserver.py C:\Users\DadLaptop\Documents\Helloworld
>
> On Jan 22, 1:18 am, niels wrote:
> > Hello,
> >
> > I cannot start dev_appserver.py. What is my mistake?
> >
> > location programm dev_appserver.py: C:\Programme\Google\google_appengine
> > location helloworld folder: C:\Programme\Google\google_appengine
> > in the helloworld folder are app.yaml and helloworld.py
> >
> > C:\Programme\Google\google_appengine>dev_appserver.py helloworld\
> > Invalid arguments
> >
> > or
> >
> > C:\Programme\Google\google_appengine>dev_appserver.py helloworld/
> > Invalid arguments
> >
> > or
> >
> > C:\Programme\Google\google_appengine>dev_appserver.py helloworld
> > Invalid arguments
[google-appengine] Re: Caching using global variables
That decorator is really neat! Especially the part where it ignores cache when debugging =)

Thanks for the link! And thanks for your input, I'll consider doing something like that and then we'll just see how it goes once my application starts taking visitors =)

- Andreas Blixt

On Jan 22, 9:58 pm, Mahmoud wrote:
> Maybe you can use both your approach+memcache. Look for stuff in the
> local cache first. If not found, go to memcache, if not found, then
> load from the datastore. This can be neatly hidden in a decorator.
> See: http://appengine-cookbook.appspot.com/recipe/decorator-to-getset-from...
>
> -Mahmoud
>
> On Jan 22, 11:13 am, Blixt wrote:
> > Yup, I know, that's what brings forth my questions about the
> > large-scale behavior of in-memory caching. Will the instances be recreated
> > too often for it to be more effective than memcache? Will there be too
> > many instances at a time for it to be more effective?
> >
> > I also rewrote the code to use proper programming conventions, before
> > someone tells me off for my unconventional code ;) The new code is
> > here: http://paste.blixt.org/3382
> >
> > - Andreas Blixt
> >
> > On Jan 22, 5:08 pm, Tony Arkles wrote:
> > > The big difference between in-memory caching and memcache caching is
> > > that memcache data is shared between all of your running instances,
> > > but in-memory caching is on a per-instance basis.
> > >
> > > On Jan 22, 9:52 am, Blixt wrote:
> > > > Hi there,
> > > >
> > > > I've been playing with caching using global variables
> > > > (see http://tack.appspot.com/
> > > > for my plaything) and would like some input on the following
> > > > approach: http://paste.blixt.org/3381
> > > >
> > > > You would use the above code like this:
> > > >
> > > > > def get_recent_posts():
> > > > >     if cache.recent_posts.is_current():
> > > > >         return cache.recent_posts.data
> > > > >
> > > > >     posts = []
> > > > >     # ... Populate 'posts' here ...
> > > > >     cache.recent_posts.set(posts)
> > > > >
> > > > >     return posts
> > > >
> > > > I'm sure lots of you have experimented with caching in global
> > > > variables. How often does the running instance shut down (requiring
> > > > the cache to be rebuilt)? How many instances does it create during
> > > > heavy load (each instance has separate variables of course, while
> > > > memcache shares its data across all instances.)
> > > >
> > > > I've found that using global variables instead of memcache is
> > > > considerably faster when reloading the same data a few times, but I
> > > > cannot currently test this on a larger scale, which is why I'm turning
> > > > to you guys.
> > > >
> > > > Thanks,
> > > > Andreas Blixt