Issue 32 in gaeutilities: Secure Cookie Backend


codesite...@google.com
Sep 14, 2009, 9:04:01 PM
to appengine...@googlegroups.com
Updates:
Status: WontFix

Comment #1 on issue 32 by bowman.joseph: Secure Cookie Backend
http://code.google.com/p/gaeutilities/issues/detail?id=32

No way to accomplish this; you need something server side to compare the tokens against to make sure that the session isn't hijacked and run in parallel. While hijack is possible with the current implementation, either the hijacker or victim will find that their session ends as the tokens diverge. This is a good reason to keep the session token TTL as short as possible (default is 5 seconds). Instead of fixing this, I'm going to go back to the ROTModel approach I had previously, except it will focus on read instead of write.

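The rotating-token behaviour the comment describes, as an added illustration that is not gaeutilities' code: a server-side store rotates the session token once it is older than the TTL, so when two holders of the same cookie keep using it, whichever one presents the stale token is rejected after the first rotation. The store layout, the clock injection and `simulate_shared_cookie` are assumptions for the demonstration; the 5-second TTL is the default the comment mentions.

```python
import secrets
import time

TOKEN_TTL = 5.0  # seconds between token rotations (the comment's default)


class SessionStore:
    """Server-side session store: session id -> (current token, issue time).

    Assumed design for this example, not gaeutilities' own: the token is
    rotated once it is older than TOKEN_TTL, and only the holder whose
    request triggered the rotation learns the new value. Any later request
    presenting the previous token is rejected.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the simulation is deterministic

    def create(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self._sessions[sid] = (token, self._clock())
        return sid, token

    def validate(self, sid, token):
        """Return the token to present on the next request, or None if rejected."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        current, issued = entry
        if not secrets.compare_digest(current, token):
            return None  # stale or forged token: this holder's session ends here
        if self._clock() - issued >= TOKEN_TTL:
            current = secrets.token_hex(16)  # rotate; the old token is now invalid
            self._sessions[sid] = (current, self._clock())
        return current


def simulate_shared_cookie(ttl_elapsed=True):
    """Two holders of one copied cookie (constructed scenario).

    Returns (first_holder_still_ok, second_holder_ok). Within the TTL both
    requests succeed, which is the window the short TTL is meant to limit;
    once the TTL has elapsed the first request rotates the token and the
    second holder's stale token is rejected.
    """
    now = [1000.0]
    store = SessionStore(clock=lambda: now[0])
    sid, token = store.create()
    if ttl_elapsed:
        now[0] += TOKEN_TTL  # the next request will rotate the token
    first = store.validate(sid, token)   # rotates when the TTL has elapsed
    second = store.validate(sid, token)  # presents the original token again
    first_next = store.validate(sid, first) if first else None
    return first_next is not None, second is not None
```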
