I always caught a lot of flak about how complicated the Gaeutilities session is. There are still ways to speed it up, making it a decorator so all data saves really happen at the end of the request, for example. However, one of the things slowing it down is its security implementation. Basically it creates a new token every x seconds to be stored in the user's browser. Generally a token is valid for about 15 seconds if the user is constantly making new requests.
So, how does this prevent Firesheep from being a problem? Honestly, it really doesn't. If you're logged into a site, with that 15 second opening, someone could use Firesheep to sidejack that login. However, if the developer has written their application so that only 1 login is valid per user, then very quickly either the original user or the hijacker is going to find themselves not logged in.
Unless things have changed since I left App Engine development, it doesn't support https requests for hosted domains. This is why I made gaeutilities so complicated: it's a best effort to secure sessions, which none of the other libraries that choose to advertise as faster than gaeutilities provide. If Google ever figures out https hosting for hosted domains, then the real answer would be setting a secure cookie, hosting the more sensitive requests on https and dealing with the costs associated with that. Until that time though, I'm confident that Gaeutilities is your best chance for minimizing the risk of Firesheep hijacks.
Of course everything in Gaeutilities is configurable as well. That includes the amount of time a token is valid for as well as how many tokens to keep alive. So you really could decrease the amount of time that window is good for if your site architecture allows it. It really depends on how many requests you may be making at a time. Check the Session class docstring. Here's a link to it on GitHub: http://github.com/joerussbowman/gaeutilities/blob/master/appengine_utilities/sessions.py#L400
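To make the token rotation, the "keep N tokens alive" setting and the one-login-per-user rule concrete, here is a small, self-contained model of the mechanism described in the paragraphs above. This is an added illustration written for this post, not the gaeutilities code itself; the class and parameter names (`RotatingSession`, `SessionStore`, `rotate_interval`, `keep_tokens`) are assumptions chosen for the example, and time is passed in explicitly so the scenario is deterministic. The scenario function walks through the sidejack window: a copied cookie works until the next rotation, after that only one party holds a valid token, and a fresh login by the real user throws out whatever session the other party still holds.

```python
"""Toy model of rotating session tokens plus a one-session-per-user rule.

Added example, not the gaeutilities implementation. All names here are
assumptions for illustration; `now` is a plain number of seconds.
"""
import secrets
from collections import deque


class RotatingSession:
    """One logged-in session. Its cookie token is replaced every
    `rotate_interval` seconds; only the last `keep_tokens` are honoured."""

    def __init__(self, user, now, rotate_interval=15, keep_tokens=1):
        if keep_tokens < 1:
            raise ValueError("keep_tokens must be at least 1")
        self.user = user
        self.rotate_interval = rotate_interval
        self.valid_tokens = deque(maxlen=keep_tokens)  # oldest falls off
        self.last_rotation = now
        self._rotate(now)

    def _rotate(self, now):
        self.valid_tokens.append(secrets.token_urlsafe(32))
        self.last_rotation = now

    @property
    def current_token(self):
        return self.valid_tokens[-1]

    def accepts(self, token):
        return token in self.valid_tokens

    def touch(self, now):
        """Called on every request; rotate once the interval has elapsed."""
        if now - self.last_rotation >= self.rotate_interval:
            self._rotate(now)
        return self.current_token


class SessionStore:
    def __init__(self, rotate_interval=15, keep_tokens=1):
        self.rotate_interval = rotate_interval
        self.keep_tokens = keep_tokens
        self.by_user = {}   # user -> RotatingSession (exactly one per user)
        self.by_token = {}  # every still-valid token -> its RotatingSession

    def login(self, user, now):
        """A new login replaces any existing session for the same user."""
        old = self.by_user.pop(user, None)
        if old is not None:
            for tok in old.valid_tokens:
                self.by_token.pop(tok, None)
        sess = RotatingSession(user, now, self.rotate_interval, self.keep_tokens)
        self.by_user[user] = sess
        self.by_token[sess.current_token] = sess
        return sess.current_token

    def request(self, token, now):
        """Return (user, token_to_set_in_cookie), or None if not logged in."""
        sess = self.by_token.get(token)
        if sess is None or not sess.accepts(token):
            return None
        before = set(sess.valid_tokens)
        new_token = sess.touch(now)
        for stale in before - set(sess.valid_tokens):
            self.by_token.pop(stale, None)   # token aged out of the window
        self.by_token[new_token] = sess
        return sess.user, new_token


def exposure_window(rotate_interval, keep_tokens):
    """Upper bound in seconds on how long a sniffed token keeps working while
    requests keep arriving: one rotation per interval, keep_tokens honoured."""
    return rotate_interval * keep_tokens


def sidejack_scenario(rotate_interval=15, keep_tokens=1):
    """Constructed timeline: alice logs in, her cookie is copied off the wire,
    the hijacker uses it, and alice logs in again. Returns what happened."""
    store = SessionStore(rotate_interval, keep_tokens)
    sniffed = store.login("alice", now=0)          # cookie captured by sniffer
    out = {}
    # Inside the window the copied token is simply a valid session.
    out["inside_window"] = store.request(sniffed, now=rotate_interval - 1) is not None
    # The hijacker's next request crosses the interval and triggers rotation,
    # so the hijacker is handed the new token.
    r = store.request(sniffed, now=rotate_interval + 1)
    out["attacker_got_new_token"] = r is not None and r[1] != sniffed
    attacker_token = r[1] if r else sniffed
    # The real user still presents the old token and (with keep_tokens=1) is out.
    out["user_locked_out"] = store.request(sniffed, now=rotate_interval + 2) is None
    # The real user logs in again; one session per user evicts the hijacker.
    store.login("alice", now=rotate_interval + 3)
    out["attacker_after_relogin"] = store.request(attacker_token, now=rotate_interval + 4) is not None
    return out


if __name__ == "__main__":
    print(exposure_window(15, 1), sidejack_scenario())
```

Shrinking `rotate_interval` or `keep_tokens` narrows `exposure_window`, which is the knob the post is pointing at; the trade-off is that a page firing several concurrent requests can race itself across a rotation and drop its own session, which is why the post says it depends on how many requests you make at a time.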
Disclaimer: I'm not using App Engine anymore, so I am barely supporting Gaeutilities any more. However, if someone is really interested in stepping in to do more work on the project I'm more than willing to hand it over, provided credit for the original work by me is included in the future.
Disclaimer 2: This post was written while I'm pretty darn sick with the flu, in the morning, so please excuse grammatical errors and such.