tags:

views:

45

answers:

1
Q: 

Sending a password securely using gwt and app engine?

Hi,

I set up session handling on a google app project. This is supposed to allow my users to login and maintain state across pages. I just dumped it into the default greeting service to try it out:

public class GreetingServiceImpl extends RemoteServiceServlet implements GreetingService {
    public void sessionTest(String username) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        session.setAttribute("username", username);
    }
}

then attempting to pull it out in my landing project.jsp page:

<%
String username = null;
HttpSession mysession = request.getSession(false);
if (mysession.getAttribute("username") != null) {
    username = (String)mysession.getAttribute("username");
}
else {
    username = "(not logged in yet)";
}

<p>You are: 
<%= username %>
</p>
%>

It works, but I don't know how to send the data in sessionTest() securely. If I were sending the user's password in there too, it would be in the clear.

This would be ok (I think) if I was using https, but google app engine does not allow you to use https under custom domains (like www.mysite.com), they have to be under the (mysite.appspot.com) domain.

I'm kind of stuck here - how do we send passwords securely? If I was using php, I think I could use digest authentication (I'm not too experienced here) - can we do something like that with gwt + gae?

Thanks

A: 

Session data is stored on the server, not on the client - only an opaque token is sent to the client, to identify the client's session.

That said, you probably shouldn't store the user's password in the session - why would you want to? - or, indeed, in the clear at all.

Nick Johnson  2010-04-21 11:00:40
Hi, yes totally agreed, but at some point to 'sign up' or 'login', the users password needs to be sent to the server, at least once. Thereafter the opaque session id can be used instead of sending the password around. It's this one time send I'm wondering about protecting. I see in the roadmap that https for third party sites is on deck, so that should solve this problem.
 2010-04-21 11:55:36

related questions

.html() jQuery method bizzare bug -   resolves to empty space locally, but not on production.
cron jobs on google appengine
How do I get the key value of a db.ReferenceProperty without a database hit?
Is Google App Engine a worthy platform for a Lifestreaming app?
Sure Google Appengine scales, but is it also fast?
Feedback on using Google App Engine?
Delete all data for a kind in Google App Engine
How can I unit test responses from the webapp WSGI application in Google App Engine?
How to think in data stores instead of databases?
How do you access an authenticated Google App Engine service from a (non-web) python client?
Google App Engine: how can I programmatically access the properties of my Model class?
Upload files in Google App Engine
How do you design data models for Bigtable/Datastore (GAE) ?
Anyone out there using web2py?
Which python framework is best for web development in google app engine?
How can I access App Engine through a Corporate proxy?
What's a good way to find relative paths in Google App Engine?
Any good AJAX framework for Google App Engine apps?
Python: No module named core.exceptions
Project structure for Google App Engine
Google App Engine: Is it possible to do a Gql LIKE query?
How to get the correct Content-Length for a POST request.
Deleting an Google App Engine application
Django Templates and variable attributes.
Graphing JavaScript Library