views:

105

answers:

2

I'm using Google App Engine with Python. I want to add custom user authentication. How is it done, following best practices?

I want custom authentication because the app is built in Flex and I don't want to redirect to an HTML page.

The user value object is like this:

from google.appengine.ext import db

class User(db.Model):
    # indexed so a user can be looked up by email at login
    email = db.EmailProperty(required=True, indexed=True)
    # the password in masked form, not cleartext
    masked_password = db.StringProperty(required=True)
    # maybe more things here

I would like to mask the password; is there some built-in function in GAE for that?

Then, how will I remember the current user? Through sessions and cookies, or something else?

+2  A: 

Passwords:

The best way to handle the password is to store a random salt value for each user and the result of hashing the password + salt.

When the user wants to log in, compute hash(password + salt) and see if it is the same as the hash value you stored when the password was originally set. The idea is never to store the password in cleartext, and that two users with the same password won't have the same hashed value.

You can find many examples of this online and on SO.

Sessions:

There are many ways to implement sessions and using cookies is popular. I suggest you use one of the libraries already available for this purpose. See this comparison of libraries.

cope360
Thanks :D I only want to note that I saw somewhere that using sessions in GAE is not the way to go, so the question is: are there any faster and better alternatives? :)
Totty
Do you need to associate every request that is received by your GAE app with a user? If so, you either need sessions or you need to authenticate every request from Flex. Can you be more specific about sessions "not being the way to go"?
cope360
Where I saw that, they said there would be too many requests to use sessions on every page request. (In my case I need to know the current user on almost every request...)
Totty
I am using gaeutilities right now, but looking at the comparison link provided by @cope360 I think I'll check gae-sessions out. It seems to be quite fast (and the code is small, good feature!)
Emilien
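The two halves of the accepted answer (per-user salted password hashing, and remembering the user with a cookie) worked through in plain Python 3, as an added example that is not the asker's, the answerers', or any GAE library's code. Assumptions: an in-memory dict stands in for the User datastore entity; the hash is PBKDF2-HMAC-SHA256 rather than a single hash(password + salt) round, which goes beyond the answer by making each guess deliberately slow; SERVER_SECRET is a placeholder that a real app would load from configuration, never from source; and all sample users and passwords are constructed here.

```python
"""Salted password storage plus a signed session cookie (stdlib only).

Added illustration; not code from the original question or answers.
Assumptions: USERS replaces the datastore, PBKDF2 replaces plain hash(),
and SERVER_SECRET is a stand-in for a secret loaded from configuration.
"""
import base64
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000   # raise over time as hardware gets faster
SERVER_SECRET = b"replace-me-with-a-random-32-byte-secret"  # assumption: from config
SESSION_TTL = 3600            # seconds a session cookie stays valid

# Stand-in for the User entity: email -> {"salt": bytes, "hash": bytes}
USERS = {}


def _derive(password, salt):
    """Slow, salted key derivation; the salt makes equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(email, password):
    """Store a fresh random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _derive(password, salt)}


def check_password(email, password):
    """True only if the password re-derives to the stored hash (constant-time compare)."""
    record = USERS.get(email)
    if record is None:
        _derive(password, b"\x00" * 16)   # unknown email costs the same time as a wrong password
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def make_session_cookie(email, now=None):
    """Build 'payload.signature' with payload = base64(email|expiry), signed by the server."""
    expiry = int(now if now is not None else time.time()) + SESSION_TTL
    payload = base64.urlsafe_b64encode(f"{email}|{expiry}".encode("utf-8")).decode("ascii")
    sig = hmac.new(SERVER_SECRET, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def current_user(cookie, now=None):
    """Return the email from a validly signed, unexpired cookie, else None."""
    if cookie is None or "." not in cookie:
        return None
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None            # forged or tampered cookie: reject before trusting the payload
    try:
        email, expiry = base64.urlsafe_b64decode(payload).decode("utf-8").rsplit("|", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    if int(expiry) <= (now if now is not None else time.time()):
        return None            # expired
    return email


def login(email, password):
    """Return a session cookie for valid credentials, or None."""
    if not check_password(email, password):
        return None
    return make_session_cookie(email)


if __name__ == "__main__":
    # constructed sample user
    set_password("alice@example.com", "correct horse battery staple")
    cookie = login("alice@example.com", "correct horse battery staple")
    print("login ok:", cookie is not None)
    print("current user:", current_user(cookie))
    print("wrong password:", login("alice@example.com", "hunter2"))
    print("tampered cookie:", current_user(cookie[:-1] + ("0" if cookie[-1] != "0" else "1")))
```

The cookie carries only the identity and an expiry, so no per-request datastore read is needed to know who the user is, which is the cost the comments above worry about; a signature check is one HMAC. Revocation (logout everywhere, password change) still needs server-side state, which is what the session libraries in the linked comparison add on top of this.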
+1  A: 

Don't implement your own authentication.

Mark the opening page as authentication required (i.e. "login: required" in the app.yaml), and then when they hit the front opening page they'll be asked to authenticate before they even see your Flash/Flex app, or if they're already authenticated they'll go straight into your app.

This avoids your Flash -> HTML -> Flash issue and lets you leverage the in-built proper authentication (my app keeps a table of user settings and permissions in the datastore but simply uses the GAE authenticated current user identity as a key)

Tim
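An app.yaml handlers section that does what this answer describes, as an added illustration rather than Tim's or the asker's file. The paths static/index.html and main.app, and the /api/ prefix for the calls the Flex client makes, are assumed; the runtime lines of the file are omitted.

```yaml
handlers:
# The page that embeds the Flex app: App Engine redirects to Google sign-in
# before serving it, so the user never sees the app unauthenticated.
- url: /
  static_files: static/index.html
  upload: static/index.html
  login: required
  secure: always

# The back-end endpoints the Flex client calls also require login, so every
# request arrives with an identity that users.get_current_user() returns.
- url: /api/.*
  script: main.app
  login: required
  secure: always
```

"login: required" only guarantees that a request reached the handler with a signed-in identity; the datastore table of settings and permissions that Tim keys on that identity is still where per-user authorization happens, and the same "login: required" must be on the API handlers, not just the front page, or the Flex client's requests can bypass it.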