Lumpy

Reputation: 3652

App Engine session security issues

I am storing user state (logged in / user id) in sessions on App Engine. Is it possible for users who know other users' UserId to manipulate their cookies and log in as those other users?

What steps should I take to prevent this?

Upvotes: 1

Views: 273

Answers (2)

mikeslattery

Reputation: 4119

It's not possible for one user to directly access data from another user. However, there are ways for one user to steal the login session of another user. But this isn't GAE specific.

See:

  1. http://en.wikipedia.org/wiki/Session_hijacking
  2. http://en.wikipedia.org/wiki/Cross-site_request_forgery (CSRF)

Hijacking can easily occur on an open wifi hotspot. A common solution is to host your site with SSL.

CSRF happens when a user is logged into your website and has a malicious website open in the same browser. There are various ways to protect against this. A common solution is to include a random validation token in HTML forms. Also, set the HTTP response header X-Frame-Options: sameorigin and check that the request header X-Requested-With isn't equal to "XMLHttpRequest" for non-ajax hits.

XSS can be used to make these attacks more effective, so protect against it too.

For these types of attacks in general, make your user sessions expire quickly.

Upvotes: 2
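The advice in the answer above (signed/expiring sessions, a per-session CSRF token, X-Frame-Options) as an added, stand-alone Python example; it is not code from the question, the answers, or App Engine itself. SERVER_SECRET, SESSION_TTL and the cookie layout are assumptions for the demo; only the standard library is used.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_SECRET = b"constructed-example-secret"  # assumption: load from config, never hard-code
SESSION_TTL = 15 * 60                           # short lifetime, as the answer recommends

def _sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def make_session_cookie(user_id, key=SERVER_SECRET, now=None):
    """Serialize {uid, exp, csrf} and append an HMAC so the client cannot edit the uid."""
    now = time.time() if now is None else now
    payload = {"uid": user_id, "exp": int(now + SESSION_TTL), "csrf": secrets.token_hex(16)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return f"{body}.{_sign(body, key)}"

def read_session_cookie(cookie, key=SERVER_SECRET, now=None):
    """Return the session payload if the signature is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body, key)):
        return None  # tampered (e.g. uid rewritten) or forged without the key
    payload = json.loads(base64.urlsafe_b64decode(body))
    return None if payload["exp"] <= now else payload

def csrf_ok(session, form):
    """Synchronizer-token check: the form token must match the one stored in the session."""
    return session is not None and hmac.compare_digest(form.get("csrf_token", ""), session["csrf"])

def tampered_cookie_rejected(cookie, new_uid=7, now=None):
    """Defensive self-check: rewrite the uid but keep the old signature; must be rejected."""
    body, sig = cookie.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body))
    payload["uid"] = new_uid
    forged = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return read_session_cookie(f"{forged}.{sig}", now=now) is None

SECURITY_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}   # anti-framing header from the answer
COOKIE_FLAGS = "Secure; HttpOnly; SameSite=Lax"        # HTTPS-only, no script access

if __name__ == "__main__":
    c = make_session_cookie(42)
    print(read_session_cookie(c)["uid"], tampered_cookie_rejected(c))
```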

voscausa

Reputation: 11706

I am not a security expert, but this is what I have learned:

  • use HTTPS
  • do not use frames
  • use a new CSRF token in your forms for every request
  • and save your state in the datastore instead of using a session cookie store.

Upvotes: 1
