Google AppEngine：自定义身份验证

我可以使用 Google 帐户在 AppEngine 中验证我的用户的方式简直太棒了。

但是，我需要使用我的自定义认证登录系统.

我将有一个 AppUsers 表，其中包含用户名和加密密码。

我在 gae 上读到了一些有关会话的内容，但我需要帮助来启动我的应用程序安全性。

如何跟踪经过身份验证的用户会话？设置cookie？

初学者。

你可以使用 cookie 来做到这一点......这真的不那么难。您可以使用 cookie 来跟踪用户的身份验证并将会话密钥存储在 gae 数据存储中。

有一个例子（它只是展示了基本思想，我不保证代码可以直接使用）

基本用户表：

# simply add an property to store the session key
class User(db.Model):    
    username = db.StringProperty()
    password = db.StringProperty()
    session = db.StringProperty()

登录功能

# Do the following step:
# 1. make sure user provide correct username and password
# 2. generate a random session key 
# 3. store the session key to datastore
# 4. set the session key and user name in cookie
class LoginAPI( Webapp.RequestHandler ):   
    def get(self):
        username = self.getVar( 'username', username )
        password = self.getVar( 'password', password )

        user = User.all().filter("username = ", username).get()
        password = encrypted_the_password(password) # encrypted your password with your own method!

        if user.password == password:
             # User login successfually
             session = generate_random_session_key() # generate your session key here
             user.session = session
             user.put()

             expires_time = decide_your_expires_time() # decide how long the login session is alive.
             cookie_time_format = "%a, %d-%b-%Y %H:%M:%S GMT"
             expires_datetime = datetime.datetime.fromtimestamp(expires_time)

             # set cookie as session
             self.response.headers.add_header( "Set-Cookie", "user=%s; expires=%s; path=/" % ( user.username,expires_datetime.strftime( cookie_time_format ) ) )
             self.response.headers.add_header( "Set-Cookie", "session=%s; expires=%s; path=/" % ( user.session, expires_datetime.strftime( cookie_time_format ) ) )
        else:
             #User login failed
             pass

注销功能

# Remove the previous cookie info 
class LoginAPI( Webapp.RequestHandler ):
        def get(self):
            # remove the cookie
            self.response.headers.add_header( "Set-Cookie", "user=%s; expires=%s; path=/" % ( "",expires_datetime.strftime( cookie_time_format ) ) )
            self.response.headers.add_header( "Set-Cookie", "session=%s; expires=%s; path=/" % ( "", expires_datetime.strftime( cookie_time_format ) ) )

当您需要用户登录时

# Get the session info from cookie. If the session info match the info stored in datastore
# Then user authenticate successfully.
class SomePage(Webapp.RequestHandler):
    def get(self):
        # get cookie info
        username_from_cookie = self.request.cookies.get("user", "")
        session_from_cookie = self.request.cookies.get("session", "")

        if username_from_cookie and session_from_cookie:
            user = User.all().filter("username = ", username_from_cookie).get()
            if user.session == session_from_cookie:
                # the user is login correctly
                pass
            else:
                # the user is not login
                pass
        else:
            # the user is not login
            pass