GAE：Cookie与数据存储区

Question

While looking for a good and efficient way to have a session in my app, I found GAE Boilerplate and GAE Sessions .

GAEB is amazing but very vast for my needs: I don't need Federate Login nor a default User structure, but I like the design structure and the way they solved some issues (routes, forms,...).

GAES is quite simple but powerfull to treat sessions. The most I like is the way it stores everything in a cookie, in this case, it stores the full user entity in a cookie so in the next page calls, no other datastore hits are done: the user data is always read from the cookie (this need, obviusly to update the data if the user updates something, which is not usual).

In the other hand, GAEB stores only the user ID and then retrieves, on each page call, the username and the user email. This is part of the code for the BaseHandler it uses (GAEB uses NDB model):

@webapp2.cached_property
def username(self):
    if self.user:
        try:
            user_info = models.User.get_by_id(long(self.user_id))
            if not user_info.activated:
                self.auth.unset_session()
                self.redirect_to('home')
            else:
                return str(user_info.username)
        except AttributeError, e:
            # avoid AttributeError when the session was delete from the server
            logging.error(e)
            self.auth.unset_session()
            self.redirect_to('home')
    return None

Same for email, and in the render_template function it does this:

def render_template(self, filename, **kwargs):
    .... some code.....

    # set or overwrite special vars for jinja templates
    kwargs.update({
        'app_name': self.app.config.get('app_name'),
        'user_id': self.user_id,
        'username': self.username,
        'email': self.email,
        ... more vars ...
    })
    kwargs.update(self.auth_config)

It seems that reads 2 times (one for username and one for email) from the datastore, because this funcs makes models.User.get_by_**field**(long(self.user_id))

The only thing I don't know exactly what means is the @webapp2.cached_property, that maybe means that all this datastore reads are done from a cache and really don't hit the datastore.

Can someone tell me what is the better solution to save hits to the database? It seems that it is better to have all the user data in a cookie (obviously, secured) and don't hit the datastore on every page call, but maybe I'm mistaken (I'm relatively noob with GAE) and all this reads to datastore are cached and, then, for free.

Answer 1

Saving session data in the cookie is highly discouraged:

• It has to be transfered with each request (slow on mobile connections)
• The HTTP Header size you can transfer to the GAE is limited (64Kb if i remember correctly) - thats the upper bound of data you could store
• Even if you encrypt and sign your session, you would still be vulnerable to reply attacks (you cannot perform a logout safely)

I don't know the implementations you mentioned, but we have an session implementation in our CMS, see https://bitbucket.org/viur/server/src/b2e9e3dca3adabee97e1761d630600a387a02c44/session.py?at=master . The general idea is to generate a random string (used as a session identifier). On session load a datastore "get by key" is performed (which is cached, so if that object is still in memcache, it wont hit the datastore at all).

And saving is only performed if the data stored inside the session changed or the session has not been updated for the last 5 minutes. Then you can copy the values of your user object into the session and wont have an additional datastore request.