Custom user authentication. How is it done, with the best practices?

Question

I'm using Google Engine App with Python. I want to add custom user authentication. How is it done, with the best practices?

I want custom authentication because the app is built in Flex and I don't want to redirect to an HTML page.

The user value object is like this:

class User(db.Model):
   email = db.EmailProperty(required = True, indexed = True)
   masked_password = db.StringProperty(required = True)
   # maybe more things here

I would like to mask the password, is there some built in function in GAE?

Then, how I will remember the current user? Through sessions and cookies? Or what else?

Answer 1

Passwords:

The best way to handle the password is store a random salt value for each user and the result of a hash of the password + salt.

When the user wants to login, compute hash(password + salt) and see it if is the same as the hash value you stored when the password was originally set. The idea is never to store the password in cleartext and that two users with the same password won't have the same hashed value.

You can find many examples of this online and on SO.

Sessions:

There are many ways to implement sessions and using cookies is popular. I suggest you use one of the libraries already available for this purpose. See this comparison of libraries .

Answer 2

Don't implement your own authentication.

Mark the opening page as authentication required (ie "login: required" in the app.yaml) and then when they hit the front opening page they'll be be asked to authenticate before they even see your Flash/Flex app, or if they're already authenticated then they'll go straight into your app.

This avoids your Flash -> HTML -> Flash issue and lets you leverage the in-built proper authentication (my app keeps a table of user settings and permissions in the datastore but simply uses the GAE authenticated current user identity as a key)