1

I need to create an application, where GAE server will always talk with just one client (i.e. one message should be always sent just to one client).

I do the following -

Python:

def get(self):
    # generate token, when page is loaded
    client_id = uuid.uuid4().hex
    token = channel.create_channel(client_id)
    template_values = {'token': token,
                       'client_id': client_id
                       }
    self.response.out.write(template.render('page.html', template_values))

def post(self):
    # reply to the client
    ... 
    client_id = self.request.get('id')
    channel.send_message(client_id, message)

Javascript:

sendMessage = function(field) {
  $.ajax({
    type: "POST",
    url: "/",
    data: "f=" + field + "&id=" + "{{ client_id }}", // WARNING!
    contentType: "application/x-www-form-urlencoded",
    success: function(data) {
    }
  });          
};

onOpened = function() {
  connected = true;
  sendMessage('opened');
};
onMessage = function(msg) {
  alert(msg.data);
};
onError = function(err) {
  alert(err);
};        
onClose = function() {
  alert("close");
};        
// open new session
channel = new goog.appengine.Channel('{{ token }}'); // WARNING!
socket = channel.open();
socket.onopen = onOpened;
socket.onmessage = onMessage;
socket.onerror = onError;
socket.onclose = onClose;

It works well, but with such scenario both token and client_id are passed to the client. Is it OK?

LA_
  • 19,823
  • 58
  • 172
  • 308

1 Answers1

0

There's no technical reason not to do this. If you're worried about security, the token is far more valuable: an attacker who could listen to your traffic could take the token and listen to channel messages in a different context. The clientid wouldn't let them do that.

But I do have a question: why not return the message in the POST response, rather than sending a message over the channel? Or is the sample code just simplified for the example?

Moishe Lettvin
  • 8,462
  • 1
  • 26
  • 40
  • OK, good. With regards to the question - http://stackoverflow.com/questions/9232438/how-to-protect-gae-server-side-calculation-logic – LA_ Feb 23 '12 at 21:24
  • Ah, okay. That explains your other question :) If you expect lots of traffic, I would heed Ibrahim's advice and use a Task Queue (rather than a sleep()) command to defer returning the message. If your traffic is low enough that you don't care about instance hours, you could avoid the Channel API altogether by using sleep(). Note that the XHR call is asynchronous so your client can keep doing whatever you want it to while waiting for the response. – Moishe Lettvin Feb 23 '12 at 21:41
  • I have another question about delay - http://stackoverflow.com/questions/9420223/how-to-implement-delay-in-gae-replies ;) and I need to think how to send messages to the server one-by-one. – LA_ Feb 23 '12 at 21:54