Generating unique and opaque user IDs in Google App Engine

Question

I\'m working on an application that lets registered users create or upload content, and allows anonymous users to view that content and browse registered users\' pages to find t

Answer 1

Do you mean session cookies?

Try http://code.google.com/p/gaeutilities/

---

What DzinX said. The only way to create an opaque key that can be authenticated without a database roundtrip is using encryption or a cryptographic hash.

Give the user a random number and hash it or encrypt it with a private key. You still run the (tiny) risk of collisions, but you can avoid this by touching the database on key creation, changing the random number in case of a collision. Make sure the random number is cryptographic, and add a long server-side random number to prevent chosen plaintext attacks.

You'll end up with a token like the Google Docs key, basically a signature proving the user is authenticated, which can be verified without touching the database.

However, given the pricing of GAE and the speed of bigtable, you're probably better off using a session ID if you really can't use Google's own authentication.