Sharing current user data between subdomains in Google App Engine for Java

I am using Google App Engine for Java and I want to be able to exchange session data between subdomains:

  • www.myapp.com
  • user1.myapp.com
  • user2.myapp.com

The reason I need this is because I need to determine if the user was logged into www.myapp.com when trying to access user1.myapp.com. I want to do this to give them admin capabilities on their own subdomains, and also allow them to seamlessly switch between subdomains without having to log in again.

I want to share all cookie data between subdomains and this is possible with Tomcat as shown here: Share session data between two subdomains

Is this possible with App Engine in Java?

Update 1

I got a good tip to share information using a cookie with a domain set to ".myapp.com". This allows me to set something like "current_user" to "4" and have access to that across all subdomains. Then my server-side code may be responsible for validating cookies if the user does not have an active session.

This still prevents me from accessing the original session (which seems like it might not be possible).

Now my concern is safety. Should I allow the user to authenticate solely on that cookie ("current_user" == user_id)? This seems to be very insecure and I certainly hope I am missing something.

+3




1 answer


A shared cookie is the best way for your business. But you cannot use it to exchange session on appengine. Unless you have a third-party session storage service like Redis deployed to Cloud Instances.

You also need to add authentication to your cookie. There is a special thing in cryptography called a message authentication code (MAC), or more commonly HMAC.

Basically you need to store the user id + hash of this id and secret key (known to both servers, but not to the user). So every time you can check if the user has provided a valid ID, like:


import org.apache.commons.codec.digest.DigestUtils;

// cookie value layout: "<user id>_<hex digest of id + secret>"
String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6";
String[] pair = cookie.split("_");   // String.split takes a regex String, not a char
assert pair.length == 2;
String id = pair[0];
String sign = pair[1];
// Recompute the digest with the server-side secret; a client without the key cannot forge it.
// Note: this is a plain keyed digest, not the HMAC named above (javax.crypto.Mac gives a real one),
// and Java asserts are disabled unless the JVM runs with -ea, so production code needs an explicit check.
assert DigestUtils.md5Hex(id + "_mysecretkey").equals(sign);


Look also at TokenBasedRememberMeServices from Spring Security; you can use it as an example.

0


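The following is an added example, not code from the answer above or from App Engine or Spring Security. It shows the answer's idea carried through with a real HMAC (HMAC-SHA256 from the standard javax.crypto API) instead of a bare digest: the cookie carries the user id, an expiry, and a MAC over both, and verification uses a constant-time comparison. The cookie name "current_user" and the ".myapp.com" domain come from the question; the class name, the value layout and the placeholder secret are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Signed "current_user" cookie shared across every host under .myapp.com.
 * Value layout (assumed for this example):
 *   <userId>.<expiresEpochSeconds>.<base64url(HMAC-SHA256(userId + "." + expires))>
 */
public class SharedLoginCookie {
    private static final String ALG = "HmacSHA256";
    private final byte[] key;   // server-side secret, identical on every subdomain host, never sent to the client

    public SharedLoginCookie(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Build the cookie value for a user with an absolute expiry time. */
    public String issue(long userId, long expiresEpochSeconds) {
        String payload = userId + "." + expiresEpochSeconds;
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        return payload + "." + sig;
    }

    /** Returns the user id if the value is authentic and not expired, otherwise null. */
    public Long verify(String value, long nowEpochSeconds) {
        if (value == null) return null;
        String[] parts = value.split("\\.");
        if (parts.length != 3) return null;
        long userId, expires;
        try {
            userId = Long.parseLong(parts[0]);
            expires = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        byte[] expected = mac(parts[0] + "." + parts[1]);
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(expected, given)) return null;
        if (expires < nowEpochSeconds) return null;
        return userId;
    }

    /** Set-Cookie header value so that every subdomain of myapp.com receives the cookie. */
    public static String setCookieHeader(String value, long maxAgeSeconds) {
        return "current_user=" + value
             + "; Domain=.myapp.com; Path=/; Max-Age=" + maxAgeSeconds
             + "; Secure; HttpOnly";
    }

    public static void main(String[] args) {
        // Placeholder secret: in a real deployment generate 32 random bytes with SecureRandom once
        // and distribute them to all hosts through configuration, never hard-code them.
        byte[] secret = "PLACEHOLDER-replace-with-random-key-bytes".getBytes(StandardCharsets.UTF_8);
        SharedLoginCookie c = new SharedLoginCookie(secret);
        long now = 1_700_000_000L;               // constructed "current time" for the demo
        String value = c.issue(4, now + 3600);   // the "current_user = 4" case from the question
        System.out.println(setCookieHeader(value, 3600));
        System.out.println("valid:   " + c.verify(value, now));
        // Same signature, but the id field changed to 5: the MAC no longer matches.
        String forged = "5" + value.substring(value.indexOf('.'));
        System.out.println("forged:  " + c.verify(forged, now));
        // Authentic value presented two hours later than its expiry.
        System.out.println("expired: " + c.verify(value, now + 7200));
    }
}
```

The expiry field is what keeps a stolen or stale cookie from being valid forever, and marking the cookie Secure and HttpOnly limits exposure over plain HTTP and to page scripts; if a single user's cookies must be invalidated early, store a per-user token version alongside the id and include it in the signed payload.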