Sharing current user data between subdomains in Google App Engine for Java
I am using Google App Engine for Java and I want to be able to exchange session data between subdomains:
The reason I need this is because I need to determine if the user was logged into www.myapp.com when trying to access user1.myapp.com. I want to do this to give them admin capabilities on their own subdomains, and also allow them to seamlessly switch between subdomains without having to log in again.
I want to share all cookie data between subdomains and this is possible with Tomcat as shown here: Share session data between two subdomains
Is this possible with App Engine in Java?
Update 1
I got a good tip to share information using a cookie with a domain set to ".myapp.com". This allows me to set something like "current_user" to "4" and have access to that across all subdomains. Then my server-side code may be responsible for validating cookies if the user does not have an active session.
This still prevents me from accessing the original session (which seems like it might not be possible).
Now my concern is safety. Should I allow the user to authenticate solely on that cookie ("current_user" == user_id)? This seems to be very insecure and I certainly hope I am missing something.
A shared cookie is the best way for your case. But you cannot use it to exchange sessions on App Engine, unless you have a third-party session storage service like Redis deployed to Cloud Instances.
Basically you need to store the
+ hash of this
(known to both servers, but not to the user). So every time you can check if the user has provided a valid ID, like:
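    import org.apache.commons.codec.digest.DigestUtils;

    String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6";
    // Split the cookie into the user ID and its signature
    String[] pair = cookie.split("_");
    assert pair.length == 2;
    String id = pair[0];
    String sign = pair[1];
    // Recompute the hash with the server-side secret and compare it to the signature
    assert DigestUtils.md5Hex(id + "_mysecretkey").equals(sign);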
Look also at
from Spring Security, you can use it as an example.
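An added example, not part of the original answer: the same signed-cookie check done with HMAC-SHA256, a constant-time comparison and an expiry field, in place of the md5(id + secret) construction shown above. The class name, the demo key and the `userId_expiry_signature` cookie layout are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SignedCookie {
    // Constructed demo key (assumption); load a random server-side secret from configuration instead.
    private static final byte[] KEY = "demo-only-secret-change-me".getBytes(StandardCharsets.UTF_8);

    private static String hmacHex(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Builds "userId_expiry_signature"; expiry is in epoch seconds. */
    static String issue(long userId, long expiresAt) throws Exception {
        String payload = userId + "_" + expiresAt;
        return payload + "_" + hmacHex(payload);
    }

    /** Returns the user id if the cookie is authentic and unexpired, otherwise -1. */
    static long verify(String cookie, long now) throws Exception {
        String[] parts = cookie == null ? new String[0] : cookie.split("_");
        if (parts.length != 3) return -1;
        byte[] expected = hmacHex(parts[0] + "_" + parts[1]).getBytes(StandardCharsets.UTF_8);
        byte[] given = parts[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return -1; // constant-time comparison
        try {
            long expiresAt = Long.parseLong(parts[1]);
            return now < expiresAt ? Long.parseLong(parts[0]) : -1;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String cookie = issue(4, now + 3600);
        System.out.println(verify(cookie, now));                           // untouched cookie
        System.out.println(verify(cookie.replaceFirst("^4_", "5_"), now)); // user id altered
        System.out.println(verify(cookie, now + 7200));                    // checked after expiry
    }
}
```

The check is an ordinary `if` rather than `assert`, because Java assertions are skipped unless the JVM is started with `-ea`.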