
I am using Google App Engine for Java and I want to be able to share session data between subdomains:

  • www.myapp.com
  • user1.myapp.com
  • user2.myapp.com

The reason I need this is that I need to be able to detect if the user was logged in on www.myapp.com when trying to access user1.myapp.com. I want to do this to give them admin abilities on their own subdomains as well as allow them to seamlessly switch between subdomains without having to log in again.

I am willing to share all cookie data between the subdomains and this is possible using Tomcat as seen here: Share session data between 2 subdomains

Is this possible with App Engine in Java?


Update 1

I got a good tip that I could share information using a cookie with the domain set to ".myapp.com". This allows me to set something like the "current_user" to "4" and have access to that on all subdomains. Then my server code can be responsible for checking cookies if the user does not have an active session.

This still doesn't allow me to get access to the original session (which seems like it might not be possible).

My concern now is security. Should I allow a user to be authenticated purely on the fact that the cookie ("current_user" == user_id)? This seems very insecure and I certainly hope I'm missing something.

    If it's just a login, that's a far simpler problem than sharing data... you could use an SSO solution for that! – Jonathan S. Fisher Mar 20 '12 at 21:32
  • SSO would be nice, but I've got a pretty simple authentication system in place now that sets the current user in the session after they have authenticated. The ability to maintain the currently logged in user state seems like something I should be able to accomplish without migrating away from my current solution, and that seems to be able to be done with cookies. It just doesn't seem that secure. I suppose JSESSIONID isn't that secure either, but at least it's not a userid in plain text. – Sam Edwards Mar 20 '12 at 22:37
  • You seem to be asking several different questions - in particular, the one about cookie security - you should post a separate SO question for each. Also, you need to provide more details about your current solution. Are you using the Users API? A sessions library? Something else? – Nick Johnson Mar 21 '12 at 07:00
  • Are you using a security framework like spring security or shiro? – Jonathan S. Fisher Mar 21 '12 at 18:10
  • No, homebuilt. Just authenticate user/pass, then store the user in the session. – Sam Edwards Mar 21 '12 at 18:52

1 Answer


A shared cookie is the most practical way for your case. But you cannot use it to share a session on App Engine, except when you have a 3rd-party service to store sessions, like Redis deployed to Cloud instances.

You also need to add some authentication to your cookie. In cryptography there is a special thing called a Message Authentication Code (MAC), most usually an HMAC.

Basically you need to store the user id plus a hash of this id and a secret key (known to both servers, but not to the user). So each time you can check whether the user has provided a valid id, like:

import org.apache.commons.codec.digest.DigestUtils;

// Cookie value is "<userId>_<signature>", the signature being the hex MD5 of the id joined with a server-side secret.
String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6"; // illustrative value; in practice read from the request
String[] pair = cookie.split("_"); // String.split takes a String (regex), not a char
if (pair.length != 2) throw new IllegalArgumentException("malformed cookie");
String id = pair[0];
String sign = pair[1];
// Recompute the signature with the secret; a client that does not know the secret cannot forge it.
// (An explicit check rather than assert: Java assertions are disabled unless the JVM runs with -ea.)
if (!DigestUtils.md5Hex(id + "_mysecretkey").equals(sign)) throw new SecurityException("invalid signature");

Take a look also at TokenBasedRememberMeServices from Spring Security, you can use it as an example.

  • So are you confirming that there is no way to change the domain on the actual session cookie used by App Engine? I know that if I could do that, the results would be exactly what I want, as I'm using sub-domain based multi-tenancy, so all browser requests go to the same app/deployment. I'm using Spring for authentication/authorization and caching session data in Datastore. – tangent Mar 17 '15 at 13:41
  • you can modify the session cookie, but it doesn't make any sense; the actual data is stored in Datastore for the app, in the table `_ah_SESSION`. I believe you don't have access to the db from another app to read this data – Igor Artamonov Mar 17 '15 at 14:28
  • It's not another app, it's the same app, accessed via a different subdomain. Even if you're right, I'd like to try modifying the session cookie. Do you know how to do this? – tangent Mar 18 '15 at 15:18
  • same app and same db? then it should work out of the box. what exactly do you want to change in the session cookie? it's just a number, the id of an entity in the db – Igor Artamonov Mar 18 '15 at 16:47
  • Yes, same app and db. It does not work out of the box, because if I log in to the app via app1.mysite.com, the domain attribute of the session cookie is set to app1.mysite.com, which means the cookie is only sent with requests destined for app1.mysite.com. When I go to app2.mysite.com, the session cookie is not sent. If I had a way to change the domain to ".mysite.com" then the cookie would be sent to any mysite.com host, and the session would be valid on all subdomains. I just don't know how/where to do that. – tangent Mar 19 '15 at 14:36
  • oh, I see what you mean. usually it's container-specific configuration, and I don't see any mention in the App Engine docs that it could be configured there. I suggest you create a new question about how to use a custom session cookie on App Engine, maybe there's an undocumented option in the app config or something like that – Igor Artamonov Mar 19 '15 at 15:26
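The answer's scheme (user id plus a keyed MAC in one cookie) and the cookie-domain problem raised in the comments, carried through in plain Java as an added example. This is not code from the answer, from App Engine or from the question's app. It replaces the answer's MD5-of-concatenation with a real HMAC-SHA256, puts an expiry inside the signed payload, compares tags in constant time, and emits the Set-Cookie header with Domain=.myapp.com so the browser presents the cookie to every subdomain. The cookie name, the .myapp.com domain, the literal key and the fixed clock value are assumptions made so the example runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SharedAuthCookie {

    // ASSUMPTION: a literal key only so the example runs stand-alone. In a deployment
    // it must be random (>= 32 bytes), loaded from configuration, and identical on
    // every instance that serves any of the subdomains.
    private static final byte[] SECRET =
            "example-only-replace-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);

    // Cookie name and parent domain are assumptions taken from the question.
    static final String COOKIE_NAME = "current_user";
    static final String COOKIE_DOMAIN = ".myapp.com";
    static final long MAX_AGE_SECONDS = 8 * 60 * 60;

    // HMAC-SHA256 over the payload, base64url without padding so the tag is cookie-safe.
    static String tag(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        byte[] t = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
    }

    // Issue: value = "<userId>:<expiresAt>:<tag>". The expiry sits inside the signed
    // payload, so a client cannot extend the cookie's lifetime by editing it.
    static String issue(long userId, long nowSeconds) throws Exception {
        String payload = userId + ":" + (nowSeconds + MAX_AGE_SECONDS);
        return payload + ":" + tag(payload);
    }

    // Verify: returns the user id, or -1 when the value is malformed, forged or expired.
    static long verify(String value, long nowSeconds) throws Exception {
        if (value == null) return -1;
        String[] parts = value.split(":", -1);
        if (parts.length != 3) return -1;
        long userId, expiresAt;
        try {
            userId = Long.parseLong(parts[0]);
            expiresAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return -1;
        }
        byte[] expected = tag(parts[0] + ":" + parts[1]).getBytes(StandardCharsets.UTF_8);
        byte[] presented = parts[2].getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: String.equals() stops at the first differing byte.
        if (!MessageDigest.isEqual(expected, presented)) return -1;
        if (expiresAt <= nowSeconds) return -1;
        return userId;
    }

    // The Set-Cookie header as it should leave the server. Domain=.myapp.com makes the
    // browser send the cookie to www., user1. and user2.; Secure and HttpOnly keep it
    // off plaintext HTTP and out of reach of page scripts. With javax.servlet.http.Cookie
    // the equivalent is setDomain(COOKIE_DOMAIN) and setSecure(true); setHttpOnly()
    // exists from Servlet 3.0, otherwise add the header by hand as done here.
    static String setCookieHeader(String value) {
        return COOKIE_NAME + "=" + value
                + "; Domain=" + COOKIE_DOMAIN
                + "; Path=/; Max-Age=" + MAX_AGE_SECONDS
                + "; Secure; HttpOnly; SameSite=Lax";
    }

    public static void main(String[] args) throws Exception {
        long now = 1_700_000_000L; // constructed clock value so the run is deterministic
        String value = issue(4, now);
        System.out.println("Set-Cookie: " + setCookieHeader(value));
        System.out.println("valid cookie -> user " + verify(value, now));
        // Changing the id without knowing SECRET: the tag no longer matches.
        String forged = "5" + value.substring(1);
        System.out.println("forged id    -> user " + verify(forged, now));
        // The same cookie after its lifetime has elapsed.
        System.out.println("expired      -> user " + verify(value, now + MAX_AGE_SECONDS + 1));
        // The question's bare "current_user=4" carries no tag at all.
        System.out.println("unsigned     -> user " + verify("4", now));
    }
}
```

Running main issues a cookie for user 4 and accepts it, then rejects the forged id, the expired copy and the unsigned value, which is the difference between the question's bare "current_user=4" and a cookie the server can trust. What the cookie proves is only that this server (or any server holding SECRET) issued it for that id before the expiry; revocation, e.g. after a password change, still needs a server-side check, for instance a per-user token version included in the signed payload.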