
Share Current User Data Between Subdomains on Google App Engine for Java

I am using Google App Engine for Java and I want to be able to share session data between subdomains:

  • www.myapp.com
  • user1.myapp.com
  • user2.myapp.com

The reason I need this is that I need to be able to detect if the user was logged in on www.myapp.com when trying to access user1.myapp.com. I want to do this to give them admin abilities on their own subdomains as well as allow them to seamlessly switch between subdomains without having to login again.

I am willing to share all cookie data between the subdomains and this is possible using Tomcat as seen here: Share session data between 2 subdomains

Is this possible with App Engine in Java?


Update 1

I got a good tip that I could share information using a cookie with the domain set to ".myapp.com". This allows me to set something like the "current_user" to "4" and have access to that on all subdomains. Then my server code can be responsible for checking cookies if the user does not have an active session.

This still doesn't allow me to get access to the original session (which seems like it might not be possible).

My concern now is security. Should I allow a user to be authenticated purely on the fact that the cookie ("current_user" == user_id)? This seems very insecure and I certainly hope I'm missing something.

A shared cookie is the most optimal way for your case. But you cannot use it to share a session on App Engine, except when you have a 3rd-party service to store sessions, like Redis deployed to Cloud Instances.

You also need to add some authentication to your cookie. In cryptography there is a special thing called a Message Authentication Code (MAC), or most usually HMAC.

Basically you need to store the user id + a hash of this id and a secret key (known to both servers, but not to the user). So each time you could check if the user has provided a valid id, like:

import org.apache.commons.codec.digest.DigestUtils;

// cookie value: "<user id>_<hex digest of id + secret>"
String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6";
String[] pair = cookie.split("_");  // split() takes a regex String, not a char
assert pair.length == 2;
String id = pair[0];
String sign = pair[1];
// recompute the digest with the server-side secret and compare it with the cookie's
assert DigestUtils.md5Hex(id + "_mysecretkey").equals(sign);

Take a look also at TokenBasedRememberMeServices from Spring Security, you can use it as an example.
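As an added illustration of the scheme the answer describes (this is not code from the post, from Spring Security or from App Engine), the following signs a cookie value of the form `userId.expiry.tag` with HMAC-SHA256, verifies it with a constant-time comparison and an expiry check, and scopes the cookie to `.myapp.com` so every subdomain's server can read it. The class name, the numeric user id, the shared secret and the Servlet 3.0 `setHttpOnly` call are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;

public final class SignedUserCookie {            // assumed class name
    private static final String ALGO = "HmacSHA256";
    private final byte[] secret;                 // shared by every subdomain's server, never sent to the browser

    public SignedUserCookie(byte[] secret) { this.secret = secret.clone(); }

    private String tag(String payload) throws Exception {
        Mac mac = Mac.getInstance(ALGO);
        mac.init(new SecretKeySpec(secret, ALGO));
        byte[] t = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(t);
    }

    /** Builds "userId.expiryEpochSeconds.tag"; userId is assumed numeric (contains no '.'). */
    public String sign(String userId, long expiresAt) throws Exception {
        String payload = userId + "." + expiresAt;
        return payload + "." + tag(payload);
    }

    /** Returns the user id, or null if the value is malformed, expired or forged. */
    public String verify(String value, long now) throws Exception {
        if (value == null) return null;
        String[] p = value.split("\\.");
        if (p.length != 3) return null;
        byte[] expected = tag(p[0] + "." + p[1]).getBytes(StandardCharsets.UTF_8);
        byte[] given = p[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return null;   // constant-time compare
        long expiresAt;
        try { expiresAt = Long.parseLong(p[1]); } catch (NumberFormatException e) { return null; }
        return now < expiresAt ? p[0] : null;
    }

    /** Cookie readable by www., user1. and user2.myapp.com; setHttpOnly needs Servlet 3.0+. */
    public Cookie toCookie(String signedValue) {
        Cookie c = new Cookie("current_user", signedValue);
        c.setDomain(".myapp.com");
        c.setPath("/");
        c.setSecure(true);
        c.setHttpOnly(true);
        return c;
    }
}
```

Because the tag covers both the id and the expiry, changing either field without the secret fails `verify`; a server on any subdomain that holds the same secret can accept the cookie when no local session exists, which is the fallback the question's update describes.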

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM