I didn't. Too afraid of cookie hijacking. See http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking. To quote, "However a large number of websites, although using encrypted https communication for user authentication (i.e. the login page), subsequently send session cookies and other data over ordinary, unencrypted http connections for performance reasons. Attackers can therefore easily intercept the cookies of other users and impersonate them on the relevant websites or use them in a cookiemonster attack."
We don't use any cookies until the user logs in, and once they log in we stay on https for all traffic. Hopefully we don't run into performance problems. While we consider the http channel and the https channel to be completely separate, the common elements are App Engine (and the browser). We'd probably do the sharing in the application code on App Engine if we get backed into a corner for performance reasons. Perhaps someone else on this list has a suggestion?

On Jul 1, 4:27 pm, TL <[email protected]> wrote:
> How did you do the session cookie transfer from the HTTPS domain to
> the HTTP domain? Is this something you can configure in app engine?
>
> Was it possible to log in using HTTPS all the way to app engine and
> then transfer the session to the HTTP server using a redirect?
>
> On Jul 1, 3:50 am, J <[email protected]> wrote:
> > I tried it last year using Squid on EC2 as a proof of concept. It
> > worked well.
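The design described in the reply above (no cookie before login, session cookie confined to the https channel) can be enforced in code rather than by convention alone. The following is an added example and is not code from either poster or from App Engine's session handling; it uses only the Python standard library. The cookie name `session`, the HMAC signing secret and the `scheme` argument (the request's URL scheme, which any web framework exposes) are assumptions for the illustration.

```python
"""Keep a session cookie off the plaintext channel.

Two halves of the thread's design:
 1. Mint the session cookie only after login, with the Secure flag, so the
    browser never transmits it on a plain http request.
 2. Server side, refuse to trust a session cookie that arrives over http at
    all: anything on that channel may already have been sniffed, so the
    caller should redirect to the https login page instead of honouring it.
"""
from http.cookies import SimpleCookie
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed for this example; a real deployment keeps the key out of source.
SECRET_KEY = b"example-only-server-side-secret"
SESSION_COOKIE = "session"  # assumed cookie name


def _sign(session_id: str) -> str:
    """HMAC-SHA256 tag so a forged or tampered session id is rejected."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(session_id: Optional[str] = None) -> str:
    """Return the Set-Cookie header value to emit right after a successful login."""
    sid = session_id or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = f"{sid}.{_sign(sid)}"
    morsel = jar[SESSION_COOKIE]
    morsel["secure"] = True      # browser sends it over https only
    morsel["httponly"] = True    # not readable by page scripts
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def cookie_is_hijackable(set_cookie_header: str) -> bool:
    """True if this Set-Cookie header would let the browser leak the session over http.

    This is the check to run against your own responses: a session cookie
    without Secure is exactly the situation the Wikipedia quote describes.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return False            # no session cookie in this header at all
    return not morsel["secure"]  # SimpleCookie leaves the flag as "" when absent


def session_from_request(scheme: str, cookie_header: Optional[str]) -> Optional[str]:
    """Return the session id if a validly signed session cookie arrived over https.

    Returns None (treat the user as logged out) when the request is plaintext,
    the cookie is missing, or its MAC does not verify. The caller should then
    redirect to the https login page rather than act on the cookie.
    """
    if scheme != "https":
        return None
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return None
    sid, _, mac = morsel.value.rpartition(".")
    if not sid or not hmac.compare_digest(mac, _sign(sid)):
        return None
    return sid


if __name__ == "__main__":
    header = make_session_cookie()
    print("Set-Cookie:", header)
    print("hijackable:", cookie_is_hijackable(header))
    cookie_only = header.split(";")[0]
    print("https request ->", session_from_request("https", cookie_only))
    print("http request  ->", session_from_request("http", cookie_only))
```

The `scheme` check is what makes the "two separate channels" model hold even if a Secure-flagged cookie is somehow replayed on http by an attacker who captured it elsewhere: the server simply never accepts a session on the plaintext side, so there is nothing to transfer between the channels.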
