I have two Dash (open-source) applications written in Python. In both applications, I make use of Flask-Login to handle common authentication tasks such as logging in, logging out, and remembering the users’ sessions by a signed cookie. In other words, each application has its login page that redirects the user to the app's home page in case of successful login. Conversely, users are redirected to the login page whenever the user decides to log out.
I am expecting that users who have successfully logged in on application 1 (app1) would not need to log in again on application 2 (app2) as the active user's ID is stored in the Flask session (provided a common secret key across applications). Indeed, this works as expected when deployed locally:
dash_app1.py

    if __name__ == "__main__":
        app1.run(host="172.xx.xxx.x", port=8050, debug=True)

dash_app2.py

    if __name__ == "__main__":
        app2.run(host="172.xx.xxx.x", port=8051, debug=True)

However, I am not able to reproduce this when deploying my two applications on two services running on the same Google App Engine (standard environment), i.e. I need to log in on app1 AND on app2 separately, which is undesirable.
Since app1 is deployed on https://PROJECT_ID.REGION_ID.r.appspot.com (default service) and app2 on https://SERVICE_ID-dot-PROJECT_ID.REGION_ID.r.appspot.com (second service), I would have thought that configuring the Flask application as follows would work (as per the documentation):
dash_app1.py

    import dash

    app1 = dash.Dash(...)
    server = app1.server  # underlying Flask application
    server.config.update(
        SECRET_KEY=SECRET_KEY,  # same secret key in both applications
        SESSION_COOKIE_DOMAIN=".r.appspot.com",
    )

dash_app2.py

    # Same as above but for app2.

However, the cookie containing the active user does not persist on the web browser.
I have also tried fiddling with other Flask configuration values but none have solved my issue.
Any help would be greatly appreciated!
Apparently, it is not possible to use .appspot.com as a partial domain cookie according to this post, re-quoting:
It's because appspot.com was added to the public suffix list of domains that modern browsers should not allow cookies to be set for: see here
I am guessing this has been extended to .r.appspot.com and .<REGION_ID>.r.appspot.com since attempting to change SESSION_COOKIE_DOMAIN to these values did not solve the issue.
Moreover, I think this is not linked to the web browser as both Firefox and Google Chrome reject the cookie.
However, a solution is proposed in this post but it does not seem to be robust in a production environment.
Finally, Google App Engine lets you serve your application through a custom domain so I would suggest this route in order to share login cookies between applications.
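Added example (not part of the original post or of Flask/Dash): a simplified model of the browser check discussed above, which refuses a cookie whose Domain is broader than the host's registrable domain. The rule excerpt, the host names and `example.com` are constructed assumptions; load the current Public Suffix List before relying on the result.

```python
# Constructed excerpt of Public Suffix List rules (assumption: confirm the
# entries against the current list at publicsuffix.org).
RULES = {"com", "appspot.com", "*.r.appspot.com"}

def _norm(name):
    return name.lower().strip(".")

def public_suffix(host, rules=RULES):
    """Longest public suffix of host (exception '!' rules not handled)."""
    labels = _norm(host).split(".")
    best = labels[-1:]  # implicit "*" rule: the last label is a suffix
    for i in range(len(labels)):
        cand = labels[i:]
        wild = ".".join(["*"] + cand[1:])
        if (".".join(cand) in rules or wild in rules) and len(cand) > len(best):
            best = cand
    return ".".join(best)

def registrable_domain(host, rules=RULES):
    """Public suffix plus one label, or None if host is itself a suffix."""
    host, suffix = _norm(host), public_suffix(host, rules)
    if host == suffix:
        return None
    return host[: -len(suffix) - 1].split(".")[-1] + "." + suffix

def cookie_domain_accepted(host, cookie_domain, rules=RULES):
    """Simplified browser check: Domain must cover the host without being
    broader than the host's registrable domain."""
    host, domain = _norm(host), _norm(cookie_domain)
    reg = registrable_domain(host, rules)
    if reg is None:
        return False
    covers_host = host == domain or host.endswith("." + domain)
    within_site = domain == reg or domain.endswith("." + reg)
    return covers_host and within_site

def can_share(host_a, host_b, cookie_domain, rules=RULES):
    """True if both hosts may set and receive a cookie scoped to cookie_domain."""
    return all(cookie_domain_accepted(h, cookie_domain, rules) for h in (host_a, host_b))

if __name__ == "__main__":
    gae = ("myproj.uc.r.appspot.com", "svc-dot-myproj.uc.r.appspot.com")  # constructed
    custom = ("app1.example.com", "app2.example.com")  # placeholder custom domain
    for d in (".appspot.com", ".r.appspot.com", ".uc.r.appspot.com"):
        print(d, can_share(*gae, d))
    print(".example.com", can_share(*custom, ".example.com"))
```

Under these rules each App Engine service host is its own registrable domain, so no shared Domain value is accepted, while two subdomains of one custom domain can share `.example.com`.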