
Using sessions in Google App Engine with mobile client

I'm looking to implement session support for Google App Engine using either gae-sessions or webapp2 sessions, whichever makes more sense. However, I don't really understand how it works. In the sample code, the most work they do is:

 session = get_current_session()

I thought the whole point of sessions was to authenticate users. Here is my situation:

The user will only be able to use the iOS app when logged in. After the first time the user logs in, rather than sending the user's password for authentication every time, I've read that this is what session ids are for. So now, how do I use these frameworks to do this?

  • Isn't there supposed to be some id?
  • What do I send back to the client after a successful login?
  • How does get_current_session know who the user is?
  • What does the client send to the server with every request?
  • What if the user is signed in from multiple devices?

Keep in mind that the client is not a browser, but a mobile application. I'm just not understanding how this all works for this case.

asked May 18 '26 10:05

Snowman


1 Answer

I thought the whole point of sessions was to authenticate users.

No, sessions are used to identify requests that belong to the same browser. They do not identify or authenticate users. This is the job of your code. Sessions usually work via cookies: on the first request the server sends a cookie, then on all subsequent requests the browser adds the cookie to the request. That's how the server knows that a series of requests belong to the same client (browser). For this to work in your case, your Android code should use cookies.

Isn't there supposed to be some id?

Yes, after login you'd normally get some user ID, but this is specific to the login procedure. Also, this has nothing to do with sessions. A session is basically an object on the server side that is always the same when requests come from the same client. You can store some attributes in the session object: normally after the user logs in, you'd store their user ID in the session to more easily identify requests coming from the same user. When the user logs out, you'd delete the user ID from the session.

What do I send back to the client after a successful login?

Enable sessions on the server (= pick your library) and enable cookies in the Android code. Then sessions will be automatically handled between your client and server. After a successful login just store the user ID in the session. On subsequent requests just check if the session contains the user ID.

How does get_current_session know who the user is?

It doesn't. After login you store some user-related data in the session, and on subsequent requests you can check for this data.

What does the client send to the server with every request?

For sessions to work it should send a cookie. This is done automatically if you enable cookie support in the Android HttpClient code (link above).

What if the user is signed in from multiple devices?

Multiple clients would result in multiple independent sessions. It's up to your server code to identify sessions that belong to the same user (= multiple sessions would have the same user ID stored in them).

answered May 21 '26 00:05

Peter Knego
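
The flow described in the answer above, as an added example that is not part of the original answer and does not use the gae-sessions or webapp2 APIs: a standard-library stand-in in which `handle`, `SESSIONS`, `USERS` and the `sid` cookie name are assumptions. It goes one step beyond the answer by issuing a fresh session ID at login, so an ID handed out before authentication cannot be reused afterwards.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}                   # session id -> server-side session dict
USERS = {"snowman": "s3cret"}   # constructed demo account; real code stores password hashes
COOKIE = "sid"                  # hypothetical cookie name


def _new_session(data=None):
    sid = secrets.token_urlsafe(32)   # unguessable id: the only thing the client holds
    SESSIONS[sid] = dict(data or {})
    return sid


def _set_cookie(sid):
    c = SimpleCookie()
    c[COOKIE] = sid
    c[COOKIE]["httponly"] = True
    c[COOKIE]["secure"] = True        # cookie is only sent over HTTPS
    c[COOKIE]["path"] = "/"
    return c[COOKIE].OutputString()


def handle(path, cookie_header="", form=None):
    """Process one request; return (status, Set-Cookie value or None, body)."""
    jar = SimpleCookie(cookie_header)
    sid = jar[COOKIE].value if COOKIE in jar else None
    session, set_cookie = SESSIONS.get(sid), None
    if session is None:               # first request or unknown id: start a session
        sid = _new_session()
        session, set_cookie = SESSIONS[sid], _set_cookie(sid)
    if path == "/login":
        form = form or {}
        expected = USERS.get(form.get("user"))
        supplied = form.get("password", "")
        if expected is None or not secrets.compare_digest(expected.encode(), supplied.encode()):
            return 401, set_cookie, "bad credentials"
        SESSIONS.pop(sid, None)       # drop the pre-login id, issue a new one
        return 200, _set_cookie(_new_session({"user_id": form["user"]})), "logged in"
    if path == "/logout":
        session.pop("user_id", None)  # session survives, user binding is removed
        return 200, set_cookie, "logged out"
    if "user_id" not in session:      # the session identifies the client, not the user
        return 401, set_cookie, "login required"
    return 200, set_cookie, "hello " + session["user_id"]
```

A mobile client only has to store the `sid=...` pair from `Set-Cookie` and send it back in the `Cookie` header on every request; each device that logs in gets its own entry in `SESSIONS` carrying the same `user_id`.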


