
I have a Google App Engine Java application which is embedded (via a Gadget) in a Google Site. The app is built for a Google Apps customer and therefore is set to require Google authentication with that customer's domain - as is the site it is embedded in.

In general this app is only ever to be used within the site. Users never have to explicitly log into the app - it inherits their login session from the parent frame (assuming third party cookies are not blocked in the browser).

We use a standard UserService pattern, as per the docs:

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser();  // null when the request carries no valid (S)ACSID cookie

if (user != null) {
    // do ALL the things!
} else {
    // not logged in: send the user to the App Engine login URL and return here afterwards
    resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
}

A logged-in user gets a SACSID cookie set for the myapp.appspot.com domain, the HTTPS version of the ACSID cookie.

When users log out of the containing site by clicking the standard "Log Out" button in their Google account, they are logged out of their Google account, but they can still access the application. userService.isUserLoggedIn() also returns true.

(We can't have the user log out using the App Engine logout URL, as in general, they don't even know they are using an App Engine application - it's just content embedded on a site.)

If you reproduce this by browsing to the servlet directly rather than via the site, and then log out of your Google account, the UserService detects the logout about 2-3 minutes after you sign out and redirects you to the login screen as expected. However, in a situation where people may log off the parent site and then log in again at short notice, there are cases where people get the wrong privilege level in the application.

How can we detect this instantly and react appropriately?

crb

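The question is unanswered on the page. As an added example that is not from the post or from the App Engine documentation, below is one mitigation a practitioner would try in this situation: a servlet filter that (a) throws the app-level session away whenever the Google identity behind the SACSID cookie changes, and (b) forces a round trip through the App Engine login URL once the app-level session is older than a short window. It does not detect the Google logout instantly; it only bounds how long a stale SACSID cookie is trusted. The class name, attribute names and the 60-second window are hypothetical, and the code assumes sessions are enabled in appengine-web.xml and that the login URL round trip actually re-checks the Google session rather than accepting the existing cookie, which should be verified against the current platform before relying on it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Added example, not code from the original post. Assumes
// <sessions-enabled>true</sessions-enabled> in appengine-web.xml and a
// web.xml filter-mapping covering the protected servlets.
public class ReauthFilter implements Filter {

    // Hypothetical window: how long the app trusts a SACSID cookie before
    // bouncing through the login URL again. Shorter means more redirects.
    private static final long MAX_AGE_MS = 60 * 1000L;
    private static final String ATTR_EMAIL = "reauth.email";
    private static final String ATTR_STAMP = "reauth.stamp";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser();
        if (user == null) {
            // Same behaviour as the servlet in the question: no valid cookie, go log in.
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
            return;
        }

        HttpSession session = req.getSession(true);
        String seenEmail = (String) session.getAttribute(ATTR_EMAIL);
        Long stamp = (Long) session.getAttribute(ATTR_STAMP);
        long now = System.currentTimeMillis();

        if (seenEmail != null && !seenEmail.equals(user.getEmail())) {
            // A different Google account is now behind the cookie in this browser:
            // discard anything the app cached for the previous user.
            session.invalidate();
            session = req.getSession(true);
            stamp = null;
        }

        if (stamp == null) {
            // Fresh app session: first request, or we just returned from the login URL.
            session.setAttribute(ATTR_EMAIL, user.getEmail());
            session.setAttribute(ATTR_STAMP, now);
        } else if (now - stamp > MAX_AGE_MS) {
            // The app session is older than the window we are willing to trust the
            // SACSID cookie for. Clear the stamp and bounce through the login URL:
            // a user still signed in to Google comes straight back and gets a new
            // stamp above; a user who has signed out is asked to log in again.
            session.removeAttribute(ATTR_STAMP);
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
            return;
        }

        // Downstream privilege decisions should read user.getEmail() on every
        // request rather than a value cached when the user first appeared.
        chain.doFilter(request, response);
    }
}
```

The email comparison is what addresses the "wrong privilege level" symptom described above when one user signs out and another signs in within the cookie's grace period, because it prevents any per-user state cached in the HttpSession from surviving the identity change; the timestamp check only narrows the window during which the old SACSID cookie is honoured at all.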