Why am I getting a SACSID cookie from google appengine login instead of an ACSID?

Question

I've got an android app that authenticates to an appengine app. I've had it working for a little while, until the authToken supplied to me (by android's AccountManager) expired, causing a 500 error when I tried to use it to get a session cookie.

I have now invalidated the authToken, but after that I still cannot authenticate. However, instead of throwing a 500 (as it did with the invalid auth token), it responds just like the successful case - but instead of setting a "ACSID" cookie as I expect, it sets "SACSID". It looks a lot like an authentication cookie (in that it's random-looking and long), but attempting to access authenticated resources using this cookie redirects me to the login page.

Any idea what's going on?

Answer 1

the "S" is for secure!

I finally figured out that the problem is, I'm getting the cookie from https://myapp.appspot.com/_ah/login but trying to access authenticated pages on http://myapp.appspot.com/. I have now changed to accessing resources on https://myapp.appspot.com/ and it works as expected. I'm still not sure when or why that changed, and quite surprised that nobody on the internet has mentioned a SACSID cookie ever before...