Python: Google App Engine: Cookie Users Beware

By default, Google App Engine Web applications run on That means that some other app, e.g., can set a cookie for, and your app will get that cookie from the user's Web browser on subsequent requests to your site.

This isn't some remarkable new exploit or anything. It's just something to keep in mind when running on subdomains like this. If you're worried about security, you should use your own domain name and cryptographically sign your cookies (here's some example source code).
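One way to sign cookies so that a value planted by another app is rejected, as an added example (not the source code linked from this post). The names `sign_cookie`, `verify_cookie` and `SECRET_KEY` are assumptions made for illustration, and the key shown is a constructed demo value.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real app loads a long random secret from its own config.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _mac(key, name, payload, timestamp):
    # Length-prefix each field so bytes cannot be shifted between fields.
    msg = b"".join(
        str(len(part)).encode() + b":" + part
        for part in (name.encode(), payload, timestamp)
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_cookie(name, value, key=SECRET_KEY, now=None):
    """Return 'payload|timestamp|mac' to store as the cookie value."""
    timestamp = str(int(time.time() if now is None else now)).encode()
    payload = base64.urlsafe_b64encode(value.encode("utf-8"))
    return b"|".join([payload, timestamp, _mac(key, name, payload, timestamp)]).decode()


def verify_cookie(name, token, key=SECRET_KEY, max_age=86400, now=None):
    """Return the original value, or None if this app did not issue the cookie."""
    if not token:
        return None
    parts = token.encode("utf-8", "replace").split(b"|")
    if len(parts) != 3:
        return None  # e.g. a plain, unsigned cookie set by another subdomain
    payload, timestamp, mac = parts
    # The MAC covers the cookie name too, so a token cannot be replayed under another name.
    if not hmac.compare_digest(mac, _mac(key, name, payload, timestamp)):
        return None
    try:
        age = (time.time() if now is None else now) - int(timestamp)
        if age > max_age:
            return None
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except ValueError:
        return None
```

Signing gives integrity only: the value is still readable by the browser, and a validly signed cookie can be replayed until `max_age` expires.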