Sessions across multiple domains and subdomains


Pixy Misa

Sep 23, 2007, 9:37:15 AM
to cherrypy-users
I have a blogging system up and running in CherryPy, and all is well.
Users get their own subdomains under, let's call it, cherryspace.com.
I set the session domain (tools.sessions.domain) to ".cherryspace.com"
and all is well.

But say I also have cherryspace.net. I could add a separate instance
of my application on a different IP with a different config file, and
that would work too. Not a big deal.

Now, I want to allow paying customers to use their own domains
(whatever.com) for blogs hosted on my system. I can't set up a
separate instance for every paying customer. Is there a
straightforward way to make the built-in sessions system work with
arbitrary domains? Obviously then sessions won't be maintained across
domains (because the cookies won't work that way), but I can live with
that for now.

Any suggestions would be greatly appreciated!

Robert Brewer

Sep 23, 2007, 10:49:55 AM
to cherryp...@googlegroups.com
Pixy Misa wrote:
> Now, I want to allow paying customers to use their
> own domains (whatever.com) for blogs hosted on my
> system. I can't set up a separate instance for
> every paying customer. Is there a straightforward
> way to make the built-in sessions system work with
> arbitrary domains? Obviously then sessions won't
> be maintained across domains (because the cookies
> won't work that way), but I can live with that for
> now.

The simplest method I can think of would be to subclass
_cptools.SessionTool and override its _setup method.
There, before attaching the 'session.init' hook:

    hooks.attach(self._point, self.callable, priority=p, **conf)

...inspect cherrypy.request.headers['Host'] and use it
to set conf['domain'] to whatever you'd like. For example:


    host = cherrypy.request.headers['Host']
    host = host.rsplit(".", 2)
    if len(host) < 2 or host[-1] not in TLDs:
        pass
    else:
        conf['domain'] = "." + host[-2] + "." + host[-1]

    hooks.attach(self._point, self.callable, priority=p, **conf)

You'll probably want to do something other than pass if
the host doesn't end in one of the top-level domains [1]
(for example, it might be an IP address). Redirecting to
a canonical host name is common in that case.


Robert Brewer
fuma...@aminus.org

[1] http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains


Andrew Maizels

Sep 23, 2007, 10:08:13 PM
to cherryp...@googlegroups.com
On 9/24/07, Robert Brewer <fuma...@aminus.org> wrote:

The simplest method I can think of would be to subclass
_cptools.SessionTool and override its _setup method.
There, before attaching the 'session.init' hook:

    hooks.attach(self._point, self.callable, priority=p, **conf)


...inspect cherrypy.request.headers['Host'] and use it
to set conf['domain'] to whatever you'd like. For example:


    host = cherrypy.request.headers['Host']
    host = host.rsplit(".", 2)
    if len(host) < 2 or host[-1] not in TLDs:
        pass
    else:
        conf['domain'] = "." + host[-2] + "." + host[-1]

    hooks.attach(self._point, self.callable, priority=p, **conf)

Thanks Robert, that makes sense. I'll only have a handful of shared domains, and if it's not one of those the cookie will be specific to the user's domain, so TLDs as such won't be a problem. I'll give it a whirl today.

Andrew
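
An added example, not part of the original posts and not CherryPy's own code: one way to pick the value for conf['domain'] from the client-supplied Host header using an explicit list of shared domains, as described above, rather than the last two labels of the host. The function names and the sample domain list are assumptions; None here means "leave the domain unset so the cookie is host-only".

```python
import ipaddress

# Constructed sample list, using the thread's placeholder domain names.
SHARED_DOMAINS = ("cherryspace.com", "cherryspace.net")


def normalize_host(host_header):
    """Return the lowercased host from a Host header, or None if malformed."""
    host = (host_header or "").strip().lower()
    if not host or any(c in host for c in "/\\@, \t"):
        return None
    if host.startswith("["):                 # bracketed IPv6, optional :port
        end = host.find("]")
        if end == -1:
            return None
        host = host[1:end]
    elif ":" in host:                        # name:port or IPv4:port
        host, _, port = host.partition(":")
        if not port.isdigit():
            return None
    return host.rstrip(".") or None


def session_cookie_domain(host_header, shared_domains=SHARED_DOMAINS):
    """Choose conf['domain'] for this request (hypothetical helper).

    Returns ".<shared domain>" for a shared domain or its subdomains, and
    None (host-only cookie) for customer domains and IP literals.
    Raises ValueError when the header is unusable.
    """
    host = normalize_host(host_header)
    if host is None:
        raise ValueError("malformed Host header: %r" % (host_header,))
    try:
        ipaddress.ip_address(host)
        return None                          # IP literal: no Domain attribute
    except ValueError:
        pass
    for shared in shared_domains:
        # Match on a label boundary so "evilcherryspace.com" does not qualify.
        if host == shared or host.endswith("." + shared):
            return "." + shared
    return None                              # e.g. whatever.com, www.whatever.co.uk
```

Because customer domains fall through to a host-only cookie, a host such as www.whatever.co.uk never produces a cookie scoped to ".co.uk", which the last-two-labels rule would.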

Andrew Maizels

Sep 24, 2007, 9:07:39 AM
to cherryp...@googlegroups.com
Thanks again Robert, that works like a charm.

Andrew