Sharing session among multiple domains (generic web development question)


Tomas Ehrlich

Jun 11, 2013, 3:04:00 AM
to django...@googlegroups.com
Hi there,
this question isn't bound to the Django web framework, as the major
limitation is cookies:

I have a single-instance Django site running on multiple domains. Each
domain simply filters specific categories. There's an eshop and I need
to share sessions among all domains so a user can log in on one site and
stay logged in while browsing the other domains.

As I said before, the major limitation is how cookies work -- they're
bound to a single domain or many subdomains.


I saw one solution -- on every page request, send many GET requests to all
domains, giving them the session_id, e.g.:

http://domain/sess/<session_id>

Each domain then receives the session_id and saves it to a cookie. When the user
browses through the site and switches to other domains, he remains logged in
as the session_id is the same.

This works, but I'm concerned about security issues. I also don't like
30+ requests on every refresh (it could probably be limited to the
login/logout views only).


What's your opinion? Have you ever dealt with a problem like this? How
did you solve it?



Regards
Tomáš Ehrlich

Email: tomas....@gmail.com
Tel: +420 608 219 889
Jabber: elv...@jabber.cz

"I will go anywhere, as long as it is forward." - D. Livingstone

Avraham Serour

Jun 11, 2013, 5:40:12 AM
to django...@googlegroups.com
Interesting problem!
I googled for "Sharing session among multiple domains".


It looks like you can do it across subdomains, so one solution is to split your websites onto subdomains.
One interesting suggestion is the iframe one; if you implement that, please share how.



--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.



Tomas Ehrlich

Jun 11, 2013, 8:22:37 AM
to django...@googlegroups.com
Hi Avraham,
I know that cookies can be shared among subdomains, but my customer wants to
have separate domains.

The iframe solution is already implemented. It simply opens the
http://<domain>/sess/<session_id> URL for each domain in hidden iframes.
The view only saves the session_id to the cookie "sessionid" (by default).
https://docs.djangoproject.com/en/dev/ref/settings/#session-cookie-name

It could be probably handled at nginx/apache level, but I don't have
sources or server access to that site.

The drawback is that lots of requests are made on every page refresh, which
is why we are looking for another solution. Falling back to subdomains
is the only solution on the table right now.


Cheers,
Tom

On Tue, 11 Jun 2013 12:40:12 +0300
Avraham Serour <tov...@gmail.com> wrote:
"I will go anywhere, as long as it is forward." - J. London

Marcin Szamotulski

Jun 11, 2013, 10:03:13 AM
to django...@googlegroups.com
Hi,

If you use the db backend for sessions, you could save the session in both
databases. Check this:
http://dustinfarris.com/2012/2/sharing-django-users-and-sessions-across-projects/
I hope this helps.

Best regards,
Marcin

Tomas Ehrlich

Jun 11, 2013, 10:32:34 AM
to django...@googlegroups.com
Hi Marcin,
unfortunately it doesn't solve the problem. As the document says:

Just like the secret keys, the SESSION_COOKIE_DOMAIN setting from
OldWebsite.com and NewWebsite.com must match if you want
to share sessions.

... but that's possible only when you share sessions across subdomains (e.g.
SESSION_COOKIE_DOMAIN = '.domain.td' and your sites are
at sub1.domain.td, sub2.domain.td, etc.)


Database routing is interesting, but I have one database and one website,
which is accessed from multiple domains. The problem isn't tied to
Django or Python; it's simply a limitation of cookies.


Thank you anyway


Cheers,
Tom



On Tue, 11 Jun 2013 14:03:13 +0000
Marcin Szamotulski <msz...@gmail.com> wrote:

Bill Freeman

Jun 11, 2013, 10:43:10 AM
to django-users
I wonder if you could use an iframe to create the illusion that these sites are served from separate domains?

Tom Evans

Jun 12, 2013, 5:30:43 AM
to django...@googlegroups.com
On Tue, Jun 11, 2013 at 3:32 PM, Tomas Ehrlich <tomas....@gmail.com> wrote:
> Hi Marcin,
> unfortunately it doesn't solve the problem. As it's said in document:
>
> Just like the secret keys, the SESSION_COOKIE_DOMAIN setting from
> OldWebsite.com and NewWebsite.com must match if you want
> to share sessions.
>
> ... but that's possible only when you share sessions in subdomains (eg.
> SESSION_COOKIE_DOMAIN = '.domain.td' and your sites are
> at sub1.domain.td, sub2.domain.td, etc.)
>
>
> Database routing is interesting, but I have one database, one website,
> which is accessed from multiple domains. The problem isn't tied to
> Django nor Python, it's simply limitation of cookies.
>

You could do poor man's SSO, which would be similar to your
<domain>/sess/<sess_id> idea.

Basically, only one of your websites can create a new empty session -
we'll call this the master. If a client visits one of your
websites and they do not have a session on that website, you redirect
them to the master website, with a parameter indicating the source
website.

If they already have a session on the master website, you simply
redirect them to the source website with a token indicating their
(existing) session id.
Otherwise, you create a new session on the master website, and
redirect them back to the source website, again with a token.

When the user returns to the source website, extract the session id
from the token, and set the appropriate cookies so that they are using
that as their session.

Because the session id is hidden behind an opaque token during
transfer, there can be no fixation attacks. Delete the token
immediately after consumption, and you minimise replay attacks.

Cheers

Tom
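The scheme Tom describes (and the contrast with the earlier /sess/<session_id> idea, which puts the real session id in a URL), as an added, self-contained Python sketch that is not code from the thread or from Django. It assumes a constructed allowlist of shop domains, an in-memory master, and that the "token" is a random handle the source site redeems on the master over a back channel (a signed token would work too); the master never exposes the session id itself, tokens are bound to the requesting source, expire, and are deleted on first use.

```python
import secrets
import time
from urllib.parse import urlencode

# Assumed, constructed set of the shop's domains. Anything else is refused,
# so the master never redirects to (or issues a token for) an arbitrary site.
ALLOWED_SOURCES = {"shop-a.example", "shop-b.example"}
TOKEN_TTL = 60  # seconds a handoff token stays valid (assumed value)


class Master:
    """The one site allowed to create sessions; hands them out via tokens."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.sessions = {}      # session_id -> session data (the real session)
        self.tokens = {}        # token -> (session_id, source, expires_at)

    def handle_login_redirect(self, source, master_cookie):
        """A source site sent the client here with no session of its own.
        Returns (redirect URL for the client, cookie value to set on master)."""
        if source not in ALLOWED_SOURCES:
            return None, master_cookie              # refuse unknown source
        sid = master_cookie
        if sid not in self.sessions:                # no master session yet
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {}
        token = secrets.token_urlsafe(32)           # opaque; never the sid
        self.tokens[token] = (sid, source, self.now() + TOKEN_TTL)
        url = f"https://{source}/sso/consume?" + urlencode({"token": token})
        return url, sid

    def redeem(self, token, source):
        """Back-channel lookup by the source site. Single use, source-bound."""
        entry = self.tokens.pop(token, None)        # gone on first use: no replay
        if entry is None:
            return None
        sid, bound_source, expires_at = entry
        if bound_source != source or self.now() > expires_at:
            return None                             # wrong site or too old
        return sid


def consume_on_source(master, source, token):
    """The source site's /sso/consume view: the session cookie value to set,
    or None, in which case no cookie is set and the login is not honoured."""
    return master.redeem(token, source)
```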

Tomas Ehrlich

Jun 12, 2013, 7:38:24 AM
to django...@googlegroups.com
Hi Tom,
that's an interesting approach. I'm going to use it and publish the code later.


Thank you!

Cheers,
Tom


PS: The key is the name of the problem :) SSO

https://github.com/ojii/django-simple-sso
https://github.com/bltravis/django-token-sso

On Wed, 12 Jun 2013 10:30:43 +0100
Tom Evans <teva...@googlemail.com> wrote:

Frank Bieniek

Jun 13, 2013, 10:04:00 AM
to django...@googlegroups.com
Hi Tom,

What about an OpenID single sign-on?
There is a Python package out there doing it:

openid_provider
from openid_provider.models import OpenID, TrustedRoot

Glue it together with django-userena
and you have your SSO.

Thanks
Frank





On 12.06.13 13:38, Tomas Ehrlich wrote: