Cross domain auth


LightOfMooN

Dec 27, 2015, 3:12:48 PM12/27/15
to web2py-users
Hello.

I have multiple domains that slice one app by language.
For example:
etc

If the user logs in to the app on mydomain.com and then wants to read it in Deutsch, he switches to the DE version and is redirected to mydomain.de, but, unfortunately, he will not be logged in on mydomain.de.

Is there a way to do cross-domain auth with web2py that lets users log in/out of all of a set of specified domains at once?

Anthony

Dec 27, 2015, 7:36:42 PM12/27/15
to web2py-users
The problem is the browser will not send the session cookie to the new domain, so web2py has no way to know the user has been logged in.

LightOfMooN

Dec 28, 2015, 12:51:22 AM12/28/15
to web...@googlegroups.com
But is there a way to push the session cookie to multiple domains at once?
Something like:
for domain in ['mydomain.com', 'mydomain.de', 'mydomain.ru', 'mydomain.fr']:
    session_id = generate_session_id(domain)
    ...
    response.push_cookies[session_id]['domain'] = domain

On Monday, December 28, 2015 at 5:36:42 AM UTC+5, Anthony wrote:

Anthony

Dec 28, 2015, 12:55:42 PM12/28/15
to web2py-users
On Monday, December 28, 2015 at 12:51:22 AM UTC-5, LightOfMooN wrote:
But is there a way to push the session cookie to multiple domains at once?
Something like:
for domain in ['mydomain.com', 'mydomain.de', 'mydomain.ru', 'mydomain.fr']:
    session_id = generate_session_id(domain)
    ...
    response.push_cookies[session_id]['domain'] = domain

Browsers will not allow one domain to set a cookie for another domain, as this is a security risk.

I haven't tried it, but one thing you might try is to pass the session_id for one domain to the other domains via hidden iframes. The steps would be something like this:
  1. After the user successfully logs in to mydomain.com, set a flag in the session (e.g., session.share_login=True).
  2. In the layout.html, when session.share_login is True, create a hidden iframe for each of the other domains, with the current session_id in the query string (i.e., src="{{=URL('default', 'set_session_id', vars=dict(session_id=response.session_id))}}"). Then set session.share_login=False so the iframes are not created on any subsequent requests.
  3. Create a /default/set_session_id function that sets response.session_id = request.get_vars.session_id. It doesn't matter what the function returns (maybe just return a string such as "OK").
With the above workflow, when a user logs in, a request will be made to each of the other domains. For each domain, web2py will return a new session cookie whose session_id is the same as the session_id of the original domain. When you go to one of the other domains, its session cookie will be sent to the server and used to retrieve the same session established on the original domain.

Note, instead of hidden iframes, you could also use script tags or hidden image tags.

Anthony

LightOfMooN

Dec 28, 2015, 4:12:04 PM12/28/15
to web...@googlegroups.com
It's awesome!
Thank you, Anthony. You made my day.

It works fine.
Here is the resulting code:

in db.py:
def share_login(form):
    # login_onaccept callback: flag the session so layout.html emits the share scripts once
    session.share_login = True
auth.settings.login_onaccept = share_login

in gluon/tools, after
if self.settings.renew_session_onlogout:
    current.session.renew(clear_session=not self.settings.keep_session_onlogout)
current.session.share_login = True
I can't use auth.settings.logout_onlogout because it runs before the session renew :(

in default.py:
def set_sid():
    # adopt the session id passed by the origin domain so both domains share one session
    if request.get_vars.sid:
        response.session_id = request.get_vars.sid
    return ''

and finally in the general template (layout.html):

    {{if session.share_login:}}
        {{for domain in share_domains:}}
            <script type="text/javascript" src="//{{=domain}}/default/set_sid?sid={{=response.session_id}}"></script>
        {{pass}}
        {{session.share_login=False}}
    {{pass}}

On Monday, December 28, 2015 at 10:55:42 PM UTC+5, Anthony wrote:
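The set_sid action above adopts whatever sid arrives in the query string, so a session id chosen by a third party can be planted on a browser simply by getting it to request that URL (session fixation). An added example, not code from the thread or from web2py, of Anthony's workflow with that hole closed: the origin domain sends an HMAC-signed, short-lived token bound to one target domain instead of the bare session id, and the receiving domain adopts the session only after verifying it. SHARE_SECRET, TOKEN_TTL, the function names and the web2py glue described in set_sid's docstring are assumptions; the session ids used are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared secret known to every domain of the app (assumption: kept in a private
# settings file, never in a template). The value here is constructed for the demo.
SHARE_SECRET = b"constructed-demo-secret"
TOKEN_TTL = 60  # seconds a share token stays valid; keep it short, it travels in a URL


def _sign(payload: bytes) -> str:
    return hmac.new(SHARE_SECRET, payload, hashlib.sha256).hexdigest()


def issue_share_token(session_id: str, target_domain: str, now: float = None) -> str:
    """Origin domain: bind session_id to one target domain and an expiry, then sign."""
    now = time.time() if now is None else now
    claims = {"sid": session_id, "aud": target_domain, "exp": int(now) + TOKEN_TTL}
    body = json.dumps(claims, separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return f"{b64}.{_sign(body)}"


def verify_share_token(token: str, my_domain: str, now: float = None):
    """Target domain: return the session id if the token is valid for us, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
        return None  # tampered, or signed with a different secret
    claims = json.loads(body)
    if claims.get("aud") != my_domain or claims.get("exp", 0) < now:
        return None  # replayed against another domain, or expired
    return claims.get("sid")


def set_sid(get_vars: dict, my_domain: str, now: float = None) -> str:
    """Hardened counterpart of the thread's set_sid: the session id to adopt, or ''.

    In web2py the caller would assign response.session_id from this result only when
    it is non-empty (hypothetical glue, not web2py's own API)."""
    return verify_share_token(get_vars.get("token", ""), my_domain, now) or ""
```

The token still appears in the target domain's access logs, so keep TOKEN_TTL short and serve both domains over HTTPS.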