What's the proper way of sharing sessions between two web2py apps served through different domains?


Lisandro

May 31, 2016, 8:46:45 AM
to web2py-users
I have two web2py apps that share the same db, and they also share the session.
Both apps are served through different domains (using routes.py).
That means that the user logs in one domain (through one of the apps), and then can navigate through both domains (that is, both apps) being logged in.

I've achieved that with this code in models/db.py:

db = DAL(...)

# store the session in the shared db, under the 'primary' app's cookie name
session.connect(request, response, db=db, masterapp='primary')

# widen the session cookie's scope so the other domain receives it too
if response.session_id_name in response.cookies:
    response.cookies[response.session_id_name]['domain'] = 'primarydomain.com'

Apps are called "primary" and "secondary", the domains are "primarydomain.com" and "secondarydomain.com", and the login is done through secondary app.


Please notice the last two lines of code. I had to add those two lines in order for it to work.
Setting masterapp='primary' wasn't enough; the session wasn't shared across apps (and both domains), so I made that fix.
However, I'm not so sure that's the correct way of doing it.
The reason I'm not sure is that sometimes (very rarely), the browser gets stuck asking for login.
I cannot reproduce the problem, but on some rare occasions the user cannot log in anymore (the browser keeps asking for email and password, and the user needs to delete all cookies in order to log in again).

If you consider that isn't the proper way of doing it, I will appreciate any suggestion or comment.
Thanks as always!

Regards, 
Lisandro.

Niphlod

May 31, 2016, 9:12:24 AM
to web2py-users
afaik cookies can't be sent to multiple domains. CORS is needed. IMHO it's correct that web2py doesn't provide a way to support that.

Lisandro

May 31, 2016, 9:47:10 AM
to web2py-users
Hi Niphlod, thanks for your answer.

I've realised that my example has an important error.
Let's forget about secondarydomain.com: there is only one domain, and a subdomain. This may change the considerations a little.
The user logs in through panel.customdomain.com, and then navigates through both domains, customdomain.com and panel.customdomain.com.

This method is working ok, and it's been working for a long time.
I guess this line is doing the trick:
response.cookies[response.session_id_name]['domain'] = 'customdomain.com'

Then, for example, from within the views of customdomain.com, I can successfully make ajax calls to panel.customdomain.com, that is, calls to URLs that need login.
And everything works ok that way.
Is this still considered a bad practice? Or is it ok because it's the same domain?


I understand this is not web2py specific. 
I appreciate your time. 
Now I will take a look into CORS, and make some tests.

Regards,
Lisandro.

Niphlod

May 31, 2016, 10:27:59 AM
to web2py-users
subdomains are allowed. Different domains are not. Doing what you are doing is "permitted", although it's surely not a best practice.
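The rule behind this reply (a cookie with Domain=customdomain.com reaches customdomain.com and panel.customdomain.com, but never secondarydomain.com) is the RFC 6265 domain-matching algorithm that browsers apply. The following is an added example, not code from the thread or from web2py itself: it parses the Set-Cookie header such an app emits and reports which hosts would receive the cookie, plus the hardening attributes a session cookie should carry. The cookie name session_id_primary is assumed to be what web2py uses for masterapp='primary', and the header values and host names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (not captured from a real web2py response).
SHARED_COOKIE = (
    "session_id_primary=abc123; Domain=customdomain.com; Path=/; Secure; HttpOnly"
)
HOST_ONLY_COOKIE = "session_id_primary=abc123; Path=/"
COOKIE_NAME = "session_id_primary"  # assumed web2py name for masterapp='primary'


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie Domain when it is
    identical to it, or ends with '.' + Domain (i.e. it is a subdomain)."""
    host = request_host.lower().strip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str, name: str) -> dict:
    """Extract the attributes of one cookie from a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar[name]
    return {
        "value": morsel.value,
        "domain": morsel["domain"],          # '' when no Domain attribute
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def would_send(header: str, name: str, origin_host: str,
               request_host: str, https: bool = True) -> bool:
    """Would a browser that stored this cookie from origin_host attach it to a
    later request for request_host? Models Domain and Secure only (Path is
    assumed to be '/')."""
    attrs = parse_set_cookie(header, name)
    if attrs["secure"] and not https:
        return False
    if attrs["domain"]:
        # Browsers reject a Domain the setting host is not itself inside of.
        if not domain_matches(origin_host, attrs["domain"]):
            return False
        return domain_matches(request_host, attrs["domain"])
    # No Domain attribute: host-only cookie, sent back to the exact host only.
    return request_host.lower().strip(".") == origin_host.lower().strip(".")


def hardening_warnings(header: str, name: str) -> list:
    """Flags missing on a session cookie that widen its exposure."""
    attrs = parse_set_cookie(header, name)
    warnings = []
    if not attrs["secure"]:
        warnings.append("missing Secure")
    if not attrs["httponly"]:
        warnings.append("missing HttpOnly")
    if attrs["domain"]:
        warnings.append(
            "Domain=%s widens the cookie to every subdomain" % attrs["domain"]
        )
    return warnings


if __name__ == "__main__":
    origin = "panel.customdomain.com"  # where the login happens
    for host in ("customdomain.com", "panel.customdomain.com", "secondarydomain.com"):
        print(host, "receives shared cookie:", would_send(SHARED_COOKIE, COOKIE_NAME, origin, host))
    print("shared cookie warnings:", hardening_warnings(SHARED_COOKIE, COOKIE_NAME))
    print("host-only cookie warnings:", hardening_warnings(HOST_ONLY_COOKIE, COOKIE_NAME))
```

One practical caveat the model above does not capture: a browser may hold a host-only session_id_primary cookie and a Domain=customdomain.com cookie of the same name at the same time, and RFC 6265 lets it send both on a request to the subdomain. When changing the Domain attribute on an existing deployment, check with the browser's cookie inspector that only one copy of the session cookie exists.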

Anthony

May 31, 2016, 11:12:04 AM
to web2py-users
Do you really need to share the session, or do you just need to share the login (i.e., single sign-on)? If the latter, how about using CAS instead?

Anthony

Lisandro

May 31, 2016, 11:30:43 AM
to web2py-users
Thank you both for your answers.

I'm not sure if I only need to share the login or the session too. I will need to read more about CAS to be sure.
I don't store data at session level (I mean, data that I would then retrieve between the two different domains).
But I do need the user to log in through one app (on a subdomain), and then stay logged in when browsing the main domain and the subdomain.

The code I posted before is working. I understand maybe it's not the best practice, as Niphlod pointed out.
However, should I be concerned about security if I keep doing it that way?
At least for the time it takes me to implement the proper way.

Anthony

May 31, 2016, 1:57:16 PM
to web2py-users
I think you should be able to do what you want via the CAS functionality.