On Tue, Jun 11, 2013 at 3:32 PM, Tomas Ehrlich <tomas.ehrl...@gmail.com> wrote:
> Hi Marcin,
> unfortunately it doesn't solve the problem. As it's said in the document:
>
> Just like the secret keys, the SESSION_COOKIE_DOMAIN setting from
> OldWebsite.com and NewWebsite.com must match if you want
> to share sessions.
>
> ... but that's possible only when you share sessions in subdomains (e.g.
> SESSION_COOKIE_DOMAIN = '.domain.td' and your sites are
> at sub1.domain.td, sub2.domain.td, etc.)
>
>
> Database routing is interesting, but I have one database, one website,
> which is accessed from multiple domains. The problem isn't tied to
> Django nor Python, it's simply a limitation of cookies.
You could do poor man's SSO, which would be similar to your <domain>/sess/<sess_id> idea.

Basically, only one of your websites can create a new empty session - we'll call this the master. If a client visits one of your websites and they do not have a session on that website, you redirect them to the master website, with a parameter indicating the source website. If they already have a session on the master website, you simply redirect them to the source website with a token indicating their (existing) session id. Otherwise, you create a new session on the master website, and redirect them back to the source website, again with a token.

When the user returns to the source website, extract the session id from the token, and set the appropriate cookies so that they are using that as their session.

Because the session id is hidden behind an opaque token during transfer, there can be no fixation attacks. Delete the token immediately after consumption, and you minimise replay attacks.

Cheers

Tom
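The handoff Tom describes, written out as an added, self-contained example (it is not code from the thread or from Django). It models the master site and two source sites against one shared store, as in Tomas's single-database setup; the domain names, the `/sso/start` and `/sso/callback` paths, the 60-second token lifetime and the `MasterSite`/`SourceSite` classes are all assumptions for illustration. The point it makes concrete is the last paragraph of the post: the session id never appears in a URL, the token is removed from the store the moment it is redeemed, it is bound to the source domain that asked for it, and it expires.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 60  # assumed handoff window; older tokens are rejected


@dataclass
class MasterSite:
    """The one site allowed to create sessions (the 'master' in the post).
    Both dicts stand in for tables in the single shared database."""
    sessions: dict = field(default_factory=dict)  # session_id -> session data
    tokens: dict = field(default_factory=dict)    # token -> (session_id, source, expires_at)

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"created": time.time()}
        return sid

    def handle_sso_request(self, master_cookie: Optional[str], source: str,
                           now: Optional[float] = None) -> Tuple[str, str]:
        """Visitor arrived from `source`. Reuse the master session if the master
        cookie is valid, else create one; then issue an opaque one-time token.
        Returns (cookie to set on the master domain, redirect URL back to source)."""
        now = time.time() if now is None else now
        sid = master_cookie if master_cookie in self.sessions else self.new_session()
        token = secrets.token_urlsafe(32)  # unrelated to sid, so the URL leaks nothing
        self.tokens[token] = (sid, source, now + TOKEN_TTL_SECONDS)
        return sid, f"https://{source}/sso/callback?token={token}"

    def redeem_token(self, token: str, source: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Single use: the token is popped before any check, so a replay or a
        redemption from the wrong domain still consumes it."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)
        if entry is None:
            return None
        sid, bound_source, expires_at = entry
        if bound_source != source or now > expires_at:
            return None
        return sid


class SourceSite:
    """Any non-master domain; it shares the store with the master."""

    def __init__(self, domain: str, master: MasterSite):
        self.domain = domain
        self.master = master

    def handle_request(self, cookie: Optional[str], token: Optional[str] = None,
                       now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Returns ('ok', session_id), ('redirect', url) or ('reject', None).
        On 'ok' the caller sets this domain's session cookie to session_id."""
        if cookie in self.master.sessions:
            return ("ok", cookie)
        if token is not None:
            sid = self.master.redeem_token(token, self.domain, now=now)
            return ("reject", None) if sid is None else ("ok", sid)
        return ("redirect", f"https://master.example/sso/start?source={self.domain}")


def _token_from(url: str) -> str:
    return parse_qs(urlparse(url).query)["token"][0]


def run_flow() -> dict:
    """First visit to site A, then site B, then a replay and a cross-domain misuse."""
    master = MasterSite()
    site_a = SourceSite("a.example", master)
    site_b = SourceSite("b.example", master)

    status, url = site_a.handle_request(cookie=None)          # 1. bounce to master
    source = parse_qs(urlparse(url).query)["source"][0]
    master_cookie, back = master.handle_sso_request(None, source)  # 2. new session + token
    _, sid_a = site_a.handle_request(None, token=_token_from(back))  # 3. redeem on A
    replay = site_a.handle_request(None, token=_token_from(back))    # 4. same token again

    site_b.handle_request(cookie=None)                          # 5. B bounces too
    _, back_b = master.handle_sso_request(master_cookie, "b.example")  # existing session reused
    _, sid_b = site_b.handle_request(None, token=_token_from(back_b))

    _, back_c = master.handle_sso_request(master_cookie, "b.example")
    cross = site_a.handle_request(None, token=_token_from(back_c))  # 6. B's token used on A

    return {"first_status": status, "sid_a": sid_a, "sid_b": sid_b,
            "replay": replay, "cross": cross, "tokens_left": len(master.tokens)}


def expired_token_is_rejected() -> bool:
    """A token presented after TOKEN_TTL_SECONDS is refused even though it was unused."""
    master = MasterSite()
    _, back = master.handle_sso_request(None, "a.example", now=1000.0)
    late = 1000.0 + TOKEN_TTL_SECONDS + 1
    return master.redeem_token(_token_from(back), "a.example", now=late) is None


if __name__ == "__main__":
    print(run_flow())
    print("expired rejected:", expired_token_is_rejected())
```

In a real Django deployment the two dicts would be the session table and a small token table in the one shared database, the `redirect` results would be `HttpResponseRedirect`s, and the `ok` result would be where the view sets the per-domain session cookie to the returned id.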