Hi Tom,
that's an interesting approach. I'm going to use it and publish code later.


Thank you!

Cheers, 
  Tom


PS: The key is the name of the problem :) SSO

https://github.com/ojii/django-simple-sso
https://github.com/bltravis/django-token-sso

On Wed, 12 Jun 2013 10:30:43 +0100
Tom Evans <tevans...@googlemail.com> wrote:

> 
> You could do poor man's SSO, which would be similar to your
> <domain>/sess/<sess_id> idea.
> 
> Basically, only one of your websites can create a new empty session -
> we'll call this the master. If a client visits one of your
> websites, and they do not have a session on that website, you redirect
> them to the master website, with a parameter indicating the source
> website.
> 
> If they already have a session on the master website, you simply
> redirect them to the source website with a token indicating their
> (existing) session id.
> Otherwise, you create a new session on the master website, and
> redirect them back to the source website, again with a token.
> 
> When the user returns to the source website, extract the session id
> from the token, and set the appropriate cookies so that they are using
> that as their session.
> 
> Because the session id is hidden behind an opaque token during
> transfer, there can be no fixation attacks. Delete the token
> immediately after consumption, and you minimise replay attacks.
> 
> Cheers
> 
> Tom
> 

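The poor man's SSO that Tom Evans describes above, written out as a runnable simulation so the master/source exchange and the "consume once, then delete" rule can be checked end to end. This is an added example, not code from either Tom in this thread and not from django-simple-sso or django-token-sso; it uses plain Python instead of Django so it runs stand-alone. Everything beyond the quoted description is an assumption: the host names, the /sso/start and /sso/consume paths, a session store that the master and all source sites read (so a source site can adopt a session the master created), a 60-second token expiry, an allow-list of source hosts, a check that next= is a local path, and an sso_state cookie that ties the round trip back to the browser that started it.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

MASTER_HOST = "sso.example.com"                          # assumed host names
SOURCE_HOSTS = ("app1.example.com", "app2.example.com")

def query_of(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class MasterSite:
    """The only site allowed to create an empty session."""
    def __init__(self, session_store, token_ttl=60):
        self.sessions = session_store    # session store shared with source sites
        self.token_ttl = token_ttl       # expiry is an addition to the quoted scheme
        self.tokens = {}                 # opaque token -> (session id, expiry)

    def start(self, master_cookie, source, state, next_path):
        """GET /sso/start: reuse or create the session, mint a one-shot token."""
        if source not in SOURCE_HOSTS:
            raise ValueError("unknown source site")
        if not next_path.startswith("/") or next_path.startswith("//"):
            next_path = "/"              # refuse open redirects through next=
        sid = master_cookie if master_cookie in self.sessions else None
        if sid is None:
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = {"created": time.time()}
        token = secrets.token_urlsafe(32)   # random, so it reveals nothing about sid
        self.tokens[token] = (sid, time.time() + self.token_ttl)
        query = urlencode({"token": token, "state": state, "next": next_path})
        return sid, f"https://{source}/sso/consume?{query}"

    def redeem(self, token):
        """Server-to-server: swap a token for its session id, exactly once."""
        sid, expiry = self.tokens.pop(token, (None, 0.0))   # pop deletes the token
        return sid if sid is not None and time.time() <= expiry else None

class SourceSite:
    """A site that never creates sessions; it adopts the master's."""
    def __init__(self, host, master):
        self.host, self.master, self.pending = host, master, set()

    def visit(self, cookies, path):
        """Any page: serve if the cookie is a live session, else bounce to master."""
        if cookies.get("sessionid") in self.master.sessions:
            return "ok", cookies["sessionid"], {}
        state = secrets.token_urlsafe(16)   # binds the return trip to this browser
        self.pending.add(state)
        query = urlencode({"source": self.host, "state": state, "next": path})
        return "redirect", f"https://{MASTER_HOST}/sso/start?{query}", {"sso_state": state}

    def consume(self, cookies, url):
        """GET /sso/consume: turn a token into the session cookie, once."""
        q = query_of(url)
        state = q.get("state")
        if state is None or state != cookies.get("sso_state") or state not in self.pending:
            return "reject", None, {}
        self.pending.discard(state)
        sid = self.master.redeem(q.get("token", ""))
        if sid is None:
            return "reject", None, {}
        return "redirect", q.get("next", "/"), {"sessionid": sid, "sso_state": ""}

def begin(jar, site, master, path):
    """Session-less browser hits a source page, is bounced to master; returns the consume URL."""
    _, url, set_cookies = site.visit(jar[site.host], path)
    jar[site.host].update(set_cookies)
    q = query_of(url)
    sid, consume_url = master.start(jar[MASTER_HOST].get("sessionid"), q["source"], q["state"], q["next"])
    jar[MASTER_HOST]["sessionid"] = sid
    return consume_url

def finish(jar, site, consume_url):
    """Browser follows the consume URL back to the source site."""
    kind, nxt, set_cookies = site.consume(jar[site.host], consume_url)
    jar[site.host].update(set_cookies)
    return kind, nxt

def run_flow():
    """One browser across both sites, a replay, and two fixation attempts."""
    store, out = {}, {}
    master = MasterSite(store)
    app1, app2 = (SourceSite(h, master) for h in SOURCE_HOSTS)
    jar = {h: {} for h in (MASTER_HOST,) + SOURCE_HOSTS}   # per-host cookie jars
    url = begin(jar, app1, master, "/inbox/")
    sid = jar[MASTER_HOST]["sessionid"]
    out["sid_in_url"] = sid in url                          # False: token is opaque
    out["first_hop"] = finish(jar, app1, url) + (jar[app1.host]["sessionid"] == sid,)
    out["token_deleted"] = query_of(url)["token"] not in master.tokens
    out["replay"] = finish(jar, app1, url)[0]               # "reject": token gone
    finish(jar, app2, begin(jar, app2, master, "/"))        # second site, same session
    out["one_session"] = len(store) == 1 and jar[app2.host]["sessionid"] == sid
    # Fixation on a fresh victim: plant an attacker's token, then a raw session id.
    victim, attacker = ({h: {} for h in jar} for _ in range(2))
    planted = begin(attacker, app1, master, "/")            # unconsumed attacker token
    begin(victim, app1, master, "/")                        # victim gets its own state
    out["fixate_token"] = finish(victim, app1, planted)[0]  # "reject": state mismatch
    forged = f"https://{app1.host}/sso/consume?" + urlencode(
        {"token": sid, "state": victim[app1.host]["sso_state"], "next": "/"})
    out["fixate_sid"] = finish(victim, app1, forged)[0]     # "reject": not a token
    return out
```

Two points a practitioner would check when porting this to Django: `redeem` must be reachable only server-to-server (or through a cache the sites share), never as a browser-visible URL, because whoever can call it turns tokens into session ids; and the `sso_state` cookie is the assumed addition that stops a token minted in one browser from being consumed in another, which single-use deletion alone does not prevent. The shared session store is what lets the source site set a cookie for a session it never created; with separate stores the consume step would have to copy the session over instead.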