 

Django: maintain sessions across multiple domains


I have two/multiple domains, say foo.com and bar.com, and both have the same backend, which means both domains redirect the incoming requests to the same "web instance" hosted somewhere else.


Current Behaviour

If a user logs in on foo.com, he/she also needs to log in on bar.com in order to access any endpoint/URL such as bar.com/some/url/end-point/.


The SESSION_COOKIE_DOMAIN setting may do something if I had domains with a common pattern. Unfortunately, I don't.

Question
How can I maintain user sessions across multiple domains?

JPG asked Jun 19 '19 03:06


1 Answer

When you look at it from a security perspective, this is a risk as such, where one domain, by some workaround, can read cookies from another domain. So for that obvious reason, this doesn't work normally.

Now in most cases, the only thing you would like to share is a token or session ID. So you can approach this problem in different ways:

Re-direction of the auth

Let's assume your token is generated using example.com/auth. This URL can return the token in cookies as well as in a JSON response. You can then also make this URL return a 301 to example.org/preauth?token=XXX. This URL would then set the cookies with the token.

So basically, in this case, you can handle the whole approach on the server side itself.

Using pixel tags

In this case, what you want to do is have a pixel tag URL. Once you have received the auth token by doing auth on example.com/auth, you add one image source tag to the page dynamically using JavaScript, pointing at your other domain:

<img src='http://example.org/cookiepixel?token=yyy' /> 

This would then return the cookie, which will be set on example.org instead of example.com.

In this approach, you are dependent on client side code to make sure the cross-domain auth happens.

Tarun Lalwani answered Sep 29 '22 02:09