I have two/multiple domains, say foo.com and bar.com, and both have the same backend, which means both domains redirect the incoming requests to the same "web instance" hosted somewhere else.

If a user logs in on foo.com, he/she also needs to log in on bar.com in order to access any end-point/URL such as bar.com/some/url/end-point/.

The SESSION_COOKIE_DOMAIN may do something if I have the domains with a common pattern. Unfortunately, I don't.
Question
How can I maintain user sessions across multiple domains?
When you look at it from a security perspective, this is a risk as such, where one domain by any workaround can read cookies from another domain. So, for the obvious reason, this doesn't work normally.

Now in most cases, the only thing you would like to share is a token or session ID. So you can approach this problem in different ways.
Let's assume your token is generated using example.com/auth. This URL can return the token in cookies as well as a JSON response. You can then also make this URL return a 301 to example.org/preauth?token=XXX. This URL would then set the cookies with the token.

So basically, in this case, you can handle the whole approach on the server side itself.
In this case, what you want to do is have a pixel tag URL. Once you have received the auth token by doing auth on example.com/auth, you will add one image source tag on the page dynamically using JavaScript pointing to your other domain:
<img src='http://example.org/cookiepixel?token=yyy' />
This would then return the cookie, which will be set on example.org instead of example.com.

In this approach, you are dependent on client-side code to make sure the cross-domain auth happens.
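The two hand-off flows described in the answer above (the redirect to a preauth URL and the cookie pixel) both hinge on the same server-side piece: the second domain must exchange the token from the URL for its own session cookie. The following is an added example, not code from the answer or from any framework; it assumes the two domains share one backend (as the question states), so a shared in-memory store stands in for whatever store that backend uses. The function names, the 60-second lifetime, the cookie name and the 302 status for the redirect are all choices made for this example. It treats the hand-off token as short-lived and single-use, since it travels in a URL and may land in logs, browser history or Referer headers.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed for the example: how long a hand-off token stays redeemable.
HANDOFF_TTL_SECONDS = 60

# Pending hand-off tokens, token -> (session_id, expiry_timestamp).
# Works because both domains are served by the same backend; with several
# instances this would live in a shared store such as the session database.
_pending = {}


def issue_handoff_token(session_id, now=None):
    """Called on the first domain after login: mint a random, short-lived token
    that refers to the existing session without exposing the session ID."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[token] = (session_id, now + HANDOFF_TTL_SECONDS)
    return token


def redeem_handoff_token(token, now=None):
    """Exchange a hand-off token for the session ID it refers to.
    The token is removed on first use, so a replayed URL yields nothing."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)  # single use
    if entry is None:
        return None
    session_id, expiry = entry
    if now > expiry:
        return None
    return session_id


def build_preauth_redirect(session_id, target="https://example.org/preauth", now=None):
    """Server-side flow: the response from the first domain's auth URL that
    sends the browser to the second domain's preauth URL carrying the token."""
    token = issue_handoff_token(session_id, now)
    return 302, target + "?" + urlencode({"token": token})


def _session_cookie(session_id, domain):
    # Cookie scoped to the second domain; Secure/HttpOnly/SameSite limit
    # exposure to scripts, plaintext transport and cross-site requests.
    return (f"sessionid={session_id}; Domain={domain}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def preauth_response(token, domain="example.org", now=None):
    """Second domain's preauth handler: set its own session cookie if the
    token is valid, then send the user on; otherwise refuse."""
    session_id = redeem_handoff_token(token, now)
    if session_id is None:
        return 403, {}
    return 302, {"Set-Cookie": _session_cookie(session_id, domain),
                 "Location": f"https://{domain}/"}


# Smallest valid GIF (1x1), used as the body of the pixel response.
_PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
              b"\x00\x00\x02\x02D\x01\x00;")


def cookiepixel_response(token, domain="example.org", now=None):
    """Client-side flow: the handler behind the <img> tag. Same token check,
    but the response is an image so the browser can load it from the page."""
    session_id = redeem_handoff_token(token, now)
    if session_id is None:
        return 403, {}, b""
    headers = {"Set-Cookie": _session_cookie(session_id, domain),
               "Content-Type": "image/gif",
               "Cache-Control": "no-store"}
    return 200, headers, _PIXEL_GIF


if __name__ == "__main__":
    status, url = build_preauth_redirect("session-for-alice")
    print(status, url)
    token = url.split("token=", 1)[1]
    print(preauth_response(token))
    print(preauth_response(token))  # second use is refused
```

Both handlers go through `redeem_handoff_token`, so the single-use and expiry rules apply equally to the redirect and the pixel variant; the cookie itself is scoped to the second domain, which is what the question's `SESSION_COOKIE_DOMAIN` setting cannot do for unrelated domains.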