Disadvantages of sharing Django sessions on multiple subdomains


Question



I have built a Django site using the Sites Framework and have four sites on different subdomains. Let's call them one.mydomain.com; two.mydomain.com ... etc.

Three of the sites are product sites and one is a store. I want to be able to share sessions across the sites so a user doesn't have to log in again when moving from any of the product sites to the store. I realize I could use cas to achieve the single login but I don't think that meets all my purposes.

I have read this post and this post on sharing sessions across subdomains and the consensus seems to be that it is a bad idea.

In my case I want a user to be able to add items to a cart on one subdomain and then proceed to the cart to checkout. I can't see a way of doing this without sharing sessions. A user should also be able to add to their cart from another product site and when checking out would see product from one.mydomain.com, product from two.mydomain.com etc.

So my question is why is sharing sessions a bad idea apart from potential conflicts? Assuming that I'm ensuring that the only conflicts that occur (and that should occur) are user login info.

My setup has the SECRET_KEY shared for all sites and SESSION_COOKIE_DOMAIN='.mydomain.com'. Is there a serious security flaw that I'm missing with this setup?

thanks ./w

Answer

It seems to me it's a security flaw in cases when you don't control all the subdomains of a specific domain. For instance, you have one.mydomain.com and two.mydomain.com, but the browser will give your cookie also to a website called bad.mydomain.com since your settings have SESSION_COOKIE_DOMAIN='.mydomain.com'.

Another potential hole would happen if you keep your development environment as one of the subdomains (e.g. dev.mydomain.com). You wouldn't be isolated if that's the case.

As far as I've researched the subject, it seems that the worst case scenario would give out your cookies to rogue subdomains, so potentially someone could hijack a real session using this cookie.

At this moment I am doing further research on how to isolate different subdomains (controlled by the same instance of Django) in a better way, but it seems there's no real way of doing this except rewriting the SessionMiddleware.
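The cookie scoping the answer describes, as an added example that is not part of the original post: it models the RFC 6265 domain-match rule a browser applies and reports which hosts receive the session cookie under the questioner's SESSION_COOKIE_DOMAIN='.mydomain.com' versus Django's host-only default (SESSION_COOKIE_DOMAIN=None). The hosts bad.mydomain.com and dev.mydomain.com come from the answer; store.mydomain.com and the rest of CANDIDATE_HOSTS are constructed.

```python
from typing import Dict, Iterable, Optional

# Constructed from the question: four controlled sites, plus the rogue and
# development subdomains the answer warns about, plus a look-alike domain.
# "store.mydomain.com" as the name of the fourth site is an assumption.
CANDIDATE_HOSTS = [
    "one.mydomain.com", "two.mydomain.com", "three.mydomain.com",
    "store.mydomain.com", "bad.mydomain.com", "dev.mydomain.com",
    "mydomain.com.evil.net",
]


def domain_matches(request_host: str, cookie_domain: Optional[str], set_host: str) -> bool:
    """RFC 6265 section 5.1.3: is a cookie set by `set_host` with the given
    Domain attribute sent to `request_host`?  `cookie_domain=None` models a
    host-only cookie (Django's default SESSION_COOKIE_DOMAIN = None)."""
    request_host = request_host.lower().rstrip(".")
    if cookie_domain is None:
        return request_host == set_host.lower().rstrip(".")
    # Browsers ignore a leading dot in the Domain attribute (RFC 6265 5.2.3).
    domain = cookie_domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def cookie_exposure(cookie_domain: Optional[str],
                    set_host: str = "one.mydomain.com",
                    hosts: Iterable[str] = CANDIDATE_HOSTS) -> Dict[str, bool]:
    """Map each host to whether the session cookie set on `set_host` reaches it."""
    return {h: domain_matches(h, cookie_domain, set_host) for h in hosts}


def leaked_to_uncontrolled(cookie_domain: Optional[str], controlled: Iterable[str]) -> list:
    """Hosts outside `controlled` that still receive the cookie: the rogue and
    dev subdomain problem the answer describes."""
    controlled = {h.lower() for h in controlled}
    return sorted(h for h, sent in cookie_exposure(cookie_domain).items()
                  if sent and h not in controlled)


if __name__ == "__main__":
    controlled = CANDIDATE_HOSTS[:4]
    for setting in (".mydomain.com", None):
        print(f"SESSION_COOKIE_DOMAIN = {setting!r}")
        for host, sent in cookie_exposure(setting).items():
            print(f"  {host:24s} {'receives cookie' if sent else 'not sent'}")
        print("  leaked to uncontrolled hosts:", leaked_to_uncontrolled(setting, controlled))
```

With the host-only setting nothing leaks, but the cookie set on one.mydomain.com no longer reaches store.mydomain.com either, which is the trade-off the question is about.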
