Django: maintain sessions across multiple domains


Problem description

I have two/multiple domains, say foo.com and bar.com, and both have the same backend, which means both domains redirect incoming requests to the same "web instance" hosted somewhere else.

If a user logs in on foo.com, he/she also needs to log in on bar.com in order to access any end-point/URL such as bar.com/some/url/end-point/.

SESSION_COOKIE_DOMAIN may do something if I had domains with a common pattern. Unfortunately, I don't.

Question
How can I maintain user sessions across multiple domains?

Recommended answer

When you look at it from a security perspective, this is a risk in itself: one domain would, by some workaround, be able to read cookies from another domain. So, for obvious reasons, this doesn't work normally.

Now, in most cases, the only thing you would like to share is a token or session id. So you can approach this problem in different ways.

Let's assume your token is generated using example.com/auth. This URL can return the token in cookies as well as in the JSON response. You can then also make this URL return a 301 to example.org/preauth?token=XXX. That URL would then set the cookies with the token.

So basically, in this case, you can handle the whole approach on the server side itself.

In this case, what you want to do is have a pixel tag URL. Once you have received the auth token by doing auth on example.com/auth, you add one image source tag to the page dynamically using JavaScript, pointing at your other domain:

<img src='http://example.org/cookiepixel?token=yyy' />

This would then return the cookie, which will be set on example.org instead of example.com.

In this approach, you are dependent on client-side code to make sure the cross-domain auth happens.
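Both variants in the answer above (the server-side redirect to example.org/preauth and the client-side cookie pixel) hand a token to the second domain through a URL, so the token is exposed in browser history, Referer headers and access logs. The model below is an added example, not code from the answer or from Django, showing the properties that handoff token needs: it is an opaque random handle rather than the session id itself, it is bound to the domain it was issued for, it expires after a short TTL, and it is consumed on first use. The names HandoffStore, HANDOFF_TTL, the /preauth and /cookiepixel paths, the sessionid cookie name and the example.com/example.org hosts are assumptions for the illustration; the store stands in for the cache or database that the shared backend behind both domains already has.

```python
"""
Cross-domain session handoff with a short-lived, single-use token.

Added model of the flow in the answer: example.com/auth logs the user in,
sets its own session cookie, and either redirects to example.org/preauth
or lets the page load example.org/cookiepixel; example.org redeems the
token and sets its own host-only session cookie.  Standard library only.
Endpoint names, cookie name and HandoffStore are assumptions of this model.
"""
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

HANDOFF_TTL = 60  # seconds; the token only has to survive one redirect or one <img> fetch


class HandoffStore:
    """Maps random, single-use handoff tokens to (session_id, target_host, expiry).

    The session id itself never appears in a URL; only this opaque handle
    does, so a token that leaks through a Referer header, browser history
    or an access log is worthless once redeemed or after HANDOFF_TTL seconds.
    Stands in for the cache/DB shared by both domains (same backend).
    """

    def __init__(self):
        self._entries = {}

    def issue(self, session_id, target_host, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._entries[token] = (session_id, target_host, now + HANDOFF_TTL)
        return token

    def redeem(self, token, presented_host, now=None):
        """Return the session id for a valid token and consume it; None otherwise."""
        now = time.time() if now is None else now
        entry = self._entries.pop(token, None)  # pop first: a failed attempt also burns the token
        if entry is None:
            return None
        session_id, target_host, expires = entry
        if now > expires or presented_host != target_host:  # expired, or aimed at another domain
            return None
        return session_id


def session_cookie(session_id):
    """Set-Cookie value for a host's own session: host-only, so no SESSION_COOKIE_DOMAIN is needed."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["secure"] = True     # never send the session over plain http
    morsel["httponly"] = True   # keep it out of reach of page scripts
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def preauth_redirect(store, session_id, target_host):
    """Response of example.com/auth after a successful login (server-side variant)."""
    token = store.issue(session_id, target_host)
    location = f"https://{target_host}/preauth?{urlencode({'token': token})}"
    # 302, not 301: browsers cache a 301, and a cached redirect would replay an already-consumed token.
    return 302, {"Location": location, "Set-Cookie": session_cookie(session_id)}


def cookie_pixel_tag(store, session_id, target_host):
    """Client-side variant: the <img> a page on example.com injects to call example.org."""
    token = store.issue(session_id, target_host)
    return f'<img src="https://{target_host}/cookiepixel?{urlencode({"token": token})}" alt="">'


def handle_preauth(store, request_url, now=None):
    """example.org/preauth and /cookiepixel: redeem the token, set example.org's own cookie."""
    parts = urlsplit(request_url)
    token = parse_qs(parts.query).get("token", [""])[0]
    session_id = store.redeem(token, parts.hostname, now)
    if session_id is None:
        return 403, {}
    return 200, {"Set-Cookie": session_cookie(session_id)}


if __name__ == "__main__":
    store = HandoffStore()
    _, headers = preauth_redirect(store, "sess-123", "example.org")
    print("example.com ->", headers["Location"])
    print("example.org ->", handle_preauth(store, headers["Location"]))
    print("replay       ->", handle_preauth(store, headers["Location"]))
```

Two practical caveats on the client-side variant that the model does not change: the answer's pixel URL uses plain http://, which puts the token on the wire in cleartext, so the pixel should be loaded over https like the redirect; and because the pixel response sets a cookie in a third-party context, current browsers only accept it with SameSite=None; Secure, and reject it outright where third-party cookies are blocked, which is why the redirect variant is the more reliable of the two.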

