Django: maintain sessions across multiple domains
Problem description
I have two/multiple domains, say foo.com and bar.com, and both have the same backend, which means both domains redirect the incoming requests to the same "web instance" hosted somewhere else.
If a user logs in on foo.com, he/she also needs to log in on bar.com in order to access any end-point/URL such as bar.com/some/url/end-point/.
The SESSION_COOKIE_DOMAIN setting may do something if I have domains with a common pattern. Unfortunately, I don't.
Question
How can I maintain user sessions across multiple domains?
Recommended answer
When you look at it from a security perspective, this is a risk as such, where one domain could, by some workaround, read cookies from another domain. So, for that obvious reason, this doesn't work normally.
Now, in most cases, the only thing you would like to share is a token or session ID. So you can approach this problem in different ways.
Let's assume your token is generated using example.com/auth. This URL can return the token in a cookie as well as in the JSON response. You can then also make this URL return a 301 to example.org/preauth?token=XXX. That URL would then set the cookie with the token.
So basically, in this case, you can handle the whole approach on the server side itself.
In the other case, what you want to do is have a pixel-tag URL. Once you have received the auth token by doing auth on example.com/auth, you add one image-source tag to the page dynamically using JavaScript, pointing at your other domain:
<img src='http://example.org/cookiepixel?token=yyy' />
This would then return the cookie, which will be set on example.org instead of example.com.
In this approach, you are dependent on client-side code to make sure the cross-domain auth happens.
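The redirect hand-off described in the answer, as an added example that is not part of the original answer or of Django itself: example.com/auth issues a token and example.org/preauth redeems it, written in plain Python so it runs without Django (the Django view wiring is noted in comments). HANDOFF_KEY, TRUSTED_DOMAINS, the numeric user ids and the cookie attributes returned by preauth_view are all assumptions made for the example; the same redeem_handoff_token function would sit behind the cookiepixel endpoint of the image-tag approach.

```python
"""Cross-domain session hand-off with short-lived, single-use, audience-bound tokens.

Added example, not code from the original answer. HANDOFF_KEY, TRUSTED_DOMAINS
and the user ids are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Assumption: both domains hit the same backend, so issuer and redeemer share one
# secret (in Django, derive it from SECRET_KEY instead of generating it at import).
HANDOFF_KEY = secrets.token_bytes(32)
# Assumption: the only domains allowed to receive a hand-off (open-redirect guard).
TRUSTED_DOMAINS = {"example.com", "example.org"}
HANDOFF_TTL_SECONDS = 60
# Ids of redeemed tokens so a leaked URL cannot be replayed; in production this is
# a cache/DB row that expires with the token, not a process-local set.
_redeemed_ids = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_token(user_id: int, target_domain: str, now: Optional[float] = None) -> str:
    """Mint a signed token letting target_domain start a session for user_id.
    The session id itself never goes in the URL; the token is exchanged for a new one."""
    if target_domain not in TRUSTED_DOMAINS:
        raise ValueError("untrusted hand-off target: %r" % target_domain)
    now = time.time() if now is None else now
    claims = {
        "jti": secrets.token_urlsafe(16),   # unique id for replay detection
        "sub": user_id,
        "aud": target_domain,               # only valid when presented to this domain
        "exp": now + HANDOFF_TTL_SECONDS,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def redeem_handoff_token(token: str, serving_domain: str, now: Optional[float] = None) -> int:
    """Validate a token presented to serving_domain and return the user id.
    Raises ValueError on every failure; the view should answer all of them alike."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed token") from None
    expected = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["aud"] != serving_domain:
        raise ValueError("token issued for another domain")
    if now > claims["exp"]:
        raise ValueError("token expired")
    if claims["jti"] in _redeemed_ids:
        raise ValueError("token already used")
    _redeemed_ids.add(claims["jti"])
    return claims["sub"]


def preauth_redirect_url(user_id: int, target_domain: str, next_path: str = "/") -> str:
    """Location the auth view on example.com redirects to after login.
    In Django return HttpResponseRedirect(url): a 302, not the 301 the answer mentions,
    because browsers cache 301s and a cached redirect would replay a stale token URL."""
    if not next_path.startswith("/") or next_path.startswith("//"):
        raise ValueError("next must be a relative path")   # keep the hop on target_domain
    token = issue_handoff_token(user_id, target_domain)
    return "https://%s/preauth?%s" % (target_domain, urlencode({"token": token, "next": next_path}))


def preauth_view(serving_domain: str, token: str) -> dict:
    """What example.org's /preauth endpoint does with the token. In Django the view
    calls django.contrib.auth.login(request, user) and the session middleware sets the
    cookie per SESSION_COOKIE_SECURE/HTTPONLY/SAMESITE; modelled as a dict here."""
    user_id = redeem_handoff_token(token, serving_domain)
    # A brand-new session id is minted on the target domain; the token is not kept.
    return {
        "user_id": user_id,
        "sessionid": secrets.token_urlsafe(32),
        "Domain": serving_domain,
        "Secure": True,
        "HttpOnly": True,
        "SameSite": "Lax",
    }
```

Three things the answer's sketch leaves implicit and this example enforces: the value in the URL is not the session id, it is bound to one target domain and one use, and it expires after a minute, so a token that leaks through a referrer header, proxy log or browser history is worthless shortly afterwards. For the image-tag approach, a cookie set by a cross-site image response is a third-party cookie; browsers that block or partition those by default (Safari, Firefox) will not carry it over to a later top-level visit to example.org, so the server-side redirect is the variant to rely on.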