9

I am facing a big problem with my sessions in a Django project.

The back-end is hosted at .my-domain.org and the front-end consumes the REST API of the back-end at .front-end.com. In the future, other front-ends on completely different domains might appear.

How do I deal with such a situation when I use the session framework provided by Django? It seems like SESSION_COOKIE_DOMAIN only allows session cookies to be set on one subdomain. The result is that if I want to be able to login at .my-domain.org (i.e., SESSION_COOKIE_DOMAIN = None) then I am not able to receive the session cookie back from .front-end.com when it calls API endpoints. On the other hand, setting SESSION_COOKIE_DOMAIN to .front-end.com would prevent me to connect to the site admin. The situation is also impacted by SESSION_COOKIE_PATH of course...

Any help is more than welcome. I am quite sure I'm not the first one who needs a REST API with session authentication to be accessible from external domains.

Buddyshot
  • 1,614
  • 1
  • 17
  • 44
  • 1
    I don't have a short answer for this but the problem you're trying to solve is probably in the realm of 'single sign-on' (or 'SSO')... these might help http://stackoverflow.com/q/4662348/202168 https://code.google.com/p/django-sso/ – Anentropic Nov 30 '14 at 19:45
  • 1
    Do you _have_ to use the session framework? You're going to run into challenges with CORS/JSONP, do you really want to introduce the challenge of CSRF as well? I would recommend looking into OAuth 2 or `TokenAuthentication` if possible. – Kevin Brown-Silva Nov 30 '14 at 21:32

1 Answers1

3

Django uses cookies for session-based authentication, and those cannot typically be set across multiple domains. While you can work around this slightly with CORS and withCredentials, this may be blocked by default in some browsers.

You are generally better off working with another authentication method when working across domains. Even if you are able to get CORS to work with cookies, you will also have to battle CSRF across domains, which Django REST Framework points out in their documentation. I would recommend OAuth 2 because of the wide client support and the support within Django REST Framework for it, but others have used TokenAuthentication without issues.

When using OAuth, you will need to set up your front end as a client and use the web authentication flow for authentication, as otherwise you are leaving private keys out in the open, which doesn't end well. This will work in a similar way to "single sign-on", but without requiring your front end to sign requests and hold private keys. You also won't need to bother with CSRF, as Django REST Framework only requires it for SessionAuthentication.

Community
  • 1
  • 1
Kevin Brown-Silva
  • 40,873
  • 40
  • 203
  • 237
  • I'm indeed considering a move to OAuth2 as it seems to be the smartest choice from what I've read so far. – Buddyshot Dec 19 '14 at 18:57