
I've recently added some new subdomains (e.g. x.example.com) to my Django site (all under the same app), and I'd like users to stay logged in across these subdomains.

According to the Django docs, I can simply set the SESSION_COOKIE_DOMAIN setting to be ".example.com" to do this, but the docs mention this warning:

Be cautious when updating this setting on a production site. If you update this setting to enable cross-domain cookies on a site that previously used standard domain cookies, existing user cookies will be set to the old domain. This may result in them being unable to log in as long as these cookies persist.

Given that I'm currently using standard domain cookies, this certainly applies to me! However, the docs offer no solution.

How can I switch the SESSION_COOKIE_DOMAIN to be cross-domain without messing up my existing users' sessions (and ideally, without forcing them to log out)?

Tristan
Take a look here https://stackoverflow.com/questions/2116860/django-session-cookie-domain-with-multiple-domains – T.Tokic Apr 14 '18 at 23:51

@T.Tokic The answers there just seem to suggest using `SESSION_COOKIE_DOMAIN = ".example.com"`, I believe. I know that I need to do that; my question is specifically about how to switch to that setting without my existing users "being unable to log in", as the Django docs mention will happen. – Tristan Apr 15 '18 at 19:53

1 Answer


To gracefully change the SESSION_COOKIE_DOMAIN, without existing users getting affected, you can change the SESSION_COOKIE_NAME to a new name. By default, it is set to sessionid. If you set this to some other name like newsessionid, all the existing users will have to re-login, since the new cookie will not be present in their requests.

Read more about this in the Django docs SESSION_COOKIE_NAME.

GunnerFan
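The answer's cookie rename removes the ambiguity the Django docs warn about (two cookies called `sessionid`, one host-only and one on `.example.com`, both sent by the browser in unspecified order), but on its own it logs everyone out. The middleware below is an added example, not the answer's code and not part of Django: it builds on the rename by carrying the old session key over into the new cookie, so the question's goal of not forcing a re-login is met. Everything named here is an assumption made for the example: `OLD_NAME`/`NEW_NAME`/`COOKIE_DOMAIN` stand for the settings before and after the switch, `SessionCookieMigrationMiddleware` is a hypothetical class, and `StubRequest`/`StubResponse` are stand-ins for Django's request and response so the code runs without Django installed.

```python
"""Migrate a host-only Django session cookie to a new name on the parent domain.

Added example (not the answer's code, not Django's).  Assumed settings:
"""

OLD_NAME = "sessionid"            # Django's default SESSION_COOKIE_NAME
NEW_NAME = "newsessionid"         # SESSION_COOKIE_NAME after the switch
COOKIE_DOMAIN = ".example.com"    # SESSION_COOKIE_DOMAIN after the switch
COOKIE_SECURE = True              # mirror SESSION_COOKIE_SECURE
COOKIE_HTTPONLY = True            # mirror SESSION_COOKIE_HTTPONLY
COOKIE_SAMESITE = "Lax"           # mirror SESSION_COOKIE_SAMESITE


class SessionCookieMigrationMiddleware:
    """List this ABOVE SessionMiddleware in MIDDLEWARE, so it sees the request
    first and the response last.  Hypothetical class, written for this example.

    Request side: if the browser still sends only the old cookie, expose its
    value under the new name so SessionMiddleware loads the existing session
    instead of starting an empty one.
    Response side: issue the new cookie on the parent domain and expire the
    old host-only one, unless SessionMiddleware already decided what the new
    cookie should be (key cycled on login, or cleared on logout).
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        migrate = OLD_NAME in request.COOKIES and NEW_NAME not in request.COOKIES
        if migrate:
            request.COOKIES[NEW_NAME] = request.COOKIES[OLD_NAME]

        response = self.get_response(request)

        if migrate:
            if NEW_NAME not in response.cookies:
                # Prefer the key Django holds now; login may have cycled it.
                session = getattr(request, "session", None)
                key = getattr(session, "session_key", None) or request.COOKIES[OLD_NAME]
                response.set_cookie(
                    NEW_NAME, key, domain=COOKIE_DOMAIN, secure=COOKIE_SECURE,
                    httponly=COOKIE_HTTPONLY, samesite=COOKIE_SAMESITE,
                )
            # domain=None matches the old host-only cookie and expires it.
            response.delete_cookie(OLD_NAME)
        return response


# Stand-ins for Django's request/response (constructed for this example so it
# runs offline); they imitate only the attributes the middleware touches.
class StubRequest:
    def __init__(self, cookies):
        self.COOKIES = dict(cookies)
        self.session = None           # no SessionMiddleware in this harness


class StubResponse:
    def __init__(self):
        self.cookies = {}             # name -> Set-Cookie attributes

    def set_cookie(self, key, value, domain=None, secure=False,
                   httponly=False, samesite=None, max_age=None):
        self.cookies[key] = {"value": value, "domain": domain, "secure": secure,
                             "httponly": httponly, "samesite": samesite,
                             "max_age": max_age}

    def delete_cookie(self, key, path="/", domain=None, samesite=None):
        self.cookies[key] = {"value": "", "domain": domain, "max_age": 0}


def run(cookies, inner_sets_new_cookie=None):
    """Push one request with `cookies` through the middleware.  Returns
    (cookies seen by the inner layers, Set-Cookie decisions on the response).
    `inner_sets_new_cookie` simulates SessionMiddleware setting the new cookie
    itself, e.g. after cycling the key on login."""
    seen = {}

    def inner(request):
        seen.update(request.COOKIES)
        response = StubResponse()
        if inner_sets_new_cookie is not None:
            response.set_cookie(NEW_NAME, inner_sets_new_cookie, domain=COOKIE_DOMAIN)
        return response

    response = SessionCookieMigrationMiddleware(inner)(StubRequest(cookies))
    return seen, response.cookies
```

Widening the cookie to `.example.com` means every subdomain can read and present the session, so a script-injection or takeover on any one subdomain now exposes every user's session; keep `Secure`, `HttpOnly` and `SameSite` on the new cookie, and drop the middleware once the old cookie name has aged out of browsers.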