I built a Django site using the sites framework with four sites on different subdomains. Let's call them one.mydomain.com, two.mydomain.com, etc.
Three of the sites are product sites, and one is a store. I want to be able to exchange sessions between sites so that the user cannot log in again when switching from any of the product sites to the store. I understand that I can use CAS to achieve single sign-on, but I do not think that this meets all my goals.
I read this post and this post about sharing sessions through subdomains, and there seems to be consensus that this is a bad idea.
In my case, I want the user to be able to add items to the basket on one subdomain, and then go to the basket for verification. I see no way to do this without sharing sessions. The user should also be able to add to his cart from another product site, and during verification, a product from one.mydomain.com, a product from two.mydomain.com, etc. will be displayed.
So my question is, why is sharing sessions a bad idea besides potential conflicts, assuming that I guarantee that the only conflicts that occur (and this should happen) are login information?
My settings have SECRET_KEY common to all sites, and SESSION_COOKIE_DOMAIN = '.mydomain.com'. Is there a serious security bug that I am missing in this setup?
thanks. / w
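An added example (not part of the question or of Django) showing the practical consequence of the SESSION_COOKIE_DOMAIN setting above: which hosts a browser will send the session cookie to, using RFC 6265 domain matching. The four sites are the ones named in the question; the other hosts are constructed.

```python
# Added example: model which hosts receive a Django session cookie under
# SESSION_COOKIE_DOMAIN = '.mydomain.com' versus the default (None).
# Domain matching follows RFC 6265 section 5.1.3, as browsers implement it.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True when `request_host` domain-matches `cookie_domain`: the host is
    equal to the domain, or ends with '.' + domain. A leading dot in the
    Domain attribute is ignored by modern browsers."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def hosts_receiving_cookie(cookie_domain, set_by_host, hosts):
    """Hosts that will be sent a cookie originally set by `set_by_host`.
    With cookie_domain None (Django's default SESSION_COOKIE_DOMAIN) the
    cookie is host-only and goes back only to the host that set it."""
    if cookie_domain is None:
        return [h for h in hosts if h.lower() == set_by_host.lower()]
    return [h for h in hosts if domain_matches(h, cookie_domain)]

# Constructed sample: the sites from the question plus two extra hosts.
SAMPLE_HOSTS = [
    "one.mydomain.com",
    "two.mydomain.com",
    "three.mydomain.com",
    "store.mydomain.com",
    "blog.mydomain.com",       # hypothetical subdomain never meant to see the store session
    "mydomain.com.evil.test",  # unrelated host; must not match
]

if __name__ == "__main__":
    print("shared:", hosts_receiving_cookie(".mydomain.com", "store.mydomain.com", SAMPLE_HOSTS))
    print("default:", hosts_receiving_cookie(None, "store.mydomain.com", SAMPLE_HOSTS))
```

Every present or future subdomain under .mydomain.com, whoever hosts it, receives the store's session cookie, so a cookie-stealing bug on any one of them is a bug on all of them.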