views:

955

answers:

2

We have a couple of Django applications deployed on the same subdomain. A few power users need to jump between these applications. I noticed that each time they bounce between applications their session cookie receives a new session ID from Django.

I don't use the Django session table much except in one complex workflow. If the user bounces between applications while in this workflow they lose their session and have to start over.

I dug through the Django session code and discovered that django.conf.settings.SECRET_KEY is used to perform an integrity check on the sessions on each request. If the integrity check fails, a new session is created. Realizing this, I changed the secret key in each of these applications to use the same value, thinking this would allow the integrity check to pass and allow them to share Django sessions. However, it didn't seem to work.

Is there a way to do this? Am I missing something else?

Thanks in advance

+5  A: 

I would instead advise you to set SESSION_COOKIE_NAME to different values for the two apps. Your users will still have to log in twice initially, but their sessions won't conflict - if they log in to app A, then app B, and return to A, they'll still have their A session.

Sharing sessions between Django instances is probably not a good idea. If you want some kind of single-sign-on, look into something like django-cas. You'll still have 2 sessions (as you should), but the user will only log in once.

AdamKG
+1: move credentials around between Django sessions.
S.Lott
That's a good suggestion--I'll give it a try. For the SSO, these are internal apps that are integrated with a legacy PHP app that takes care of authentication in the PHP session, so that shouldn't be an issue. I really just need the Django apps not to stomp on each other's session at this point. Thx
Joe Holloway
This did the trick. Now I feel a little silly that I didn't consider it myself :)
Joe Holloway
+3  A: 

I agree that sharing sessions between Django instances is probably not a good idea. If you really wanted to, you could:

  • make sure the two django applications share the same SECRET_KEY
  • make sure the two django applications share the same SESSION_COOKIE_NAME
  • make sure the SESSION_COOKIE_DOMAIN is set to something that lets the two instances share cookies. (If they really share the same subdomain, your current setting is probably fine.)
  • make sure both Django instances use the same session backend (the same database, the same file directory, the same memcached config, etc.)
  • make sure that anything put into the session makes sense in both Django databases: at the very least, that'll include the user id, since Django auth uses that to remember which user is logged in.

All that said, I haven't actually tried all this, so you may still have trouble!

zellyn
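To make concrete both the integrity check the question describes and the "same backend" requirement in the answer above, here is an added, simplified model (example code, not Django's own session implementation) of how session data is signed with SECRET_KEY and verified on load. The names encode_session, decode_session, SessionBackend and simulate are assumptions of this example; the cookie and session values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Simplified model (added here, not Django's own code) of a session store that
# signs serialized session data with SECRET_KEY and discards data whose MAC
# does not verify, so a key mismatch yields a fresh, empty session.


def encode_session(data: dict, secret_key: str) -> str:
    """Serialize session data and prepend an HMAC keyed with secret_key."""
    payload = json.dumps(data, sort_keys=True).encode()
    mac = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    return base64.b64encode(mac.encode() + b":" + payload).decode()


def decode_session(encoded: str, secret_key: str) -> dict:
    """Return the session data if the MAC verifies, else an empty session
    (mirrors Django starting a new session when the integrity check fails)."""
    mac, _, payload = base64.b64decode(encoded).partition(b":")
    expected = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.decode(), expected):
        return {}
    return json.loads(payload)


class SessionBackend:
    """Constructed stand-in for a session backend (DB table, file dir, cache)."""

    def __init__(self):
        self._rows = {}

    def save(self, session_key: str, data: dict, secret_key: str) -> None:
        self._rows[session_key] = encode_session(data, secret_key)

    def load(self, session_key: str, secret_key: str) -> dict:
        encoded = self._rows.get(session_key)
        if encoded is None:
            return {}  # unknown session id: a new session would be created
        return decode_session(encoded, secret_key)


def simulate(app_a_key: str, app_b_key: str, shared_backend: bool) -> dict:
    """App A stores a session; App B reads back the same cookie session id.
    Only a shared SECRET_KEY *and* a shared backend return the stored data."""
    backend_a = SessionBackend()
    backend_b = backend_a if shared_backend else SessionBackend()
    backend_a.save("cookie-session-id", {"_auth_user_id": 42, "step": 3}, app_a_key)
    return backend_b.load("cookie-session-id", app_b_key)
```

With matching keys but separate backends, App B finds no row for the session id and starts a new session, which is the failure the question reports even after aligning SECRET_KEY.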