1👍
It seems to me it’s a security flaw in cases when you don’t control all the subdomains of a specific domain. For instance, you have one.mydomain.com and two.mydomain.com, but the browser will also give your cookie to a website called bad.mydomain.com, since your settings have SESSION_COOKIE_DOMAIN='.mydomain.com'.
Another potential hole would happen if you keep your development environment as one of the subdomains (e.g. dev.mydomain.com). You wouldn’t be isolated if that’s the case.
As far as I’ve researched the subject, it seems that the worst-case scenario would give out your cookies to rogue subdomains, so potentially someone could hijack a real session using this cookie.
At this moment I am doing further research on how to isolate different subdomains (controlled by the same instance of Django) in a better way, but it seems there’s no real way of doing this except rewriting the SessionMiddleware.
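As an added illustration (not part of either answer), the following Python script uses the standard library's http.cookiejar as a stand-in browser to show which subdomains receive the session cookie under SESSION_COOKIE_DOMAIN='.mydomain.com' compared with the host-only default (SESSION_COOKIE_DOMAIN=None); the hostnames and the session key value are constructed.

```python
"""Added example: which subdomains does a browser hand the Django session
cookie to? CookieJar plays the browser; hostnames are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

SESSION_COOKIE_NAME = "sessionid"  # Django's default SESSION_COOKIE_NAME


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_header):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def django_set_cookie(session_cookie_domain):
    """Set-Cookie line as Django's SessionMiddleware emits it for the session
    cookie. A None domain means a host-only cookie (no Domain attribute)."""
    header = f"{SESSION_COOKIE_NAME}=CONSTRUCTED_SESSION_KEY; Path=/; HttpOnly; Secure"
    if session_cookie_domain:
        header += f"; Domain={session_cookie_domain}"
    return header


def hosts_receiving_cookie(session_cookie_domain, set_by_host, request_hosts):
    """Log in on set_by_host, then return the request_hosts that get the cookie."""
    jar = CookieJar()
    login = Request(f"https://{set_by_host}/login/")
    jar.extract_cookies(FakeResponse(django_set_cookie(session_cookie_domain)), login)
    receiving = []
    for host in request_hosts:
        req = Request(f"https://{host}/")
        jar.add_cookie_header(req)  # browser attaches every cookie whose Domain matches
        if req.has_header("Cookie") and SESSION_COOKIE_NAME in req.get_header("Cookie"):
            receiving.append(host)
    return receiving


# Constructed hosts: two legitimate sites, a rogue subdomain, a dev environment.
HOSTS = ["one.mydomain.com", "two.mydomain.com", "bad.mydomain.com", "dev.mydomain.com"]

if __name__ == "__main__":
    print("Domain=.mydomain.com :", hosts_receiving_cookie(".mydomain.com", "one.mydomain.com", HOSTS))
    print("host-only (None)     :", hosts_receiving_cookie(None, "one.mydomain.com", HOSTS))
```

With the parent-domain setting every host in the list, including bad.mydomain.com and dev.mydomain.com, receives the session cookie; with the host-only default only one.mydomain.com does.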
0👍
From many of the things I have read it is considered a bad idea; it seems like you may create some very hard-to-track-down bugs if you try to share sessions between sites. As far as I know it is typically better to make things as stateless as possible.