Truly Separate Subdomain Sessions

Hello everyone!

I’m working with multiple subdomains in my Django application and have encountered a security concern regarding session cookies.

Currently, I understand that Django’s SESSION_COOKIE_DOMAIN setting offers two main options:

  • Set it to None (default): Cookies are issued for the specific hostname that received the request
  • Set it to a domain (e.g., .example.com): Cookies are shared across all subdomains

While the first option prevents browsers from automatically sharing cookies between subdomains (e.g., sub1.example.com and sub2.example.com), a user can still manually copy their session cookie from one subdomain and paste it into another to gain authenticated access to either subdomain.

Is there a built-in Django way or a simple configuration option (without requiring custom middleware) to make session cookies truly unique to each subdomain? Ideally, a session cookie created on sub1.example.com would be invalid if used on sub2.example.com, even if manually transferred.

Any suggestions or insights would be greatly appreciated!

Thank you!

Hello there, is this a security question?
It looks like you’re afraid of a user gaining unauthorized access through another authenticated domain. This is typically the case you want to avoid in a multi-tenant architecture.
If that’s the case, then I would write a custom middleware to do that kind of verification. Like having a tenant attribute on the user, and validating the domain being accessed.
If not, then what do you want to achieve?

Hi! Thanks for your reply.
Yeah, I found out that the session dictionary contains a host key, which was bound to the host where the session was created, so I had to settle for writing a middleware that checked this key and blocked cross-subdomain requests. However, my request was regarding whether Django had a config that addressed this out of the box.

Re-reading the documentation I have found a way of achieving such functionality.
In your user model, you can define the get_session_auth_hash method, which is documented under session invalidation on password change.
You can use some attribute of your User model to store the latest domain logged in, and on your login view, store the latest domain logged in. This would mean that the previous session is only valid for that domain.
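The two approaches raised in this thread (the host key checked by middleware, and a get_session_auth_hash that mixes in the last login domain) behave differently, and the difference is easy to see with a stand-alone model. The example below is added here and is not code from the thread or from Django; it re-implements the shape of django.utils.crypto.salted_hmac, AbstractBaseUser.get_session_auth_hash and the hash comparison in django.contrib.auth.get_user with the standard library so it runs without Django. The SECRET_KEY value, the last_login_domain field, the _session_host key and the helper names are assumptions made for illustration. Django compares the session's stored auth hash against the user record, not against the request host, so the auth-hash approach alone still accepts a cookie copied to another subdomain; what it does do is invalidate the older session as soon as the user logs in on a different subdomain. Rejecting the copied cookie requires a host recorded in the session and checked on every request, which is what the middleware approach does.

```python
"""Stand-alone model of two ways to pin a Django session to a subdomain.

Added example, not code from the original thread or from Django. The
Django pieces are re-implemented with the standard library; the values
and field names are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

SECRET_KEY = "constructed-secret-key-for-the-example"  # stands in for settings.SECRET_KEY
HASH_SESSION_KEY = "_auth_user_hash"  # the key name Django uses for the auth hash
HOST_SESSION_KEY = "_session_host"    # hypothetical key for the middleware approach


def salted_hmac(key_salt: str, value: str) -> str:
    """Same construction as django.utils.crypto.salted_hmac (sha256 variant)."""
    key = hashlib.sha256((key_salt + SECRET_KEY).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


@dataclass
class User:
    username: str
    password: str                 # the stored password hash in Django
    last_login_domain: str = ""   # hypothetical extra field, as the reply suggests

    def get_session_auth_hash(self) -> str:
        # Django's default hashes only self.password. Mixing in the last
        # login domain means a login elsewhere changes the hash, so an older
        # session fails the comparison in get_user() and is flushed.
        key_salt = "example.User.get_session_auth_hash"
        return salted_hmac(key_salt, self.password + "\x00" + self.last_login_domain)


def login(session: dict, user: User, host: str) -> None:
    """What a login view would do on top of django.contrib.auth.login()."""
    user.last_login_domain = host                      # auth-hash approach
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()
    session[HOST_SESSION_KEY] = host                   # middleware approach


def get_user(session: dict, user: User):
    """Mirrors the auth-hash check in django.contrib.auth.get_user: no host involved."""
    stored = session.get(HASH_SESSION_KEY, "")
    if not hmac.compare_digest(stored, user.get_session_auth_hash()):
        session.clear()  # Django flushes the session on a mismatch
        return None
    return user


def host_check_middleware(session: dict, request_host: str) -> bool:
    """The OP's middleware idea: reject a session presented from a host it was not created on."""
    bound = session.get(HOST_SESSION_KEY)
    if bound is not None and bound != request_host:
        session.clear()
        return False
    return True


def request(session: dict, user: User, host: str):
    """One request running both checks; returns the authenticated user or None."""
    if not host_check_middleware(session, host):
        return None
    return get_user(session, user)


def scenario() -> dict:
    """Constructed walkthrough: login on sub1, copy the cookie to sub2, then log in on sub2."""
    alice = User("alice", "pbkdf2_sha256$constructed$hash")
    sub1_session: dict = {}
    login(sub1_session, alice, "sub1.example.com")
    results = {}
    # Normal use on the subdomain that issued the session.
    results["same_host"] = request(dict(sub1_session), alice, "sub1.example.com") is not None
    # The cookie copied to sub2: the auth hash alone still validates it...
    results["copied_hash_only"] = get_user(dict(sub1_session), alice) is not None
    # ...but the host recorded in the session lets the middleware reject it.
    results["copied_with_host_check"] = request(dict(sub1_session), alice, "sub2.example.com") is not None
    # A real login on sub2 changes last_login_domain, so the sub1 session's hash no longer matches.
    sub2_session: dict = {}
    login(sub2_session, alice, "sub2.example.com")
    results["sub1_after_sub2_login"] = get_user(dict(sub1_session), alice) is not None
    results["sub2_after_sub2_login"] = request(dict(sub2_session), alice, "sub2.example.com") is not None
    return results


if __name__ == "__main__":
    for name, authenticated in scenario().items():
        print(f"{name}: {'authenticated' if authenticated else 'rejected'}")
```

Only the host check rejects the copied cookie; the auth-hash override enforces "one subdomain at a time" for a given user, which is a different property. In a real Django project the middleware would read request.get_host() and flush request.session, and last_login_domain would be a model field saved in the login view.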