Django sessions being removed when redirecting from another domain

When a user visits my domain, a sessionid is issued by Django. When he tries to do OAuth with Facebook, he clicks a button on my site that redirects to Facebook.com. Facebook redirects back to my domain, but at that moment the user session is lost, and Django seems to be issuing a new session.

I want the pending session to be saved because I have to link the visitor to my site with my Facebook account, but when the session is deleted, the user registered in the system will be logged out.

I have a suspicion that this might be a behavior related to Django's XSS security. How can I keep the user's information saved when a user leaves our site to log in to Facebook?

+7
django oauth
2 answers

You might want to confirm that the cookies have the same domain at creation. This can sometimes cause problems. If you go to www.example.com and the OAuth callback goes to example.com, then you may have two separate cookies, one for www.example.com and one for example.com.

Turn on "Always Ask" in your browser and pay attention to the details of the cookie. Verify that the value of the Host: field is the same both times.

The fix is to set SESSION_COOKIE_DOMAIN to something like .example.com in your settings.py file.

+9

I also just found that if you have two Django applications running on the same domain, you can set SESSION_COOKIE_NAME differently for each to avoid cookie collisions.

+2
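Both answers above come down to browser cookie-scoping rules: a host-only cookie set by www.example.com is never sent to example.com, and two cookies with the same name and path on one host overwrite each other. The script below is an added example (not code from either answer, and not Django's own code) that reproduces both effects offline with Python's standard `http.cookiejar`, which applies the same domain and path matching a browser does. The hosts `www.example.com` / `example.com`, the session value `abc123`, the cookie names `app_a_sessionid` / `app_b_sessionid` and the `_FakeResponse` helper are all constructed for the demonstration; `sessionid` and `Path=/` match Django's default `SESSION_COOKIE_NAME` and `SESSION_COOKIE_PATH`.

```python
import email.message
import http.cookiejar
import urllib.request

DJANGO_DEFAULT_SESSION_COOKIE_NAME = "sessionid"


class _FakeResponse:
    """Stand-in for an HTTP response: CookieJar.extract_cookies only calls .info()
    and reads the Set-Cookie headers from the returned message (constructed helper)."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def session_set_cookie(name, value, cookie_domain=None):
    """Build the Set-Cookie line Django emits for its session cookie.
    cookie_domain=None mirrors SESSION_COOKIE_DOMAIN = None (a host-only cookie,
    Django's default); ".example.com" mirrors SESSION_COOKIE_DOMAIN = ".example.com".
    Path=/, HttpOnly and Secure are Django's usual session cookie attributes."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "Secure"]
    if cookie_domain:
        attrs.append(f"Domain={cookie_domain}")
    return "; ".join(attrs)


def session_cookie_sent_on_callback(cookie_domain, login_host, callback_host):
    """Simulate the OAuth round trip from the question.

    1. The user's browser receives the session cookie while on login_host.
    2. The provider redirects the browser back to callback_host.
    Returns True if the browser would send the session cookie with the callback
    request, i.e. if Django would see the original session instead of a new one."""
    jar = http.cookiejar.CookieJar()  # default policy == browser-like Netscape rules

    # Step 1: cookie is set during a response from the login host.
    login_request = urllib.request.Request(f"https://{login_host}/")
    set_cookie = session_set_cookie(DJANGO_DEFAULT_SESSION_COOKIE_NAME, "abc123",
                                    cookie_domain)  # abc123: constructed sample value
    jar.extract_cookies(_FakeResponse([set_cookie]), login_request)

    # Step 2: the OAuth callback arrives at callback_host; does the cookie go along?
    callback_request = urllib.request.Request(f"https://{callback_host}/oauth/callback/")
    jar.add_cookie_header(callback_request)
    cookie_header = callback_request.get_header("Cookie", "")
    return f"{DJANGO_DEFAULT_SESSION_COOKIE_NAME}=" in cookie_header


def cookies_after_two_apps(host, name_a, name_b):
    """Two Django apps on the same host each set their session cookie with Path=/.
    Returns the (name, value) pairs the browser ends up holding: if both apps use
    the same SESSION_COOKIE_NAME, the second app's cookie replaces the first."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(f"https://{host}/")
    jar.extract_cookies(_FakeResponse([session_set_cookie(name_a, "app-a")]), request)
    jar.extract_cookies(_FakeResponse([session_set_cookie(name_b, "app-b")]), request)
    return sorted((cookie.name, cookie.value) for cookie in jar)


if __name__ == "__main__":
    # Default settings: host-only cookie for www.example.com, callback on example.com.
    print("host-only cookie, callback on bare domain:",
          session_cookie_sent_on_callback(None, "www.example.com", "example.com"))
    # Same hosts, callback on the same host where the cookie was set.
    print("host-only cookie, callback on same host:",
          session_cookie_sent_on_callback(None, "www.example.com", "www.example.com"))
    # SESSION_COOKIE_DOMAIN = ".example.com" covers both hosts.
    print("Domain=.example.com, callback on bare domain:",
          session_cookie_sent_on_callback(".example.com", "www.example.com", "example.com"))
    # Second answer: same SESSION_COOKIE_NAME on one host collides, distinct names do not.
    print("same cookie name:", cookies_after_two_apps("example.com", "sessionid", "sessionid"))
    print("distinct names:", cookies_after_two_apps("example.com", "app_a_sessionid", "app_b_sessionid"))
```

Run it and the first case prints `False`: with the default host-only cookie the callback on the bare domain carries no `sessionid`, so Django starts a fresh session, which is exactly the symptom in the question. Setting the cookie for `.example.com` makes the third case print `True`. Note that a cookie scoped to `.example.com` is also sent to every other subdomain, so the setting should be no wider than the hosts that actually need to share the session. The collision case shows one surviving `sessionid` cookie holding the second app's value; giving each app its own `SESSION_COOKIE_NAME` keeps both.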
