Disadvantages of sharing Django sessions on multip

Published 2019-05-06 12:50

Question:

I have built a Django site using the Sites Framework and have four sites on different subdomains. Let's call them one.mydomain.com; two.mydomain.com ... etc.

Three of the sites are product sites and one is a store. I want to be able to share sessions across the sites so a user doesn't have to login again when moving from any of the product sites to the store. I realize I could use cas to achieve the single login but I don't think that meets all my purposes.

I have read this post and this post on sharing sessions across subdomains and the consensus seems to be that it is a bad idea.

In my case I want a user to be able to add items to a cart on one subdomain and then proceed to the cart to checkout. I can't see a way of doing this without sharing sessions. A user should also be able to add to their cart from another product site and when checking out would see product from one.mydomain.com, product from two.mydomain.com etc.

So my question is why is sharing sessions a bad idea apart from potential conflicts? Assuming that I'm ensuring that the only conflicts that occur (and that should occur) are user login info.

My setup has the SECRET_KEY shared for all sites and SESSION_COOKIE_DOMAIN='.mydomain.com'. Is there a serious security flaw that I'm missing with this setup?

thanks ./w

Answer 1:

It seems to me it's a security flaw in cases when you don't control all the subdomains of a specific domain. For instance, you have one.mydomain.com and two.mydomain.com, but the browser will give your cookie also to a website called bad.mydomain.com since your settings have SESSION_COOKIE_DOMAIN='.mydomain.com'.

Another potential hole would happen if you keep your development environment as one of the subdomains (e.g. dev.mydomain.com). You wouldn't be isolated if that's the case.

As far as I've researched the subject, it seems that the worst case scenario would give out your cookies to rogue subdomains, so potentially someone could hijack a real session using this cookie.

At this moment I am doing further research on how to isolate different subdomains (controlled by the same instance of Django) in a better way, but it seems there's no real way of doing this except rewriting the SessionMiddleware.
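The cookie-scoping behaviour this answer describes can be checked offline. The following is an added example, not code from the question or the answer: it builds the Set-Cookie header Django emits for the `sessionid` cookie under a given SESSION_COOKIE_DOMAIN and then uses Python's standard-library cookie jar, which applies the same domain-matching rule as a browser for this case, to list which hosts would receive the cookie. All hostnames (including bad.mydomain.com and dev.mydomain.com from the answer, plus an unrelated attacker.example) and the session id value are constructed for the example.

```python
"""Which hosts receive a Django session cookie under a given SESSION_COOKIE_DOMAIN.

Added example. It models the browser with the standard-library cookie jar;
the hostnames and the session id value are constructed, not real.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return the response headers."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def session_set_cookie(session_cookie_domain):
    """Set-Cookie header Django emits for its 'sessionid' cookie.

    session_cookie_domain is the value of the SESSION_COOKIE_DOMAIN setting;
    None (Django's default) yields a host-only cookie with no Domain attribute.
    The value 'abc123' is a constructed placeholder for a real session key.
    """
    header = "sessionid=abc123; Path=/; HttpOnly; Secure"
    if session_cookie_domain:
        header += f"; Domain={session_cookie_domain}"
    return header


def hosts_receiving_cookie(session_cookie_domain, set_from, targets):
    """Return the subset of `targets` the client would send the cookie to.

    The cookie is stored as if it came from an HTTPS response from `set_from`;
    each target is then checked by asking the jar to attach cookies to a
    request for https://<target>/ .
    """
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy, like a browser
    origin = urllib.request.Request(f"https://{set_from}/")
    jar.extract_cookies(
        _FakeResponse(session_set_cookie(session_cookie_domain)), origin
    )
    sent_to = []
    for host in targets:
        req = urllib.request.Request(f"https://{host}/")
        jar.add_cookie_header(req)  # adds a Cookie header only if a cookie matches
        if req.has_header("Cookie"):
            sent_to.append(host)
    return sent_to


# Constructed hosts: the three product sites and the store from the question,
# the dev and rogue subdomains from the answer, and an unrelated domain.
HOSTS = [
    "one.mydomain.com",
    "two.mydomain.com",
    "store.mydomain.com",
    "dev.mydomain.com",
    "bad.mydomain.com",
    "attacker.example",
]

if __name__ == "__main__":
    for setting in (".mydomain.com", None):
        print(f"SESSION_COOKIE_DOMAIN={setting!r}:")
        print("  ", session_set_cookie(setting))
        for host in hosts_receiving_cookie(setting, "one.mydomain.com", HOSTS):
            print("   sent to", host)
```

With SESSION_COOKIE_DOMAIN='.mydomain.com' the cookie set by one.mydomain.com is attached to requests for every name under mydomain.com, the rogue bad.mydomain.com and the dev.mydomain.com environment included, while the unrelated attacker.example gets nothing; with the setting left at its default the cookie is host-only and goes back to one.mydomain.com alone. That is exactly the trade-off in the question: the host-only cookie closes the hole but also stops the store seeing the product sites' session.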



Answer 2:

From many of the things I have read it is considered a bad idea, it seems like you may create some very hard to track down bugs if you try and share sessions between sites. As far as I know it is typically better to make things as stateless as possible.