Hi Tom,
What about an OpenID single sign-on?
There is a Python package out there doing it:
openid_provider
from openid_provider.models import OpenID, TrustedRoot
Glue it together with django-userena
and you have your SSO.
Thanks
Frank
On 12.06.13 13:38, Tomas Ehrlich wrote:
Hi Tom,
that's an interesting approach. I'm going to use it and publish the code later.
Thank you!
Cheers,
Tom
PS: The key is the name of the problem :) SSO
https://github.com/ojii/django-simple-sso
https://github.com/bltravis/django-token-sso
On Wed, 12 Jun 2013 10:30:43 +0100, Tom Evans <tevans...@googlemail.com> wrote:
You could do a poor man's SSO, which would be similar to your <domain>/sess/<sess_id> idea.

Basically, only one of your websites can create a new empty session; we'll call this the master. If you get a client visiting one of your websites and they do not have a session on that website, you redirect them to the master website, with a parameter indicating the source website.

If they already have a session on the master website, you simply redirect them to the source website with a token indicating their (existing) session id. Otherwise, you create a new session on the master website and redirect them back to the source website, again with a token.

When the user returns to the source website, extract the session id from the token and set the appropriate cookies so that they are using that as their session.

Because the session id is hidden behind an opaque token during transfer, there can be no fixation attacks. Delete the token immediately after consumption, and you minimise replay attacks.
Cheers
Tom
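The master/source handshake described in Tom Evans's reply, as an added framework-free Python model that is not code from the thread or from any of the linked projects. It assumes all sites share one session store and one token store (a common database or cache), which is what lets a source site turn the opaque token back into a session id, and it assumes the master checks the `source` parameter against a fixed list of known sites so it cannot be used to bounce a browser to an arbitrary URL. Class names, URLs, the 60-second token lifetime and the allowlist are all constructed for the example. The token is deleted on first use and rejected once expired, which is the replay mitigation the reply recommends.

```python
"""Poor man's SSO: master-issued, one-time opaque transfer tokens.

Hypothetical, framework-free model of the flow in the thread. Assumes the
sites share a session store and a token store (e.g. one database or cache).
"""
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_TTL_SECONDS = 60  # assumption: a token lives only long enough for one redirect
KNOWN_SITES = {"https://a.example", "https://b.example"}  # constructed allowlist of source sites


class SharedStore:
    """Stand-in for the database/cache shared by all sites (assumption)."""

    def __init__(self):
        self.sessions = {}  # session_id -> session data
        self.tokens = {}    # token -> (session_id, expires_at)


class MasterSite:
    """The only site allowed to create a new, empty session."""

    def __init__(self, store, base_url="https://sso.example"):
        self.store = store
        self.base_url = base_url

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.store.sessions[sid] = {"created": time.time()}
        return sid

    def handle_sso(self, master_cookie_sid, source, now=None):
        """GET /sso?source=<site>: return the redirect Location back to the source site.

        Raises ValueError when the source is not a known site.
        """
        now = time.time() if now is None else now
        if source not in KNOWN_SITES:
            raise ValueError("unknown source site")
        # Reuse the master session if the browser already has one, else create it.
        sid = master_cookie_sid if master_cookie_sid in self.store.sessions else self.new_session()
        # The browser only ever sees this opaque token, never the session id itself.
        token = secrets.token_urlsafe(32)
        self.store.tokens[token] = (sid, now + TOKEN_TTL_SECONDS)
        return f"{source}/sso/callback?{urlencode({'token': token})}"


class SourceSite:
    """Any non-master site: it may only adopt sessions handed over by the master."""

    def __init__(self, store, base_url, master):
        self.store = store
        self.base_url = base_url
        self.master = master

    def handle_request(self, cookie_sid):
        """A normal page hit: redirect to the master when there is no session yet."""
        if cookie_sid in self.store.sessions:
            return ("ok", cookie_sid)
        return ("redirect", f"{self.master.base_url}/sso?{urlencode({'source': self.base_url})}")

    def handle_callback(self, callback_url, now=None):
        """GET /sso/callback?token=...: consume the token exactly once, then set the cookie."""
        now = time.time() if now is None else now
        token = parse_qs(urlsplit(callback_url).query).get("token", [""])[0]
        # pop() deletes the token on first use; a second presentation finds nothing.
        entry = self.store.tokens.pop(token, None)
        if entry is None:
            return ("reject", None)
        sid, expires_at = entry
        if now > expires_at or sid not in self.store.sessions:
            return ("reject", None)
        # This value goes into Set-Cookie: the browser now carries the shared session id.
        return ("set-cookie", sid)


def demo():
    """Run the full handshake once, then present the same callback URL again."""
    store = SharedStore()
    master = MasterSite(store)
    site_a = SourceSite(store, "https://a.example", master)

    kind, location = site_a.handle_request(cookie_sid=None)  # browser has no session yet
    source = parse_qs(urlsplit(location).query)["source"][0]

    back = master.handle_sso(master_cookie_sid=None, source=source)  # master creates the session
    first = site_a.handle_callback(back)   # token consumed here, cookie set
    replay = site_a.handle_callback(back)  # same URL again is refused
    return kind, first, replay


if __name__ == "__main__":
    print(demo())
```

In a real deployment the shared store would be the common session backend, the token lookup and delete would have to be atomic (a single DELETE ... RETURNING or cache `pop`) so two concurrent callbacks cannot both succeed, and the cookie set in `handle_callback` would carry the usual `Secure` and `HttpOnly` flags.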
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.