hasgeek/lastuser

Move login data into a separate session cookie

Closed this issue · 0 comments

jace commented

To facilitate #166, Lastuser in production now has the following in its settings.py:

#: Session cookie domain
SESSION_COOKIE_DOMAIN = '.hasgeek.com'

This has the effect of setting the session cookie on *.hasgeek.com, thereby also making it available on the parent domain and all subdomains. As the cookie is now shared across apps, we need to be careful about a few additional things:

  1. The SECRET_KEY setting in all subdomain apps must match.
  2. Session variables like lastuser_userid and lastuser_sessionid must be used in exactly the same way in all apps.
  3. All app-specific session variables, including in the Lastuser app, must have a unique prefix to prevent conflicts.

To make these easier to manage, perhaps Lastuser and Flask-Lastuser should both switch to using a different cookie, perhaps named lastuser, using the same encrypted session mechanism as Flask's session cookie. This reduces the scope for conflict. Lastuser and Flask-Lastuser can look for special config for these in the LASTUSER_SECRET_KEY and LASTUSER_COOKIE_DOMAIN config variables, falling back to the default values.
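The separate-cookie scheme sketched in this issue, as an added illustration that is not part of Lastuser or Flask-Lastuser: a cookie named lastuser, signed under a key taken from LASTUSER_SECRET_KEY (falling back to SECRET_KEY) and scoped to LASTUSER_COOKIE_DOMAIN (falling back to SESSION_COOKIE_DOMAIN). Flask's own session cookie is produced by the itsdangerous signed-serializer, which is signing rather than encryption; this example stands in a stdlib HMAC-SHA256 signer so it runs without Flask installed. Function names, the `resolve_cookie_config` helper, and the three app configs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Separate cookie proposed in the issue; apps keep their own Flask 'session'
# cookie (with prefixed keys) and share only this one.
COOKIE_NAME = "lastuser"


def resolve_cookie_config(config: dict) -> dict:
    """Pick the LASTUSER_* settings, falling back to Flask's defaults.
    The fallback order follows the issue; the helper itself is assumed."""
    return {
        "secret_key": config.get("LASTUSER_SECRET_KEY") or config["SECRET_KEY"],
        "cookie_domain": config.get("LASTUSER_COOKIE_DOMAIN")
        or config.get("SESSION_COOKIE_DOMAIN"),
    }


def _sign(payload: bytes, secret: str) -> str:
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def dump_cookie(data: dict, secret: str) -> str:
    """Serialise a dict as base64(JSON).hmac. Signed, not encrypted: any
    browser can decode the payload, only holders of `secret` can forge it."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload, secret)


def load_cookie(cookie: str, secret: str) -> Optional[dict]:
    """Return the dict if the signature verifies under `secret`, else None.
    A subdomain app whose key differs (issue point 1) gets None, not data."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(payload.encode(), secret)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):  # malformed split, base64 or JSON
        return None


def set_cookie_header(value: str, domain: Optional[str]) -> str:
    """Set-Cookie header; a Domain of .hasgeek.com makes the cookie visible
    on the parent domain and every subdomain, exactly as the issue describes."""
    parts = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly", "Secure"]
    if domain:
        parts.append(f"Domain={domain}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed configs: A and B share LASTUSER_SECRET_KEY but have their
    # own SECRET_KEY; C has neither a shared key nor a cookie domain.
    app_a = resolve_cookie_config({"SECRET_KEY": "a-only",
                                   "LASTUSER_SECRET_KEY": "shared",
                                   "SESSION_COOKIE_DOMAIN": ".hasgeek.com"})
    app_b = resolve_cookie_config({"SECRET_KEY": "b-only",
                                   "LASTUSER_SECRET_KEY": "shared"})
    app_c = resolve_cookie_config({"SECRET_KEY": "c-only"})
    login = dump_cookie({"lastuser_userid": "u1", "lastuser_sessionid": "s1"},
                        app_a["secret_key"])
    print(set_cookie_header(login, app_a["cookie_domain"]))
    print("B reads:", load_cookie(login, app_b["secret_key"]))
    print("C reads:", load_cookie(login, app_c["secret_key"]))
```

Because each app's own SECRET_KEY no longer has to match, only LASTUSER_SECRET_KEY must be shared across the subdomain apps, and the app-specific session variables stay in the per-app Flask cookie rather than in the shared one.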