jazzband/django-hosts

Document / support limiting session cookie to configured hosts?

Opened this issue · 0 comments

abeld commented

I'm not sure how common my use case is, but I use django-hosts to allow having an admin page under a subdomain (admin.example.com), with a main app page on another subdomain (app.example.com). (The main domain, example.com, is a WordPress-based marketing webpage hosted entirely separately.)

One (low-severity) issue raised during a penetration test audit was that the session cookie for the webapp is set to be valid for the entire example.com (so that it will work for both admin.example.com and app.example.com), and it would be more prudent to limit this to the actually used subdomains, for example to avoid it being in scope for the marketing site at example.com, or for some_other_random_subdomain.example.com.

Trying to look into how to accomplish this appears to show that stock Django cannot handle setting multiple subdomains as the scope of the session cookie (since only a single domain can be specified with SESSION_COOKIE_DOMAIN in settings.py). There are third-party solutions, for example https://ittone.ma/ittone/django-session_cookie_domain-with-multiple-domains/

I would suggest either adding some support (for example merging what the above-linked example does into HostsResponseMiddleware) or documenting how to set it up (which third-party solution works best, etc.).
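The narrowing the issue asks for can be done in a response-phase middleware, which is the approach the linked third-party snippet takes. The example below is added here and is not django-hosts code or the issue author's code. It assumes a constructed allow-list of the two hosts the project serves (`ALLOWED_SESSION_HOSTS`) and the default cookie name `sessionid`; the middleware class, the `narrow_session_cookie` helper and the request/response stand-ins are hypothetical names chosen for this example. It uses only the standard library's `http.cookies`, which is what Django's `HttpResponse.cookies` is built on, so it runs without Django installed. For an allowed host it turns the wide `Domain=.example.com` cookie into a host-only cookie (no `Domain` attribute, so the browser sends it only back to that exact host); for any other host it drops the `Set-Cookie` rather than ever widening it.

```python
"""Added example: scope Django's session cookie to the host that served it."""
from http.cookies import SimpleCookie

# Constructed settings: the hosts django-hosts actually routes for this project.
ALLOWED_SESSION_HOSTS = frozenset({"admin.example.com", "app.example.com"})
SESSION_COOKIE_NAME = "sessionid"


def normalize_host(host):
    """Lower-case, drop the port and any trailing dot so allow-list lookups are exact."""
    return host.split(":", 1)[0].rstrip(".").lower()


def narrow_session_cookie(cookies, host, allowed=ALLOWED_SESSION_HOSTS):
    """Rewrite the session cookie morsel in `cookies` (a SimpleCookie) in place.

    Returns "" when the cookie was narrowed to host-only for an allowed host,
    or None when there was no session cookie or the host is not one we serve
    sessions for (in which case the cookie is removed, never widened).
    """
    morsel = cookies.get(SESSION_COOKIE_NAME)
    if morsel is None:
        return None
    if normalize_host(host) not in allowed:
        del cookies[SESSION_COOKIE_NAME]
        return None
    # An empty Domain attribute is omitted from the header entirely, which
    # makes the browser treat the cookie as host-only (no subdomain sharing).
    morsel["domain"] = ""
    return morsel["domain"]


class PerHostSessionCookieMiddleware:
    """Hypothetical Django-style middleware. List it *before* SessionMiddleware in
    MIDDLEWARE so that it runs *after* SessionMiddleware on the response path."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        narrow_session_cookie(response.cookies, request.get_host())
        return response


# --- constructed stand-ins for HttpRequest / HttpResponse, for the demo only ---
class DemoRequest:
    def __init__(self, host):
        self.host = host

    def get_host(self):
        return self.host


class DemoResponse:
    def __init__(self):
        self.cookies = SimpleCookie()


def wide_session_cookie():
    """Constructed cookie jar mimicking SessionMiddleware with
    SESSION_COOKIE_DOMAIN = '.example.com' (the wide setting from the issue)."""
    cookies = SimpleCookie()
    cookies[SESSION_COOKIE_NAME] = "abc123"
    cookies[SESSION_COOKIE_NAME]["domain"] = ".example.com"
    cookies[SESSION_COOKIE_NAME]["httponly"] = True
    cookies[SESSION_COOKIE_NAME]["secure"] = True
    return cookies


def demo_view(request):
    response = DemoResponse()
    response.cookies = wide_session_cookie()
    return response


def set_cookie_header(host):
    """Run one request through the middleware and return the Set-Cookie value
    the client would receive, or None when no session cookie is sent."""
    middleware = PerHostSessionCookieMiddleware(demo_view)
    response = middleware(DemoRequest(host))
    morsel = response.cookies.get(SESSION_COOKIE_NAME)
    return morsel.OutputString() if morsel is not None else None


if __name__ == "__main__":
    for h in ("app.example.com", "admin.example.com:8443", "other.example.com"):
        print(h, "->", set_cookie_header(h))
```

With this in place, a login on admin.example.com and a login on app.example.com each get their own host-only cookie, which is the trade-off behind the issue's request: a cookie cannot be valid for two sibling subdomains without also being valid for their common parent, so "limit to the used subdomains" in practice means one host-only cookie per host. Note that `request.get_host()` already validates against `ALLOWED_HOSTS`, so the allow-list here is a second, narrower check specific to session issuance.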