Blog: Shared Security between Django and Joomla (Overview)

When a user visits a Joomla site they are given a session cookie. The cookie's name is a unique hash of the site name. Every visitor to the site will receive a cookie with the same name. If that user is logged into Joomla this cookie's value will correspond to a session_id stored in the Joomla slhdb_session table.

In order to use Joomla as the login/authentication layer for Django we must write our own Django authentication back-end. This custom back-end will:

  1. Inspect the client's domain cookies, looking for the Joomla session cookie.
  2. Query the Joomla session table for the client's session cookie value.
  3. Log in to Django and create a Django User record (if this is the first time this user has logged in).
  4. Create a Django session.

If any of the above steps fail, Django must redirect to the Joomla login page in order for the client to authenticate.

Once successfully logged in, Django should store info about our Joomla session in Django's built-in Session variable dictionary structure.

On each Django request we will now:

  1. Validate the Django session cookie and record.
  2. Query the Session dictionary data for the Joomla user and session info.
  3. Inspect the client's domain cookies and make sure that the Joomla session matches the cookie value.

If any of the above steps fail, Django must redirect to the Joomla login page in order for the client to authenticate.

This method will ensure that each Django view request is authenticated against Joomla (assuming each view has the authentication decorator) and only requires querying the Joomla DB one initial time, on login. No session IDs are stored in the URL, thus preventing referrer hacks. The only data that is ever stored locally is the session ID within both the Django and Joomla cookies. No local data tampering is possible.

  1. If the Django cookie disappears or is tampered with, the next Django request will automatically destroy the existing cookie and create a new valid Django cookie based on the valid Joomla session cookie.
  2. If the Joomla cookie disappears or is tampered with, the next Django request will fail and the user will immediately be kicked out to the Joomla login page.
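The login steps and the per-request check described above, as an added example that is not the post's own code. It stands in for Django with plain dictionaries (`users` for the User table, `django_session` for `request.session`) and an in-memory SQLite copy of the Joomla session table; the table name comes from the post, while the column set, the cookie name and the sample rows are assumptions. The cookie value is attacker-controlled, so it is bound as a query parameter and compared in constant time.

```python
import hmac
import sqlite3

# Table name from the post; the column set below is an assumption.
JOOMLA_TABLE = "slhdb_session"
# Placeholder for the hashed cookie name Joomla derives from the site name.
JOOMLA_COOKIE = "joomla_session_cookie_placeholder"

def make_joomla_db():
    """Build an in-memory copy of the Joomla session table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {JOOMLA_TABLE} "
               "(session_id TEXT PRIMARY KEY, userid INTEGER, username TEXT, guest INTEGER)")
    db.executemany(f"INSERT INTO {JOOMLA_TABLE} VALUES (?, ?, ?, ?)",
                   [("sess-alice-1", 42, "alice", 0), ("sess-guest-1", 0, "", 1)])
    return db

def lookup_joomla_user(db, session_id):
    """Login step 2: resolve the cookie value to a logged-in (non-guest) Joomla user.
    The value comes straight from the client, so it is passed as a bound parameter."""
    row = db.execute(f"SELECT userid, username FROM {JOOMLA_TABLE} "
                     "WHERE session_id = ? AND guest = 0", (session_id,)).fetchone()
    return None if row is None else {"userid": row[0], "username": row[1]}

def joomla_login(db, cookies, django_session, users):
    """Login steps 1-4. Returns the Django user record, or None when the caller
    must redirect to the Joomla login page."""
    sid = cookies.get(JOOMLA_COOKIE)            # step 1: find the Joomla cookie
    if not sid:
        return None
    joomla_user = lookup_joomla_user(db, sid)   # step 2: query the session table
    if joomla_user is None:
        return None
    # Step 3: create the Django User record on first login only.
    user = users.setdefault(joomla_user["username"],
                            {"id": joomla_user["userid"], "name": joomla_user["username"]})
    # Step 4: record the Joomla session id in the Django session dictionary.
    django_session["joomla_session_id"] = sid
    django_session["joomla_userid"] = joomla_user["userid"]
    return user

def request_is_authenticated(cookies, django_session):
    """Per-request steps 2-3 (step 1, validating the Django session itself, is
    Django's own session middleware). The Joomla cookie presented now must match
    the value stored at login; any mismatch means redirect to Joomla login."""
    stored = django_session.get("joomla_session_id")
    presented = cookies.get(JOOMLA_COOKIE)
    if not stored or not presented:
        return False
    return hmac.compare_digest(stored, presented)
```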
