Shared Security between Django and Joomla (Overview)

When a user visits a Joomla site they are given a session cookie. The cookie's name is a unique hash of the site name. Every visitor to the site will receive a cookie with the same name. If that user is logged into Joomla this cookie's value will correspond to a session_id stored in the Joomla slhdb_session table.
In order to use Joomla as the login/authentication layer for Django we must write our own Django authentication back-end. This custom back-end will:
- Inspect the client's domain cookies, looking for the Joomla session cookie
- Query the Joomla session table for the client's session cookie value.
- Log in to Django and create a Django User record (if this is the first time this user has logged in)
- Create a Django session
If any of the above steps fail, Django must redirect to the Joomla login page in order for the client to authenticate.
Once successfully logged in, Django should store info about our Joomla session in Django's built-in session dictionary (request.session).
On each Django request we will now:
- Validate the Django session cookie and record
- Query the session dictionary data for the client's Joomla user and session info
- Inspect the client's domain cookies and make sure that the stored Joomla session ID matches the current cookie value
If any of the above steps fail, Django must redirect to the Joomla login page in order for the client to authenticate.
This method will ensure that each Django view request is authenticated against Joomla (assuming each view has the authentication decorator) and only requires querying the Joomla DB once, at login. No session IDs are stored in the URL, which prevents referrer hacks. The only data ever stored on the client is the session ID within each of the Django and Joomla cookies, so there is nothing else stored locally to tamper with.
- If the Django cookie disappears or is tampered with, the next Django request will automatically destroy the existing cookie and create a new valid Django cookie based on the valid Joomla session cookie.
- If the Joomla cookie disappears or is tampered with, the next Django request will fail and the user will immediately be kicked out to the Joomla login page.
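The login flow (cookie, Joomla session table, Django User, Django session) and the per-request check (session data versus live cookie) described above, written out as an added, self-contained illustration. This is not the author's backend or the project's code: Django's request, session and User table are replaced by small stand-ins, the Joomla session table is a constructed dict, the cookie-name hash is assumed to be MD5, and the site name and session_id value are made up. The constant-time comparison of the stored and presented session IDs is an addition, not something the post specifies.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the Joomla session table the page calls slhdb_session:
# session_id -> Joomla user id. A real backend runs a SELECT against that table.
JOOMLA_SESSION_TABLE: Dict[str, int] = {
    "ac5d5bb0c0ffee0123456789a3bdc283": 42,  # constructed session_id, not a real one
}
DB_QUERIES = {"count": 0}           # shows the Joomla DB is only hit at login
DJANGO_USERS: Dict[int, dict] = {}  # stand-in for Django's User table


def joomla_cookie_name(site_name: str) -> str:
    """The page says the cookie name is a hash of the site name; MD5 is assumed here."""
    return hashlib.md5(site_name.encode("utf-8")).hexdigest()


def query_joomla_session(session_id: str) -> Optional[int]:
    """Look the cookie value up in the Joomla session table (constructed dict above)."""
    DB_QUERIES["count"] += 1
    return JOOMLA_SESSION_TABLE.get(session_id)


class JoomlaLoginRequired(Exception):
    """Raised wherever the page says Django must redirect to the Joomla login page."""


@dataclass
class Request:
    """Minimal stand-in for a Django request: the domain cookies and request.session."""
    cookies: Dict[str, str]
    session: Dict[str, object] = field(default_factory=dict)
    user: Optional[dict] = None


def authenticate_via_joomla(request: Request, site_name: str) -> dict:
    """The custom auth backend: cookie -> Joomla table -> Django User -> Django session."""
    session_id = request.cookies.get(joomla_cookie_name(site_name))
    if not session_id:
        raise JoomlaLoginRequired("no Joomla session cookie")
    user_id = query_joomla_session(session_id)
    if user_id is None:
        raise JoomlaLoginRequired("cookie value matches no Joomla session")
    # First login creates the Django User record; later logins reuse it.
    user = DJANGO_USERS.setdefault(user_id, {"id": user_id, "username": f"joomla-{user_id}"})
    # Fresh Django session holding the Joomla info that later requests are checked against.
    request.session.clear()
    request.session["joomla_user_id"] = user_id
    request.session["joomla_session_id"] = session_id
    request.user = user
    return user


def validate_django_session(request: Request, site_name: str) -> dict:
    """Per-request check: the stored Joomla session must still match the live cookie."""
    stored = request.session.get("joomla_session_id")
    user_id = request.session.get("joomla_user_id")
    if not isinstance(stored, str) or user_id not in DJANGO_USERS:
        raise JoomlaLoginRequired("Django session carries no Joomla info")
    current = request.cookies.get(joomla_cookie_name(site_name), "")
    # Constant-time compare (an addition here), so the check leaks nothing about the stored id.
    if not hmac.compare_digest(stored, current):
        raise JoomlaLoginRequired("Joomla cookie missing or changed")
    request.user = DJANGO_USERS[user_id]
    return request.user


def handle_request(request: Request, site_name: str) -> dict:
    """What the per-view auth check does: use the Django session, else rebuild it from Joomla."""
    if "joomla_session_id" not in request.session:
        # Django session gone or replaced: rebuild it from the Joomla cookie (one DB query).
        return authenticate_via_joomla(request, site_name)
    # Django session present: no DB query, but the Joomla cookie must still match.
    return validate_django_session(request, site_name)


def dispatch(request: Request, site_name: str) -> str:
    """Outcome of a view request as a string: 'ok:<username>' or 'redirect:joomla-login'."""
    try:
        user = handle_request(request, site_name)
    except JoomlaLoginRequired as exc:
        return f"redirect:joomla-login ({exc})"
    return f"ok:{user['username']}"


if __name__ == "__main__":
    site = "example-joomla-site"  # constructed site name
    req = Request(cookies={joomla_cookie_name(site): "ac5d5bb0c0ffee0123456789a3bdc283"})
    print(dispatch(req, site), DB_QUERIES["count"])  # login: one DB query
    print(dispatch(req, site), DB_QUERIES["count"])  # same session: still one
    req.cookies[joomla_cookie_name(site)] = "tampered"
    print(dispatch(req, site))                       # redirect to the Joomla login page
```

Running the script shows the two failure paths the post lists: a request whose Django session is gone is re-authenticated from the Joomla cookie with one more table lookup, while a request whose Joomla cookie no longer matches the session is redirected without touching the database.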
Comments (7)
Hi, we are solving the same problem. Our way is also creating a custom auth backend. Can you share the code? Maybe we can help to make it better.
Ivan
This sounds like a great idea. Have you written any code for this yet? If so please let me know where I can get it.
Thanks
Hi Dusty, I'll email you about this directly.
So... have you written this auth backend? I'm not much of a coder (in fact, I'm not a coder at all!) but actually need to do this...
so, if you have, is there any chance of grabbing a copy? ;) Cheers!
I'm using Joomla 1.0.* so maybe it's the reason...
Are you sure you are comparing against the cookie's value and not the name? They are both hashes, but for example my current cookie name on this site is:
bbd47bea5574b724cb98a3e9ea5ee54e
And its value is:
ac5d5bbsecretstuffa3bdc2832734a6
If I look in my db_session table I see a record whose session_id value equals my cookie's value. From that I can of course link to the user table and anything else.
Hi,
I'm writing a context processor in Django which automatically logs in a user who is logged in to Joomla, between joo.domain.com and django.domain.com.
The only thing I can't get is the session_id in the Joomla cookie: I get an (md5) value which does not correspond to the stored value in the database.
If you know how to retrieve it, please let me know.
Thank you