Integrating Django and RoR (Ruby on Rails)

Time: 2021-01-22 20:42:22

I have a website built by someone else with ruby-on-rails, and I'm now building a django application.

I need my users to sign in with my sign-in page built on django and surf my django pages (so far - easy to do) but I also need to add links on the sidebar to that RoR application (and from there they will be able to come back to my app).

The users shouldn't know that they are "leaving" the django app - for them it's one website - that RoR app looks and feels the same for them.

A. How can I do this?
B. They sign in with the django app so the sessions and all user stuff will be managed by django. How can I "pass" sessions to the RoR app? Should I use iframe??
C. What do the links in django to the RoR url look like?

Thank you guys!

2 solutions

#1


2  

The best practice here would be to look to how advertising networks share state across multiple properties. One commonly used method is a tracking pixel. For example, in your Django app, embed:

<img src="http://myrailsapp/mysession_creator" />

Make sure that your rails app responds at that address with a session. That will establish a session cookie on the rails domain.

Now to layer on security, and it depends on what level of security you need. You could pass in information, like:

<img src="http://myrailsapp/mysession_creator?user=myUserName" />

Obviously not incredibly secure, but it depends on your app. A more secure method would be:

<img src="http://myrailsapp/mysession_creator?t=<MD5HashTokenHere>" />

Then the Rails app would have a mechanism of validating that token against the Django app server side (either through database state or a server side application call.) More work, but more secure.

Another method, if your applications share a root domain, you can use a secure cookie on the root domain to pass information between applications. For example, https://django.myapp.com sets a myapp.com cookie, and https://rails.myapp.com knows to look for a "username" cookie. Requires a wildcard SSL cert on the root domain.

Another option is to pass the token or login information with every link to the Rails app, and have a before_filter that recognizes the hand off and establishes the session in a similar way.
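An added example, not part of the original answer: one way to build the `t=` hand-off token so it can be checked against shared state, as the answer describes. It swaps the MD5 hash for a random one-time token; the function names, the 30-second lifetime and the in-memory dict standing in for a table both apps can read are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30  # assumed lifetime: long enough for the hand-off only

# Stand-in for state both apps can reach (shared table or cache).
# Keyed by SHA-256 of the token, so a leaked table cannot be replayed.
_handoff_store = {}


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_handoff_token(username, now=None):
    """Django side: mint an unguessable token for an authenticated user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _handoff_store[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_handoff_token(token, now=None):
    """Rails side (modelled here in Python): return the username or None.

    The record is removed on first lookup, so a token copied from browser
    history, a Referer header or a proxy log cannot be redeemed again.
    """
    now = time.time() if now is None else now
    if not isinstance(token, str) or not token.isascii():
        return None
    record = _handoff_store.pop(_digest(token), None)
    if record is None:
        return None  # unknown token, or already used
    username, expires_at = record
    if now > expires_at:
        return None  # expired before it was presented
    return username


if __name__ == "__main__":
    t = issue_handoff_token("alice")  # constructed sample user
    print("value for the t= parameter:", t)
    print("first redeem:", redeem_handoff_token(t))
    print("replay:", redeem_handoff_token(t))
```

The receiving app sets its own session cookie only after a successful redeem; the token never carries the username itself.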

#2


0  

I'm not sure if this will work, but we did this before using 2 rails apps.

Make sure the session keys in Rails and in your django app are the same.

In Rails, it'll probably look like this:

ActionController::Base.session = {
  :key         => '_my_session_key',
  :secret      => '_my_session_secret'
}

In Django, a quick google led me to this:

https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY

I think once those are the same, the two apps will share the same session.
