In Django, can I prevent an attacker from re-using a session from one domain to gain access to another domain?
I have a Django project serving two different purposes. On one subdomain, let's call it public.example.com, I allow unprivileged users to access a portal to edit their profile and settings. On another domain, private.example.com, I give the user access to some management functions.

I have the default Django session cookie settings, so when I log in to public.example.com and then try accessing private.example.com, I get redirected to a login page. This is normal and expected because the browser will not send the session cookie to any domain other than

If I copy the session cookie that is sent to public.example.com and tamper with the request made to private.example.com so that I send the public cookie to the private domain, Django responds with a 200 OK answer and renders the page as if I am a user that has logged in to that domain.
I cannot find any documentation that tells me that sessions are limited to the domains that they originated from, other than the default browser behaviour of limiting cookies to their respective domains.
Is it possible to prevent such unwanted access without serving the project on two different instances with two different databases?
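One way to get the behaviour the question asks for, as an added example that is not part of the question and not Django's own code: a small middleware that records the host a session was first populated on and flushes the session when the same cookie shows up on a different host. The key name SESSION_HOST_KEY, the middleware class and the stand-in session/request/view objects used to exercise it offline are all my assumptions; the only Django interfaces relied on are request.session (get, "in", item assignment, is_empty() and flush()) and request.get_host(), so the class needs no Django import and would be listed in MIDDLEWARE after django.contrib.sessions.middleware.SessionMiddleware.

```python
"""Added example: bind a Django session to the host it was created on.

Assumptions (mine, not Django documented behaviour):
  * SESSION_HOST_KEY is an arbitrary key name stored inside the session.
  * The middleware sits in MIDDLEWARE after SessionMiddleware so that
    request.session already exists when __call__ runs.
The FakeSession / FakeRequest / view objects at the bottom are constructed
stand-ins so the middleware can be run without Django installed.
"""

SESSION_HOST_KEY = "_bound_host"  # assumed name; any key unused elsewhere works


class HostBoundSessionMiddleware:
    """Reject a session cookie presented to a host other than the one it was bound to."""

    def __init__(self, get_response):
        self.get_response = get_response

    @staticmethod
    def _host(request):
        # Normalise "Private.Example.com:8443" -> "private.example.com"
        return request.get_host().split(":", 1)[0].lower()

    def __call__(self, request):
        host = self._host(request)
        bound = request.session.get(SESSION_HOST_KEY)
        if bound is not None and bound != host:
            # Cookie replayed against another host: destroy the server-side
            # session so the view sees an anonymous user.
            request.session.flush()
        response = self.get_response(request)
        # Bind a session that now carries data (for example, the login view
        # just populated it) and is not yet tied to a host.
        if not request.session.is_empty() and SESSION_HOST_KEY not in request.session:
            request.session[SESSION_HOST_KEY] = host
        return response


# --- constructed stand-ins so the middleware can be exercised without Django ---

class FakeSession(dict):
    """Minimal imitation of the parts of Django's SessionBase used above."""

    def __init__(self, key=None, data=None):
        super().__init__(data or {})
        self.session_key = key

    def is_empty(self):
        return self.session_key is None and not self

    def flush(self):
        self.clear()
        self.session_key = None


class FakeRequest:
    def __init__(self, host, session):
        self._host = host
        self.session = session

    def get_host(self):
        return self._host


def view(request):
    """Stand-in protected view: 200 if the session still identifies a user."""
    if "_auth_user_id" in request.session:
        return "200 user %s" % request.session["_auth_user_id"]
    return "302 login"


def login_view(request):
    """Stand-in login view: populates the session the way auth.login does."""
    request.session.session_key = "abc123"  # Django assigns a key on save
    request.session["_auth_user_id"] = "42"
    return "200 logged in"


def simulate_replay():
    """Log in on public.example.com, then replay the same session on private."""
    session = FakeSession()
    HostBoundSessionMiddleware(login_view)(FakeRequest("public.example.com", session))
    bound_to = session.get(SESSION_HOST_KEY)
    mw = HostBoundSessionMiddleware(view)
    same_host = mw(FakeRequest("public.example.com:443", session))  # legitimate use
    other_host = mw(FakeRequest("private.example.com", session))    # copied cookie
    return {
        "bound_to": bound_to,
        "same_host": same_host,
        "other_host": other_host,
        "session_alive": not session.is_empty(),
    }


if __name__ == "__main__":
    print(simulate_replay())
```

The binding happens in the response phase so that the very request that logs the user in is already tied to its host; a cookie copied to the other domain then hits the flush branch and the protected view sees an anonymous session. Because flush() deletes the server-side record, the replay also logs the legitimate user out, which is the stricter choice when a replayed cookie is treated as evidence of theft. This check is host-based only: it does nothing against a stolen cookie replayed on the same host, and it relies on get_host(), so ALLOWED_HOSTS must be configured as usual.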