In Django, can I prevent an attacker from re-using a session from one domain to gain access to another domain?

I have a Django project serving two different purposes. On one subdomain, let's call it public.example.com, I allow unprivileged users to access a portal to edit their profile and settings. On another domain, private.example.com, I give the user access to some management functions.

I have the default Django session cookie settings, so when I log in to public.example.com and then try accessing private.example.com, I get redirected to a login page. This is normal and expected because the browser will not send the session cookie to any domain other than public.example.com.

If I copy the session cookie that is sent to public.example.com and tamper with the request made to private.example.com so that I send the public cookie to the private domain, Django responds with a 200 OK answer and renders the page as if I am a user that has logged in to that domain.

I cannot find any documentation that tells me that sessions are limited to the domains that they originated from, other than the default browser behaviour of limiting cookies to their respective domains.

Is it possible to prevent such unwanted access without serving the project on two different instances with two different databases?
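One way to get the behaviour the question asks for, as an added example that is not part of the original post and not Django's own code: a Django-style middleware that records the host a session was issued on in a session key the client cannot forge (the value lives server-side, or inside Django's signed session cookie), and flushes the session when the same cookie shows up on a different host. The key name `_bound_host`, the `session_host_mismatch` attribute and the class/function names are assumptions. It is written with duck typing on the request and session objects, with constructed stand-ins for both, so it runs here without Django installed.

```python
# Added example: bind each Django session to the host that issued it.
# Not from the question or from Django; names below are assumed.

BOUND_HOST_KEY = "_bound_host"   # assumed session key name


def normalize_host(host):
    """Lower-case and strip any explicit port, so 'Private.Example.com:443'
    and 'private.example.com' compare equal."""
    return host.split(":", 1)[0].lower()


def bind_session_to_host(request):
    """Record the current host in the session. The client cannot rewrite this
    value: it is stored server-side (db/cache backends) or inside the signed
    cookie (signed_cookies backend)."""
    request.session[BOUND_HOST_KEY] = normalize_host(request.get_host())


def on_user_logged_in(sender, request, user, **kwargs):
    """Receiver for django.contrib.auth.signals.user_logged_in, so the binding
    is written in the same request that creates the authenticated session."""
    bind_session_to_host(request)


class SessionHostBindingMiddleware:
    """Place right after SessionMiddleware in MIDDLEWARE. A session presented
    to a host other than the one it is bound to is flushed, so the rest of the
    stack sees an anonymous request and the usual login redirect applies."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        session = request.session
        host = normalize_host(request.get_host())
        bound = session.get(BOUND_HOST_KEY)
        if bound is None:
            # Bind only sessions that already carry data; writing to an empty
            # session would create a persistent session for every anonymous hit.
            if session.keys():
                bind_session_to_host(request)
        elif bound != host:
            # Cross-host replay: destroy key and data, not just the binding.
            session.flush()
            request.session_host_mismatch = True  # hypothetical flag for logging
        return self.get_response(request)


# --- constructed stand-ins for Django's request/session, to run the scenario ---
class FakeSession(dict):
    """Minimal stand-in for Django's SessionBase: dict access plus flush()."""

    def __init__(self):
        super().__init__()
        self.flush_count = 0

    def flush(self):
        self.clear()
        self.flush_count += 1


class FakeRequest:
    def __init__(self, host, session):
        self.session = session
        self._host = host

    def get_host(self):
        return self._host


def replay_scenario(login_host="public.example.com", replay_host="private.example.com"):
    """Log in on login_host, make one more request there, then replay the same
    session on replay_host. Returns (authenticated after same-host request,
    authenticated after cross-host replay, number of session flushes)."""
    middleware = SessionHostBindingMiddleware(lambda request: "200 OK")
    session = FakeSession()

    # Login: Django's login() sets _auth_user_id and fires user_logged_in.
    login_req = FakeRequest(login_host, session)
    session["_auth_user_id"] = "42"          # constructed user id
    on_user_logged_in(None, login_req, user=None)

    middleware(FakeRequest(login_host, session))   # normal follow-up request
    same_host_ok = "_auth_user_id" in session

    middleware(FakeRequest(replay_host, session))  # cookie copied to other host
    replay_ok = "_auth_user_id" in session

    return same_host_ok, replay_ok, session.flush_count
```

To wire it into a real project, list `SessionHostBindingMiddleware` in `MIDDLEWARE` directly after `django.contrib.sessions.middleware.SessionMiddleware`, and connect `on_user_logged_in` to `django.contrib.auth.signals.user_logged_in` so the binding exists from the first authenticated request rather than the second. This stops a cookie issued on public.example.com from being honoured on private.example.com; it does not replace the permission checks the management views need for users who legitimately log in on the private host.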
