2

I need to clarify a fundamental concept (beginner here).

In a Django web app I maintain, I notice that if one logs in via going to example.com, they remain logged out on www.example.com (and can then go on to create a clone account).

1) Why does this happen?

2) What's the standard practice to iron out this issue? I.e., give one consistent experience across www and no-www.

In case the answer is as basic as just a redirection, I could use some pointers and an illustrative example there too - I'm using nginx reverse proxy with gunicorn.

Hassan Baig
  • I don't think any client-side stuff will prevent users from registering clone accounts; that has more to do with your models and views than with cookies or auth stuff – arielnmz Jul 25 '17 at 19:19
  • Also, what are you doing to log the users in? Are you using the built-in views or is it a custom login? – arielnmz Jul 25 '17 at 19:21
  • In the context of this question, cloning is just an observation - we can disregard it. – Hassan Baig Jul 25 '17 at 19:22
  • I rely on `django.contrib.auth` (i.e. inbuilt stuff from the Django framework). – Hassan Baig Jul 25 '17 at 19:22
  • Unless you somehow rely on the contents of a cookie to set the username of new users, there is no reason why users would create clone accounts – arielnmz Jul 25 '17 at 19:26

1 Answer

1

1) Django cookies do not work the same for a www-prepended and a non-www domain by default. Django considers them to be different sessions.

2) You can set the `PREPEND_WWW` setting to redirect your xyz.com to www.xyz.com.

```python
PREPEND_WWW = True
```

Or, if you need the same cookie for both of the sites, you can use `SESSION_COOKIE_DOMAIN`:

```python
SESSION_COOKIE_DOMAIN = ".yoursite.com"
```

Aniket Pawar
  • Yes, that's what the Django documentation says: set it to a string such as ".example.com" (note the leading dot!) for cross-domain cookies, or use None for a standard domain cookie. – Aniket Pawar Jul 25 '17 at 19:17
  • **1)** Is it standard practice to have `www` or to not have it? **2)** Some resources point out that such redirection should happen on the webserver level (nginx in my case). Is the approach you've defined better/worse than that? – Hassan Baig Jul 25 '17 at 19:17
  • It does not matter whether you use www or non-www, but once you have decided on one of them you have to be consistent, for SEO purposes. – Aniket Pawar Jul 25 '17 at 19:21
  • But many major live projects use the www-prepended form, such as Instagram and Facebook – Aniket Pawar Jul 25 '17 at 19:22
  • Thanks for the information. Lastly, what would you suggest to be the best way to make this change, with the least amount of disturbance for existing users? – Hassan Baig Jul 25 '17 at 19:34
  • I would suggest redirecting all URL hits to the www-prepended URL – Aniket Pawar Jul 25 '17 at 19:35
  • For the record, I ended up implementing this solution instead: https://stackoverflow.com/a/29811817/4936905. I actually wanted to take the `no WWW` route. – Hassan Baig Jul 25 '17 at 22:32
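
Added example, not part of the original question or answer: a simplified model of the RFC 6265 cookie domain rules, showing why Django's default host-only session cookie set on example.com is not sent to www.example.com, and which hosts receive it once `SESSION_COOKIE_DOMAIN = ".example.com"` is set. The function names and sample hosts are constructed for illustration; public-suffix and IP-address checks that real browsers apply are left out.

```python
"""Which hosts receive a session cookie, following RFC 6265 domain matching."""
from typing import List, Optional, Tuple


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or host ends with '.' + cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def store_cookie(setting_host: str, domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """Return (domain, host_only) as a browser stores it, or None if rejected.

    domain_attr models Django's SESSION_COOKIE_DOMAIN (None is the default).
    """
    if not domain_attr:
        # No Domain attribute: host-only cookie, bound to the exact host.
        return (setting_host.lower(), True)
    # A single leading dot is ignored by the browser (RFC 6265 5.2.3).
    domain = (domain_attr[1:] if domain_attr.startswith(".") else domain_attr).lower()
    if not domain_match(setting_host, domain):
        return None  # a host may not set a cookie for an unrelated domain
    return (domain, False)


def is_sent(request_host: str, stored: Optional[Tuple[str, bool]]) -> bool:
    """Would the browser attach the stored cookie to a request for request_host?"""
    if stored is None:
        return False
    domain, host_only = stored
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)


def recipients(setting_host: str, domain_attr: Optional[str], hosts: List[str]) -> List[str]:
    """Hosts from `hosts` that would receive a cookie set by setting_host."""
    stored = store_cookie(setting_host, domain_attr)
    return [h for h in hosts if is_sent(h, stored)]


# Constructed sample hosts; blog.example.com stands for any other subdomain.
HOSTS = ["example.com", "www.example.com", "blog.example.com", "example.org"]

if __name__ == "__main__":
    print("default (None):   ", recipients("example.com", None, HOSTS))
    print("'.example.com':   ", recipients("example.com", ".example.com", HOSTS))
```

With the domain-wide setting the session cookie is also sent to blog.example.com and every other subdomain, so redirecting to one canonical host keeps the cookie's scope narrower than sharing it.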