Can I still use request.session in Django for embedded apps? #53
Comments
Hey @sillycube, unfortunately embedded apps are no longer allowed to use any cookies, because any cookies set by your app will be 3rd party cookies, and browsers are making it harder to use those. What you can do is use the session token that App Bridge sends when calling
Thanks for your prompt reply. I guess you mean using sessions out of view with SessionStore, using the id as the key of the session. But I've been using request.session in many of my view functions. It may take a lot of time to do the refactoring. Comparing the benefits and costs, the non-embedded approach may be better for me. And I don't need to take care of session token auth and the Django session cookie anymore. Hopefully, your team can suggest a better approach for Python / Django developers. I find it painful following the session token auth, OAuth, and App Bridge documentation and the sample Django app, but it can't go through app review. It's just too hard to implement all of these without concrete examples. I personally spent a month studying all of them and going back and forth with the app review team.
Thank you for that feedback, we'll take it under consideration! We've recently produced an example app using Django and session tokens, so hopefully that can give you some useful insights into how they can be used. You can visit https://github.com/shopify/sample-django-app for that.
Thanks, @paulomarg. I didn't realize that there is a new sample Django app! I still have an old Shopify app using EASDK. Shopify has asked us to upgrade it to App Bridge & Session token auth. Hope the repo can help me and the others. At first glance, I found it quite interesting. It didn't use middleware to parse the session token as suggested by the docs. Instead, it used decorators to wrap the functions. Also, it's great to use CDNs without bundling with a build system. Can this sample app work completely without 3rd party cookies?
Yes, I believe that app is using session tokens throughout!
Is there any update on this as I am getting error of
By default, Django uses cookies to store the session id. If I use sessions to store data, a cookie must be used. Even if I implement session token authentication (which is a must for Shopify app review now), it can't help to remove this cookie.
Does it mean that if I'm using sessions in Django, I can no longer make it an embedded app? In other words, the app must be standalone?
I'm asking because I'm referring to this repo to implement auth in an embedded app:
in def authenticate(request):
request.session['shopify_oauth_state_param'] = state
in def finalize(request):
However, I am afraid my app can't pass through app review now. Can you clarify if I can use sessions and how it is possible?
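The cookie-free approach suggested in the comments, sketched as an added example (not code from this thread or from Shopify's sample app): verify the session token sent in the `Authorization` header, then key server-side session data on the shop and user it names instead of on a session cookie. It assumes the token is an HS256 JWT signed with the app secret and carrying `aud`, `dest`, `sub`, `nbf` and `exp` claims; the function names, the placeholder credentials and the `SESSIONS` dict (standing in for Django's `SessionStore`) are hypothetical.

```python
import base64, hashlib, hmac, json, time

API_KEY = "example-api-key"        # constructed placeholder, not a real key
API_SECRET = "example-api-secret"  # constructed placeholder, not a real secret
SESSIONS = {}  # stand-in for a server-side store such as Django's SessionStore

class InvalidToken(Exception): pass

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_session_token(token, now=None, leeway=5):
    """Return the claims of a valid HS256 session token, else raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise InvalidToken("malformed token") from exc
    if header.get("alg") != "HS256":  # never accept "none" or another algorithm
        raise InvalidToken("unexpected algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(API_SECRET.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    if claims.get("aud") != API_KEY or not (claims.get("dest") and claims.get("sub")):
        raise InvalidToken("wrong audience or missing shop/user claim")
    if not (claims.get("nbf", 0) - leeway <= now <= claims.get("exp", 0) + leeway):
        raise InvalidToken("token expired or not yet valid")
    return claims

def load_session(auth_header, now=None):
    """Map 'Authorization: Bearer <token>' to a per-shop, per-user session dict."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer":
        raise InvalidToken("missing bearer token")
    claims = verify_session_token(token, now)
    key = hashlib.sha256(f"{claims['dest']}|{claims['sub']}".encode()).hexdigest()
    return SESSIONS.setdefault(key, {})

def make_token(claims, secret=API_SECRET):  # builds constructed sample tokens only
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    signed = enc(b'{"alg":"HS256","typ":"JWT"}') + "." + enc(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signed.encode(), hashlib.sha256).digest()
    return f"{signed}.{enc(sig)}"
```

In a Django view the same lookup would sit in a decorator or middleware, with the returned dict taking the place of `request.session`.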