Can I still use request.session in Django for embedded apps? #53

Open
sillycube opened this issue Apr 12, 2021 · 6 comments

Comments

sillycube commented Apr 12, 2021

By default, Django uses cookies to store the session id. If I use sessions to store data, a cookie must be used. Even if I implement session token authentication (which is a must for Shopify app review now), it doesn't help remove this cookie.

Does it mean that if I'm using sessions in Django, I can no longer make it an embedded app? In other words, the app must be standalone?

I'm asking because I'm referring to this repo to implement auth in an embedded app:

```python
# in def authenticate(request):
request.session['shopify_oauth_state_param'] = state

# in def finalize(request):
if request.session['shopify_oauth_state_param'] != params['state']:
    messages.error(request, 'Anti-forgery state token does not match the initial request.')
```

However, I am afraid my app can't pass app review now. Can you clarify whether I can use sessions and how it is possible?

@paulomarg

Hey @sillycube, unfortunately embedded apps are no longer allowed to use any cookies, because any cookies set by your app will be 3rd party cookies, and browsers are making it harder to use those.

What you can do is use the session token that App Bridge sends when calling authenticatedFetch to store a session in your server. You can parse the JWT token in the Authorization: Bearer HTTP header and use e.g. the shop (dest) and user (sub) fields from the payload to create a unique id and store your session data based on that id.
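As an added illustration of this suggestion (not code from this repo or from Shopify's sample app): a Django view or decorator has to verify the Bearer token before trusting its `dest` and `sub` claims, and can then derive a stable session key from them instead of reading a cookie. It assumes Shopify's session tokens are HS256 JWTs signed with the app's API secret and carrying `aud` (API key), `exp`, `nbf` and `iss`; every shop, key and user value below is constructed, and `make_session_token` exists only to build sample input.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

# Constructed sample values: a real token arrives from App Bridge via authenticatedFetch.
API_KEY, API_SECRET = "constructed_api_key", "constructed_api_secret"
SAMPLE_CLAIMS = {"iss": "https://example-shop.myshopify.com/admin", "dest": "https://example-shop.myshopify.com",
                 "aud": API_KEY, "sub": "42", "exp": 1_700_000_060, "nbf": 1_700_000_000, "iat": 1_700_000_000}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_session_token(claims, api_secret):
    """Mint an HS256 JWT the way App Bridge would; used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(api_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_session_token(token, api_secret, api_key, now=None):
    """Check the Bearer token's signature and claims before trusting dest/sub; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token header choose it (rejects alg=none).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(api_secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token expired or not yet valid")
    if claims["aud"] != api_key:
        raise ValueError("token was issued for a different app")
    if urlparse(claims["iss"]).netloc != urlparse(claims["dest"]).netloc:
        raise ValueError("iss and dest name different shops")
    return claims

def session_key_for(claims):
    """Stable per-shop, per-user key to replace the cookie-borne session id (e.g. for SessionStore)."""
    return hashlib.sha256(f"{claims['dest']}|{claims['sub']}".encode()).hexdigest()

if __name__ == "__main__":
    token = make_session_token(SAMPLE_CLAIMS, API_SECRET)
    print(session_key_for(verify_session_token(token, API_SECRET, API_KEY, now=1_700_000_030)))
```

The returned key is deterministic for a given shop and user, so the server-side session survives across requests without any cookie, and every request re-verifies the token before the key is used.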

@sillycube (Author)

Thanks for your prompt reply. I guess you mean using sessions outside the view with SessionStore, using the id as the key of the session. But I've been using many request.session calls in my view functions. It may take a lot of time to do the refactoring.

Comparing the benefits and costs, the non-embedded approach may be better for me. And I don't need to take care of session token auth and Django session cookie anymore.

Hopefully, your team can suggest a better approach for Python / Django developers. I find it painful following the session token auth, OAuth, App Bridge documentation and the sample Django app, but it can't go through app review. It's just too hard to implement all of these without concrete examples. I personally spent a month studying all of them and going back and forth with the app review team.

@paulomarg

Thank you for that feedback, we'll take it under consideration! We've recently produced an example app using Django and session tokens, so hopefully that can give you some useful insights into how they can be used.

You can visit https://github.com/shopify/sample-django-app for that.

@sillycube (Author)

Thanks, @paulomarg. I didn't realize that there is a new sample Django app! I still have an old Shopify app using EASDK. Shopify has asked us to upgrade it to App Bridge & Session token auth. Hope the repo can help me and the others.

At first glance, I found it quite interesting. It didn't use middleware to parse the session token as suggested by the docs. Instead, it used decorators to wrap the functions. Also, it's great to use CDNs without bundling with a build system.

Can this sample app work completely without third-party cookies?

@paulomarg

Yes, I believe that app is using session tokens throughout!

@keshav-1504

Is there any update on this? I am getting a protected customer permission error when I run the sample Django app.
