We are using SSO, and noticed that users on our Live server were being matched up to Disqus users created by our Testing server. When I asked Disqus about this they replied with this:
> The remote SSO domain is actually shared between all shortnames under a single account. Assuming you're passing the same IDs from both sites, they're "crossing streams" in the same database. Sorry if this wasn't clear before — we generally recommend appending the shortname to the ID if you think they might conflict. So for these production users, you will want to quickly change the ID schema to be something like '12345production' (12345 being your intended ID).
The obvious fix is to use a different account for testing and prod, but we have several prod sites that use the same Disqus account, so if they all start using SSO, this would be a major security problem. We should change the User ID that is passed to Disqus to have the site shortname appended to it.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | disqus-sso-1496500-2.patch | 533 bytes | mdorrell |
Comments
Comment #1
robloach
When in testing, append a "_sitename" to the uid that's passed to Disqus?
Comment #2
mdorrell commented
Yeah, that's what I mean. I prepended the sitename, since it seems cleaner. I have attached a patch for the 6.x-1.8 version, since that is what I'm working off of. Be careful if you change this on a system that has already been connected to Disqus: users will have to reconnect the account SSO creates to their real account.
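
Added example, not part of the thread or the attached patch: a sketch of scoping the SSO user ID to the site shortname before it goes into the signed payload, laid out in Disqus's documented `remote_auth_s3` format. The function names, shortnames, account data and secret are constructed for illustration. The `_` delimiter goes slightly beyond what the thread settles on, because a bare prefix or suffix can still collide when one shortname is a prefix of another.

```php
<?php
// Added example: names, shortnames, and the secret below are constructed.

// Site-scoped Disqus ID. The uid is an integer and follows the last "_",
// so the result is unambiguous whatever characters the shortname contains.
function example_remote_id(string $shortname, int $uid): string {
  if ($shortname === '' || $uid <= 0) {
    throw new InvalidArgumentException('Need a shortname and a logged-in uid.');
  }
  return $shortname . '_' . $uid;
}

// Disqus remote_auth_s3 value: "<base64 JSON> <HMAC-SHA1 hex> <timestamp>".
function example_sso_payload(string $shortname, array $account, string $secret, int $now): string {
  $message = base64_encode(json_encode([
    'id' => example_remote_id($shortname, $account['uid']),
    'username' => $account['name'],
    'email' => $account['mail'],
  ]));
  $signature = hash_hmac('sha1', $message . ' ' . $now, $secret);
  return $message . ' ' . $signature . ' ' . $now;
}

$account = ['uid' => 12345, 'name' => 'alice', 'mail' => 'alice@example.com'];
$secret = 'constructed-secret-key';
$now = time();

// Same local uid on two sites of one Disqus account: the remote IDs differ.
foreach (['example-test', 'example-live'] as $shortname) {
  $payload = example_sso_payload($shortname, $account, $secret, $now);
  $decoded = json_decode(base64_decode(explode(' ', $payload)[0]), true);
  echo $shortname, ' -> ', $decoded['id'], PHP_EOL;
}

// Plain concatenation without a delimiter can still collide across sites.
var_dump(('blog' . 12) === ('blog1' . 2));
// The delimited form keeps the same two users apart.
var_dump(example_remote_id('blog', 12) === example_remote_id('blog1', 2));
```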