Forum: Ruby on Rails Preserving sessions across domain names
phil (Guest)
on 2005-12-03 04:07
(Received via mailing list)
We're working on an on-line store app where the user picks items to
buy in a non-secure area, and then submits their order details in a
secure area (https://) that has a different domain name, but is the
same physical server.

Is there an easy way to preserve sessions across that jump to the
other domain?


Phil
snacktime (Guest)
on 2005-12-03 07:27
(Received via mailing list)
On 12/2/05, Philip E. <removed_email_address@domain.invalid> wrote:
>
>
> We're working on a on-line store app where the user picks items to
> buy in a non-secure area, and then submits their order details in a
> secure area (https://) that has a different domain name, but is the
> same physical server.
>
> Is there an easy way to preserve sessions across that jump to the
> other domain?

Since the session is tied to a cookie, probably not.  This is just a
guess since I haven't looked closely at how rails sessions work in
detail, but you could probably grab the session id from the cookie and
pass it to the other site, which could then use that id to get the
session object and copy whatever variables you need.

You are probably far better off not doing that though and just have
the whole order process on the same domain.

Chris
mailinglists (Guest)
on 2005-12-03 08:40
(Received via mailing list)
Philip E. wrote:

> We're working on a on-line store app where the user picks items to
> buy in a non-secure area, and then submits their order details in a
> secure area (https://) that has a different domain name, but is the
> same physical server.
>
> Is there an easy way to preserve sessions across that jump to the
> other domain?

That depends on what you mean by other domain. It's possible to share
cookies (and thus cookie-based sessions) between for example
secure.company.tld and www.company.tld. But it's not possible to
share them between first.tld and second.tld. These restrictions are due
to security reasons (so that cookies can't be read by other Web
sites) and are defined in RFC 2109.
http://www.w3.org/Protocols/rfc2109/rfc2109

I strongly recommend using the same domain for the whole site - it
gets very complicated otherwise. What is your motivation for not
using the same domain?

Regards,
Patrice
mailinglists (Guest)
on 2005-12-03 08:40
(Received via mailing list)
Patrice Neff wrote:

> This restrictions are due to security reasons (so that cookies
> can't be read by other Web sites) and are defined in the RFC 2109.
> http://www.w3.org/Protocols/rfc2109/rfc2109

Correction: the current RFC for that is 2965 which obsoletes 2109.
http://www.ietf.org/rfc/rfc2965.txt

Patrice
phil (Guest)
on 2005-12-03 09:04
(Received via mailing list)
On Dec 2, 2005, at 10:35 PM, Patrice Neff wrote:

> Depending on what you mean by other domain. It's possible to share
> cookies (and thus cookie-based sessions) between for example
> secure.company.tld and www.company.tld. But it's not possible to
> share it between first.tld and second.tld. This restrictions are
> due to security reasons (so that cookies can't be read by other Web
> sites) and are defined in the RFC 2109.
> http://www.w3.org/Protocols/rfc2109/rfc2109
>
> I strongly recommend using the same domain for the whole site - it
> gets very complicated otherwise. What is your motivation for not
> using the same domain?


Oh, we're doing "www.myhappydomain.com" and
"secure.myhappydomain.com" (making up the domain don't bother looking
it up  ;'), so it's the same domain technically. (and same IP)  We
use different names for legacy and technical reasons (don't ask).

Still though, I've used other environments in the past which just
pass the session ID across as a submit (GET or POST) and it
automagically preserves the session.  I couldn't find an easy way to do
that in Rails?

Thanks!


Phil
mailinglists (Guest)
on 2005-12-03 09:49
(Received via mailing list)
Philip E. wrote:

> Oh, we're doing "www.myhappydomain.com" and
> "secure.myhappydomain.com" (making up the domain don't bother
> looking it up  ;'), so it's the same domain technically. (and same
> IP)  We use different names for legacy and technical reasons (don't
> ask).
>
> Still though, I've used other environments in the pass which just
> pass the session ID across as a submit (GET or POST) and it
> automagicly preserves the session.  I couldn't find an easy way to
> do that Rails?

You can change the cookie options by setting parameters of
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS. According to
http://wiki.rubyonrails.com/rails/pages/HowtoChang... the
key for setting the domain is "session_domain". So try the following
code in your production environment (environments/production.rb):
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")

Please tell me if this works.

Regards,
Patrice Neff
dee.zsombor (Guest)
on 2005-12-03 10:26
(Received via mailing list)
Phil,

What you need is to set the rails session cookie to .myhappydomain.com
instead of the default myhappydomain.com. You should do this anyway as
you would want to preserve the sessions regardless of whether the user
types your domain with www or without.

Put the following code in conf/environments/production.rb

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(
:session_domain => '.myhappydomain.com')

HTH,
Zsombor

--
Company  - http://primalgrasp.com
Glu4You  - http://suprglu.com
Thoughts - http://deezsombor.blogspot.com
phil (Guest)
on 2005-12-03 21:39
(Received via mailing list)
On Dec 2, 2005, at 11:47 PM, Patrice Neff wrote:

>> automagicly preserves the session.  I couldn't find an easy way to
>
> Please tell me if this works.

Thanks.  Seems simple enough.

Unfortunately, I won't be able to try it until we go live since this
is an upgrade to the old site.  I'm concerned that this may depend
too much on browser/security settings and other client-side details.
Since this would break the shopping process (the most important part)
if it didn't work, it would still be very bad if it didn't work for a
minority of folks.  It also makes testing on a dev server a little
trickier, too.

In other development environments, I've 'bridged the gap' by
submitting the session id to the other domain, which forces the
session, if needed.  No Rails magic here to do the same?


Phil
snacktime (Guest)
on 2005-12-03 23:31
(Received via mailing list)
On 12/3/05, Philip E. <removed_email_address@domain.invalid> wrote:
> >>
> > production.rb):
> > ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update
> > (:session_domain => ".myhappydomain.com")
> >
> > Please tell me if this works.
>
> Thanks.  Seems simple enough.
>
> Unfortunately, I won't be able to try it until we go live since this
> is an upgrade to the old site.  I'm concerned that this may depend
> too much on browser/security settings and other client-side details.

It doesn't.  But your problem is that even though your sites are all
on the same domain, one is served via ssl and the other is not.
Cookies won't persist from a non ssl url to an ssl url.

Chris
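To make the cookie scoping discussed in this thread concrete, here is an added Ruby example (not code from the thread or from Rails) that models how a browser decides whether to attach a session cookie to a request, following the domain-matching rules of RFC 6265, which superseded the RFC 2109/2965 cited above. It shows the default host-only cookie failing the www-to-secure jump, the `.myhappydomain.com` Domain cookie reaching both hosts, and that only a cookie carrying the Secure attribute is withheld from plain http; the cookie values and hostnames are constructed for the example.

```ruby
require 'uri'

# A cookie as the server set it. domain: nil models a host-only cookie
# (no Domain attribute, the default the thread starts from).
Cookie = Struct.new(:name, :domain, :secure, :set_on_host, keyword_init: true)

# RFC 6265 domain matching: the request host equals the cookie domain or is a
# subdomain of it. A leading dot on the attribute (as in the thread) is ignored.
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase.sub(/\A\./, '')
  host == domain || host.end_with?(".#{domain}")
end

# Would a browser attach this cookie to a request for url?
def sent_to?(cookie, url)
  uri = URI.parse(url)
  return false if cookie.secure && uri.scheme != 'https' # Secure: https only
  if cookie.domain.nil?
    uri.host.downcase == cookie.set_on_host.downcase     # host-only cookie
  else
    domain_match?(uri.host, cookie.domain)
  end
end

# Constructed cookies modelling the thread's configurations.
# Default: host-only, so it never reaches secure.myhappydomain.com.
DEFAULT_COOKIE = Cookie.new(name: '_session_id', domain: nil, secure: false,
                            set_on_host: 'www.myhappydomain.com')
# Domain=.myhappydomain.com: shared by www and secure, but note that this
# also exposes the session id to every other subdomain of myhappydomain.com.
SHARED_COOKIE  = Cookie.new(name: '_session_id', domain: '.myhappydomain.com',
                            secure: false, set_on_host: 'www.myhappydomain.com')
# Secure attribute set: never sent over plain http, so this is the one case
# in which the cookie cannot follow the user back to the non-ssl pages.
SECURE_COOKIE  = Cookie.new(name: '_session_id', domain: '.myhappydomain.com',
                            secure: true, set_on_host: 'secure.myhappydomain.com')

# Map each URL to whether the cookie would accompany a request for it.
def report(cookie, urls)
  urls.map { |u| [u, sent_to?(cookie, u)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  urls = %w[http://www.myhappydomain.com/cart
            https://secure.myhappydomain.com/checkout
            https://www.example.net/]
  [DEFAULT_COOKIE, SHARED_COOKIE, SECURE_COOKIE].each do |c|
    puts "domain=#{c.domain.inspect} secure=#{c.secure}: #{report(c, urls)}"
  end
end
```

The model covers only Domain and Secure; Path, Expires and the cookie store type do not change the cross-host outcome the thread is asking about.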