Forcing the session-id

We’re going to have problems keeping cookies across domains. We want
people to shop in one domain (e.g. “booksareus.com”) and then checkout
on the same server securely under a different domain (e.g.
“greatbooks.com”). When we make the jump to the secure domain (the
checkout link) can we submit the user’s session ID along with it and
have it ‘stick’ somehow so we don’t lose their cart?

Thanks!

Phil

Hi !

2005/12/13, Philip E. [email protected]:

> We’re going to have problems keeping cookies across domains. We want
> people to shop in one domain (e.g. “booksareus.com”) and then checkout
> on the same server securely under a different domain (e.g.
> “greatbooks.com”). When we make the jump to the secure domain (the
> checkout link) can we submit the user’s session ID along with it and
> have it ‘stick’ somehow so we don’t lose their cart?

In an app I’m coding currently, I pass the session ID in the URL, as
query parameters. CGI knows how to extract it from the request
instead of the cookies. I don’t know though if a cookie is then sent
along on the subsequent response. Haven’t checked.

Bye !

Philip,

This is what I do in environment_mods.rb (required at the end of
environment.rb) for one project that has 10+ rails sites sharing
sessions.

session_options = Hash.new
session_options[:database_manager] = CGI::Session::PStore
session_options[:prefix] = 'xyz_'
session_options[:tmpdir] = '/home/xyz/pstore'

# Cookie: the leading dot makes the session cookie valid for every *.xyz.com host

session_options[:session_domain] = '.xyz.com'
session_options[:session_key] = 'xyzapp'

# Assign: merge these settings into the defaults Rails uses for every request

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(session_options)

Hope it helps,

Adrian M.
HyperX Inc.
Mobile: 801.815.1870
Office: 801.566.0670
[email protected]

9000 S. 45 W.
Sandy, UT 84070

Francois B. wrote:

> In an app I’m coding currently, I pass the session ID in the URL, as
> query parameters. CGI knows how to extract it from the request
> instead of the cookies. I don’t know though if a cookie is then sent
> along on the subsequent response. Haven’t checked.

Thanks, this is similar to what we ended up doing. We have a simple
little Perl (gasp!) CGI which gets the cookies submitted to it and then
it resets them in the new domain. It’s just too messy to try to do it
within the Rails framework. It tries to create a new session before we
get a chance, a before-filter does a redirect to a login because the
session is apparently empty, etc.

Despite RFCs and cookie domain settings, it seems that some browsers
(cough firefox) still get very picky about when and who to send
cookies to. It also is likely that security settings would affect how
cookies (and therefore sessions) get passed between domains and
protocols (i.e. http vs https).

Anyways, here’s a version of our CGI for those who might find it
helpful. We call it in the target domain and protocol where it sets the
session and our other cookie, then redirects to $URL:

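#!/usr/bin/perl

use CGI;

# Where to send the browser once the cookies are set in this domain.
my $URL = "https://secure.xxx.com/checkout/summary";

my $cgi = new CGI();
my $sessionid = $cgi->param('session_id');
my $xxx_zip   = $cgi->param('xxx_zip');

# Strip CR/LF so a crafted parameter cannot inject extra response headers.
for ($sessionid, $xxx_zip) { $_ = '' unless defined; s/[\r\n]//g; }

# Re-issue both cookies under the current (secure) domain, then redirect.
print "Set-Cookie: xxx_zip=".$xxx_zip."; path=/\n";
print "Set-Cookie: _session_id=".$sessionid."; path=/\n";
print "Cache-Control: no-cache\n";
print "Location: $URL\n";
print "Connection: close\n";
print "Content-Type: text/html; charset=UTF-8\n\n";

# Fallback for clients that do not follow the Location header.
print "<meta http-equiv=\"refresh\" content=\"0;URL=".$URL."\">\n";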
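
An added example, not part of the thread and not any poster's code: the same cross-domain handoff done with a random, short-lived, single-use token in the checkout link, so the session ID itself never appears in a URL, log or Referer header. `HandoffStore`, `checkout_cookie` and the in-memory Hash are hypothetical names and stand in for storage that both domains' apps can reach on the shared server.

```ruby
require 'securerandom'

# Added illustration: HandoffStore and its method names are hypothetical.
# An in-memory Hash stands in for storage both domains' apps can reach
# (they run on the same server in the thread's setup).
class HandoffStore
  TOKEN_FORMAT = /\A[0-9a-f]{32}\z/   # shape of the tokens issued below
  TTL = 60                            # seconds a checkout link stays valid

  def initialize
    @pending = {}                     # token => [session_id, expires_at]
  end

  # Shopping domain: called when rendering the checkout link.
  def issue(session_id, now = Time.now.to_i)
    @pending.delete_if { |_, (_, expires_at)| expires_at < now }  # purge stale
    token = SecureRandom.hex(16)
    @pending[token] = [session_id, now + TTL]
    token
  end

  # Checkout domain: returns the session id to put in the cookie, or nil.
  def redeem(token, now = Time.now.to_i)
    # Reject anything that is not exactly a token we could have issued;
    # this also keeps CR/LF and other header metacharacters out.
    return nil unless token.is_a?(String) && token =~ TOKEN_FORMAT
    session_id, expires_at = @pending.delete(token)   # delete => single use
    return nil if session_id.nil? || now > expires_at
    session_id
  end
end

# Builds the Set-Cookie line for the checkout domain; nil means "reject".
# The value comes from the server-side store, never from the request.
def checkout_cookie(store, token, now = Time.now.to_i)
  session_id = store.redeem(token, now)
  return nil unless session_id
  "Set-Cookie: _session_id=#{session_id}; path=/; secure; HttpOnly"
end
```

A nil result should end in an error page or a fresh session rather than a redirect into checkout.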