Forum: Ruby on Rails SSL Certificate and cookies

unknown (Guest)
on 2007-02-22 07:36
(Received via mailing list)
Hi there

I have an SSL Certificate issued for mydomain.com (not www.mydomain.com)

I'm stuck with the scenario where a user visits www.mydomain.com and
logs in so that a cookie is set by www.mydomain.com

Then they go to checkout and are redirected to https://mydomain.com -
now they are not seen as logged in as the cookie was issued by
www.mydomain.com not mydomain.com and so are then getting redirected
to the login page.

I'm using acts_as_authenticated and all is fine except for this issue.
Any clues would be appreciated.

Richard
Chris G. (Guest)
on 2007-02-22 09:03
(Received via mailing list)
If it were me, I'd force my web server or proxy to redirect all
www.domain.com requests to domain.com.  It's fairly easy.

For instance, this is how you do it using nginx:

# redirect www to non-www (for cookies)
if ($host != 'domain.com' ) {
    rewrite  ^/(.*)$  http://domain.com/$1  permanent;
}

Of course, you'd want to add logic so that you're not redirecting your
SSL traffic to a non-SSL host ... but you get the drift.

Hope that helps...

-Chris
Dee Z. (Guest)
on 2007-02-22 11:02
(Received via mailing list)
removed_email_address@domain.invalid wrote:
> I have an SSL Certificate issued for mydomain.com (not www.mydomain.com)
>
> I'm stuck with the scenario where a user visits www.mydomain.com and
> logs in so that a cookie is set by www.mydomain.com
>
> Then they go to checkout and are redirected to https://mydomain.com -
> now they are not seen as logged in as the cookie was issued by www.mydomain.com
> not mydomain.com and so are then getting redirected to the login page.

You can set the domain for your session cookie to be ".mydomain.com", thus
regardless of the subdomain session state will be kept. A simple way would
be to add this line to your production.rb:

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".mydomain.com")


Zsombor
--
Company  - http://primalgrasp.com
Thoughts - http://deezsombor.blogspot.com
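
Why the login is lost on mydomain.com, and what the ".mydomain.com" session domain changes, shown as an added example that is not part of the original posts: a minimal Ruby model of RFC 6265 cookie scoping. The cookie name and the extra hosts are constructed for illustration; note that the widened cookie is also sent to every other subdomain of mydomain.com.

```ruby
# Added example (not from the thread): RFC 6265 cookie scoping for the
# hosts discussed above. Cookie name and extra hosts are constructed.

Cookie = Struct.new(:name, :domain, :host_only)

# Build the stored cookie the way a browser does (RFC 6265, section 5.3):
# no Domain attribute -> host-only cookie bound to the exact request host;
# Domain attribute    -> leading dot stripped, must domain-match the host.
def store_cookie(name, request_host, domain_attr = nil)
  host = request_host.downcase
  return Cookie.new(name, host, true) if domain_attr.nil? || domain_attr.empty?

  domain = domain_attr.downcase.sub(/\A\./, "")
  # A host may not set a cookie for a domain it does not belong to.
  return nil unless domain_match?(host, domain)

  Cookie.new(name, domain, false)
end

# RFC 6265, section 5.1.3: identical, or host ends with "." + domain.
# (IP-address hosts never suffix-match; only names are handled here.)
def domain_match?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# Would the browser attach this cookie to a request for +host+?
def sent_to?(cookie, host)
  host = host.downcase
  cookie.host_only ? host == cookie.domain : domain_match?(host, cookie.domain)
end

# Names of all cookies in +jar+ that would be sent to +host+.
def cookies_for(jar, host)
  jar.compact.select { |c| sent_to?(c, host) }.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  default = store_cookie("_session_id", "www.mydomain.com")
  widened = store_cookie("_session_id", "www.mydomain.com", ".mydomain.com")
  %w[www.mydomain.com mydomain.com shop.mydomain.com notmydomain.com].each do |h|
    puts format("%-20s default=%-5s widened=%s", h, sent_to?(default, h), sent_to?(widened, h))
  end
end
```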