What I want to do is share the same session across many Rails applications.
All of them are using Rails 2.2.2. I know that, to share the session, it’s (supposedly) just a matter of sharing the same key and secret among the apps, like this:
This being put in config/environment.rb of all the apps you want the session to be shared with.
Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.
One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret].
What I would like to know is, if I’m setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of different nature?
This being put in config/environment.rb of all the apps you want the session to be shared with.
Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.
There is more you need to do: the browser won’t send the cookie from app1.example.com when the user’s browser makes a request to app2.example.com. There is an option called something like :session_domain that allows you to set the domain used by your session cookie (I think it changed to :domain for 2.3).
One thing that I noted, though, is that these apps are also providing a
:secret to protect_from_forgery, and the number is different from the number
passed to the :secret on config.action_controller.session[:secret].
What I would like to know is, if I’m setting the secret in
config.action_controller.session, do I need to pass it to
protect_from_forgery? Or are they secrets of different nature?
The two are mostly unrelated if my memory is correct.
Fred
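The two conditions discussed in this thread, shown as an added example that is not part of the original posts: a signed session cookie only verifies in another app that holds the same secret, and the browser only sends it to another host when the cookie's domain covers that host. The cookie format (base64 of the marshalled session, `--`, HMAC-SHA1 hex digest) is modelled on the Rails 2.x cookie store; the secrets, helper names and session contents are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample secrets; not taken from the thread.
SHARED_SECRET = 'a' * 64
OTHER_SECRET  = 'b' * 64

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Build the cookie value: base64(Marshal.dump(session)) + "--" + digest.
def sign_session(session, secret)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{hmac_hex(secret, data)}"
end

# Constant-time comparison so the check does not leak digest prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash if the digest verifies under `secret`, else nil.
def verify_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_equal?(hmac_hex(secret, data), digest)
  Marshal.load(data.unpack1('m0')) # unmarshal only after the MAC check
end

# Would a browser attach the cookie to a request for `request_host`?
# cookie_domain nil means a host-only cookie (no domain option set).
def cookie_sent?(set_by_host, cookie_domain, request_host)
  return request_host == set_by_host if cookie_domain.nil?
  bare = cookie_domain.sub(/\A\./, '')
  request_host == bare || request_host.end_with?(".#{bare}")
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'user_id' => 42 }, SHARED_SECRET)
  p verify_session(cookie, SHARED_SECRET)  # app holding the same secret
  p verify_session(cookie, OTHER_SECRET)   # app holding a different secret
  p cookie_sent?('app1.example.com', nil, 'app2.example.com')
  p cookie_sent?('app1.example.com', '.example.com', 'app2.example.com')
end
```

Setting the cookie domain to the parent domain exposes the session cookie to every host under it, so each of those hosts has to be trusted with the session.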