Config.action_controller.session[:secret] vs protect_from_forgery :secret

What I want to do is share the same session across many Rails applications.
All of them are using Rails 2.2.2. I know that, to share the session, it's
(supposedly) just a matter of sharing the same key and secret among the
apps, like this:

config.action_controller.session = {
  :session_key => '_apps_session',
  :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'
}

This is put in config/environment.rb of all the apps you want the session
to be shared with.

Now, some of the apps are returning in the HTTP response a session id
(_apps_session=big number) that is different, even though they have the
same session_key and secret.

One thing that I noted, though, is that these apps are also providing a
:secret to protect_from_forgery, and the number is different from the
number passed to the :secret on config.action_controller.session[:secret].

What I would like to know is, if I'm setting the secret in
config.action_controller.session, do I need to pass it to
protect_from_forgery? Or are they secrets of a different nature?

Thanks,

Marcelo.

On Oct 13, 5:20 pm, Marcelo de Moraes S. [email protected] wrote:

> This is put in config/environment.rb of all the apps you want the session
> to be shared with.

> Now, some of the apps are returning in the HTTP response a session id
> (_apps_session=big number) that is different, even though they have the same
> session_key and secret.

There is more you need to do: the browser won't send the cookie from
app1.example.com when the user's browser makes a request to
app2.example.com. There is an option called something
like :session_domain that allows you to set the domain used by your
session cookie (I think it changed to :domain for 2.3).

> One thing that I noted, though, is that these apps are also providing a
> :secret to protect_from_forgery, and the number is different from the number
> passed to the :secret on config.action_controller.session[:secret].

> What I would like to know is, if I'm setting the secret in
> config.action_controller.session, do I need to pass it to
> protect_from_forgery? Or are they secrets of a different nature?

The two are mostly unrelated if my memory is correct.

Fred
