Preserving sessions across domain names

We’re working on an on-line store app where the user picks items to
buy in a non-secure area, and then submits their order details in a
secure area (https://) that has a different domain name, but is the
same physical server.

Is there an easy way to preserve sessions across that jump to the
other domain?

Phil

Philip E. wrote:

We’re working on an on-line store app where the user picks items to
buy in a non-secure area, and then submits their order details in a
secure area (https://) that has a different domain name, but is the
same physical server.

Is there an easy way to preserve sessions across that jump to the
other domain?

Depending on what you mean by other domain. It’s possible to share
cookies (and thus cookie-based sessions) between for example
secure.company.tld and www.company.tld. But it’s not possible to
share it between first.tld and second.tld. These restrictions are due
to security reasons (so that cookies can’t be read by other Web
sites) and are defined in the RFC 2109.
http://www.w3.org/Protocols/rfc2109/rfc2109

I strongly recommend using the same domain for the whole site - it
gets very complicated otherwise. What is your motivation for not
using the same domain?

Regards,
Patrice

On 12/2/05, Philip E. wrote:

We’re working on an on-line store app where the user picks items to
buy in a non-secure area, and then submits their order details in a
secure area (https://) that has a different domain name, but is the
same physical server.

Is there an easy way to preserve sessions across that jump to the
other domain?

Since the session is tied to a cookie, probably not. This is just a
guess since I haven’t looked closely at how rails sessions work in
detail, but you could probably grab the session id from the cookie and
pass it to the other site, which could then use that id to get the
session object and copy whatever variables you need.

You are probably far better off not doing that though and just have
the whole order process on the same domain.

Chris

Patrice Neff wrote:

These restrictions are due to security reasons (so that cookies
can’t be read by other Web sites) and are defined in the RFC 2109.
http://www.w3.org/Protocols/rfc2109/rfc2109

Correction: the current RFC for that is 2965 which obsoletes 2109.
http://www.ietf.org/rfc/rfc2965.txt

Patrice

On Dec 2, 2005, at 10:35 PM, Patrice Neff wrote:

Depending on what you mean by other domain. It’s possible to share
cookies (and thus cookie-based sessions) between for example
secure.company.tld and www.company.tld. But it’s not possible to
share it between first.tld and second.tld. These restrictions are
due to security reasons (so that cookies can’t be read by other Web
sites) and are defined in the RFC 2109.
http://www.w3.org/Protocols/rfc2109/rfc2109

I strongly recommend using the same domain for the whole site - it
gets very complicated otherwise. What is your motivation for not
using the same domain?

Oh, we’re doing “www.myhappydomain.com” and
“secure.myhappydomain.com” (making up the domain, don’t bother looking
it up ;'), so it’s the same domain technically. (and same IP) We
use different names for legacy and technical reasons (don’t ask).

Still though, I’ve used other environments in the past which just
pass the session ID across as a submit (GET or POST) and it
automagically preserves the session. I couldn’t find an easy way to do
that in Rails?

Thanks!

Phil

Philip E. wrote:

Oh, we’re doing “www.myhappydomain.com” and
“secure.myhappydomain.com” (making up the domain, don’t bother
looking it up ;'), so it’s the same domain technically. (and same
IP) We use different names for legacy and technical reasons (don’t
ask).

Still though, I’ve used other environments in the past which just
pass the session ID across as a submit (GET or POST) and it
automagically preserves the session. I couldn’t find an easy way to
do that in Rails?

You can change the cookie options by setting parameters of
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS. According to
Peak Obsession the
key for setting the domain is “session_domain”. So try the following
code in your production environment (environments/production.rb):
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")

Please tell me if this works.

Regards,
Patrice Neff

Phil,

What you need is to set the rails session cookie to .myhappydomain.com
instead of the default myhappydomain.com. You should do this anyway as
you
would want to preserve the sessions regardless if the users types your
domain with www or without.

Put the following code in conf/environments/production.rb

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(
  :session_domain => '.myhappydomain.com')

HTH,
Zsombor


Company - http://primalgrasp.com
Glu4You - http://suprglu.com
Thoughts - http://deezsombor.blogspot.com
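The two answers above (Patrice's point that cookies are shared between sibling hosts only when the cookie is scoped to the parent domain, and Zsombor's :session_domain setting) come down to how a browser decides which cookies to attach to a request. The following is an added example, not code from the thread or from Rails: a small pure-Ruby model of that decision (domain matching as in RFC 6265 section 5.1.3, plus the Secure attribute), using the made-up myhappydomain.com hostnames from the thread.

```ruby
# Added example (not from the thread): a minimal model of browser cookie
# scoping. It shows why a host-only cookie set by www.myhappydomain.com is
# not sent to secure.myhappydomain.com, why a Domain=.myhappydomain.com
# cookie is, and why a Secure cookie never travels back over plain http.
# Domain matching follows RFC 6265 section 5.1.3; hostnames are made up.

Cookie = Struct.new(:name, :domain, :host_only, :secure)

# Build a cookie the way a browser stores a Set-Cookie: a leading dot in
# Domain is ignored; no Domain attribute makes the cookie host-only.
def cookie_from_set_cookie(name, set_host, domain: nil, secure: false)
  if domain.nil?
    Cookie.new(name, set_host.downcase, true, secure)
  else
    Cookie.new(name, domain.downcase.sub(/\A\./, ""), false, secure)
  end
end

# RFC 6265 domain-match: host equals the domain or ends with "." + domain.
def domain_match?(host, domain)
  host = host.downcase
  host == domain || host.end_with?(".#{domain}")
end

# Would the browser attach this cookie to a request for scheme://host/ ?
def sent_to?(cookie, scheme, host)
  return false if cookie.secure && scheme != "https"
  if cookie.host_only
    host.downcase == cookie.domain
  else
    domain_match?(host, cookie.domain)
  end
end

# Default: the session cookie is host-only for the host that set it.
DEFAULT_SESSION = cookie_from_set_cookie("_session_id", "www.myhappydomain.com")
# After :session_domain => ".myhappydomain.com" (shared with all subdomains).
SHARED_SESSION  = cookie_from_set_cookie("_session_id", "www.myhappydomain.com",
                                         domain: ".myhappydomain.com")
# Same shared domain, but flagged Secure when set by the https host.
SECURE_SESSION  = cookie_from_set_cookie("_session_id", "secure.myhappydomain.com",
                                         domain: ".myhappydomain.com", secure: true)

if __FILE__ == $0
  puts sent_to?(DEFAULT_SESSION, "https", "secure.myhappydomain.com") # false
  puts sent_to?(SHARED_SESSION,  "https", "secure.myhappydomain.com") # true
  puts sent_to?(SECURE_SESSION,  "http",  "www.myhappydomain.com")    # false
end
```

The last case is the caveat to keep in mind when one side of the store is https: a session cookie issued with the Secure attribute is never sent back to the plain-http www host, so the two hosts must agree on the cookie's domain and on whether it is marked Secure.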

On Dec 2, 2005, at 11:47 PM, Patrice Neff wrote:

automagically preserves the session. I couldn’t find an easy way to

Please tell me if this works.

Thanks. Seems simple enough.

Unfortunately, I won’t be able to try it until we go live since this
is an upgrade to the old site. I’m concerned that this may depend
too much on browser/security settings and other client-side details.
Since this would break the shopping process (the most important part)
if it didn’t work, it would still be very bad if it didn’t work for a
minority of folks. It also makes testing on a dev server a little
trickier, too.

In other development environments, I’ve ‘bridged the gap’ by
submitting the session id to the other domain, which forces the
session, if needed. No Rails magic here to do the same?

Phil

On 12/3/05, Philip E. wrote:

production.rb):
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")

Please tell me if this works.

Thanks. Seems simple enough.

Unfortunately, I won’t be able to try it until we go live since this
is an upgrade to the old site. I’m concerned that this may depend
too much on browser/security settings and other client-side details.

It doesn’t. But your problem is that even though your sites are all
on the same domain, one is served via ssl and the other is not.
Cookies won’t persist from a non ssl url to an ssl url.

Chris