Re-using session data over different domain names


#1

Hi,

I am having a hard time here.

I will be managing different websites, let’s say: www.site1.com and
www.site2.com

When a user wants to login on to one of these sites, he will be
redirected to: https://site1.com.mainsite.com

Once he successfully gives his credentials, I want him to get redirected
to www.site1.com

I would like to use cookie session store.

The problem is that when he gets redirected, he still is an anonymous
user. This is because when he logs in at site1.com.mainsite.com, the
session gets set for site1.com.mainsite.com and not for www.site1.com

Do you know of a solution around that or is it impossible to solve?

I wanted to set session[:domain] but I get a request forgery error.


#2

Crap, by laying back, I just figured out that what I am trying to do is
a kind of XSS attack.


#3

Fernando P. wrote:

The problem is that when he gets redirected, he still is an anonymous
user. This is because when he logs in at site1.com.mainsite.com, the
session gets set for site1.com.mainsite.com and not for www.site1.com

Do you know of a solution around that or is it impossible to solve?

I wanted to set session[:domain] but I get a request forgery error.

You could use an iframe so that the login is made in mainsite.com’s
cookie domain.

Or your redirect could include username and password parameters,
suitably hashed and/or encrypted.


Rails Wheels - Find Plugins, List & Sell Plugins -
http://railswheels.com
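One way to implement the signed-redirect suggestion above, as an added example that is not from this thread or from Rails itself: the login host on mainsite.com issues an HMAC-signed, short-lived, single-use handoff token naming the user and the destination site, which stands in for the raw password the post mentions, and www.site1.com verifies it before creating its own session. The shared secret, TTL and function names are assumptions.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Assumption: a secret provisioned out of band to mainsite.com and each site (constructed value).
SHARED_SECRET = 'constructed-example-secret-do-not-reuse'.freeze
TOKEN_TTL = 60 # seconds a token stays valid

# Constant-time comparison so the MAC check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issued by the login host only after the password has already been checked there.
# Carries the username, the intended site, an issue time and a nonce; never the password.
def issue_handoff_token(username, audience, secret: SHARED_SECRET, now: Time.now.to_i)
  payload = { 'sub' => username, 'aud' => audience, 'iat' => now, 'jti' => SecureRandom.hex(16) }
  body = JSON.generate(payload).unpack1('H*') # hex-encode so it is URL-safe
  mac  = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  "#{body}.#{mac}"
end

# Verified by the destination site before it sets its own session cookie.
# Returns the username, or nil if the token is forged, malformed, expired,
# replayed (jti already seen) or addressed to a different site.
def verify_handoff_token(token, audience, seen_jtis, secret: SHARED_SECRET, now: Time.now.to_i)
  body, mac = token.to_s.split('.', 2)
  return nil if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  return nil unless secure_equal?(mac, expected)
  payload = JSON.parse([body].pack('H*'))
  return nil unless payload['aud'] == audience
  return nil if payload['iat'] > now || now - payload['iat'] > TOKEN_TTL
  return nil if seen_jtis.include?(payload['jti'])
  seen_jtis << payload['jti'] # remember the nonce so the token cannot be replayed
  payload['sub']
rescue JSON::ParserError, ArgumentError, TypeError
  nil
end

# The URL the login host redirects to after a successful login.
def redirect_url(username, audience)
  "https://#{audience}/session/handoff?token=#{issue_handoff_token(username, audience)}"
end
```

The redirect must itself be served over HTTPS and the destination should discard the token from the URL (and its referrer) once the session is created, since anything in a query string ends up in logs.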


#4

Or your redirect could include username and password parameters,
suitably hashed and/or encrypted.

I like this idea very much. Thank you for the tip.