SSL Certificate and cookies


#1

Hi there

I have an SSL Certificate issued for mydomain.com (not www.mydomain.com)

I’m stuck with the scenario where a user visits www.mydomain.com and
logs in so that a cookie is set by www.mydomain.com

Then they go to checkout and are redirected to https://mydomain.com -
now they are not seen as logged in as the cookie was issued by www.mydomain.com
not mydomain.com and so are then getting redirected to the login page.

I’m using acts_as_authenticated and all is fine except for this issue.
Any clues would be appreciated.

Richard


#2

If it were me, I’d force my web server or proxy to redirect all
www.domain.com requests to domain.com. It’s fairly easy.

For instance, this is how you do it using nginx:

    # redirect www to non-www (for cookies)
    if ($host != 'domain.com') {
        rewrite ^/(.*)$ http://domain.com/$1 permanent;
    }

Of course, you’d want to add logic so that you’re not redirecting your
SSL traffic to a non-SSL host … but you get the drift.

Hope that helps…

-Chris


#3

removed_email_address@domain.invalid wrote:

> I have an SSL Certificate issued for mydomain.com (not www.mydomain.com)
>
> I’m stuck with the scenario where a user visits www.mydomain.com and
> logs in so that a cookie is set by www.mydomain.com
>
> Then they go to checkout and are redirected to https://mydomain.com -
> now they are not seen as logged in as the cookie was issued by www.mydomain.com
> not mydomain.com and so are then getting redirected to the login page.

You can set the domain for your session cookie to be “.mydomain.com”,
thus regardless of the subdomain session state will be kept. A simple way
would be to add this line to your production.rb:

    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".mydomain.com")

Zsombor

Company - http://primalgrasp.com
Thoughts - http://deezsombor.blogspot.com
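
How a browser scopes the session cookie in the two cases discussed in this thread, as an added example (not code from any poster): a simplified Ruby model of RFC 6265 domain matching. The Cookie struct, the helper names, the cookie name and the host blog.mydomain.com are constructed for illustration; IP hosts and public-suffix checks are left out.

```ruby
# Simplified model of RFC 6265 cookie scoping (storage and domain-match rules).
# Cookie is a constructed struct for this sketch, not a Rails class.
Cookie = Struct.new(:name, :domain, :host_only, :secure)

# RFC 6265 domain-match: identical host, or host ends with "." + domain.
def domain_match?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# Build the cookie a browser would store for a Set-Cookie from origin_host.
# domain_attr is the Domain attribute, or nil when the server sent none.
def store_cookie(name, origin_host, domain_attr: nil, secure: false)
  origin = origin_host.downcase
  # No Domain attribute: the cookie is bound to the exact host that set it.
  return Cookie.new(name, origin, true, secure) if domain_attr.nil?

  domain = domain_attr.downcase.sub(/\A\./, "") # a leading dot is ignored
  # A host may only set cookies for itself or one of its parent domains.
  return nil unless domain_match?(origin, domain)

  Cookie.new(name, domain, false, secure)
end

# Would the browser attach this cookie to a request for host over scheme?
def sent_to?(cookie, host, scheme)
  host = host.downcase
  return false if cookie.secure && scheme != "https"
  cookie.host_only ? host == cookie.domain : domain_match?(host, cookie.domain)
end

# Case from the first post: login on www, no Domain attribute.
HOST_ONLY = store_cookie("_session_id", "www.mydomain.com")
# Case from the last post: session domain widened to ".mydomain.com".
WIDE = store_cookie("_session_id", "www.mydomain.com", domain_attr: ".mydomain.com")
# Same scope, but set by the HTTPS host with the Secure flag (constructed case).
WIDE_SECURE = store_cookie("_session_id", "mydomain.com",
                           domain_attr: ".mydomain.com", secure: true)

if __FILE__ == $PROGRAM_NAME
  targets = [%w[www.mydomain.com http], %w[mydomain.com https],
             %w[blog.mydomain.com http]]
  { "host-only" => HOST_ONLY, "wide" => WIDE, "wide+secure" => WIDE_SECURE }.each do |label, c|
    targets.each do |host, scheme|
      puts format("%-12s %s://%-18s sent=%s", label, scheme, host, sent_to?(c, host, scheme))
    end
  end
end
```

The widened cookie fixes the checkout redirect, but it is also attached to every other subdomain and, without the Secure flag, to plain-HTTP requests.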