Forum: Ruby on Rails Re-using session data over different domain names

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Fernando Perez (fernando)
on 2008-10-21 23:44
Hi,

I am having a hard time here.

I will be managing different websites, let's say: www.site1.com and
www.site2.com

When a user wants to log in to one of these sites, he will be
redirected to: https://site1.com.mainsite.com

Once he successfully gives his credentials, I want him to get redirected
to www.site1.com

I would like to use cookie session store.

The problem is that when he gets redirected, he still is an anonymous
user. This is because when he logs in at site1.com.mainsite.com, the
session gets set for site1.com.mainsite.com and not for www.site1.com

Do you know of a solution around that or is it impossible to solve?

I wanted to set session[:domain] but I get a request forgery error.
Fernando Perez (fernando)
on 2008-10-22 00:18
Crap, by lying back, I just figured out that what I am trying to do is
a kind of XSS attack.
Mark Reginald James (Guest)
on 2008-10-22 00:18
(Received via mailing list)
Fernando Perez wrote:

>
> The problem is that when he gets redirected, he still is an anonymous
> user. This is because when he logs in at site1.com.mainsite.com, the
> session gets set for site1.com.mainsite.com and not for www.site1.com
>
> Do you know of a solution around that or is it impossible to solve?
>
> I wanted to set session[:domain] but I get a request forgery error.

You could use an iframe so that the login is made in mainsite.com's
cookie domain.

Or your redirect could include username and password parameters,
suitably hashed and/or encrypted.

--
Rails Wheels - Find Plugins, List & Sell Plugins -
http://railswheels.com
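Mark's second suggestion, worked through as an added example (this is not code from the thread or from Rails, and it swaps in a signed handoff token for the "hashed and/or encrypted username and password" he describes). The underlying constraint is a browser one: a cookie can only be scoped to the host that set it or a parent domain of it, so no session domain setting on site1.com.mainsite.com can ever produce a cookie that www.site1.com will send; the login result has to be carried across in the redirect. Rather than putting anything password-derived in that URL, the auth host signs a short-lived, single-use token bound to the destination host, and www.site1.com verifies it before minting its own session cookie. HANDOFF_SECRET, the host names, the user id and the /session/handoff route are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Constructed demo (not from the thread): cross-domain login handoff.
# After a successful login on the auth host (site1.com.mainsite.com), mint a
# short-lived, single-use token and redirect to www.site1.com with it; the
# target host verifies the token and only then sets up its own session.
# The password itself never leaves the auth host.
HANDOFF_SECRET = 'assumed-shared-secret-replace-with-32-random-bytes' # assumption
TOKEN_TTL      = 60 # seconds; the token only has to survive one redirect

def hmac_hex(data)
  OpenSSL::HMAC.hexdigest('SHA256', HANDOFF_SECRET, data)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Auth host side: bind the token to the user, the destination host ("aud"),
# an expiry and a random nonce, then sign the whole payload.
def mint_handoff_token(user_id, target_host, now = Time.now.to_i)
  payload = { 'uid' => user_id, 'aud' => target_host,
              'exp' => now + TOKEN_TTL, 'nonce' => SecureRandom.hex(16) }
  body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  "#{body}.#{hmac_hex(body)}"
end

def handoff_redirect_url(user_id, target_host)
  # /session/handoff is an assumed route on the target site
  "https://#{target_host}/session/handoff?token=#{mint_handoff_token(user_id, target_host)}"
end

# Target host side. In-memory replay cache for the demo; a real app would use
# a shared store that expires entries once the token's exp has passed.
SEEN_NONCES = {}

# Returns [:ok, user_id] or [reason, nil]. The signature is checked before
# anything inside the payload is trusted; only then audience, expiry and replay.
def verify_handoff_token(token, expected_host, now = Time.now.to_i)
  body, sig = token.to_s.split('.', 2)
  return [:bad_format, nil] if body.nil? || sig.nil?
  return [:bad_signature, nil] unless secure_compare(hmac_hex(body), sig)
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return [:wrong_audience, nil] unless payload['aud'] == expected_host
  return [:expired, nil] unless now < payload['exp'].to_i
  return [:replayed, nil] if SEEN_NONCES.key?(payload['nonce'])
  SEEN_NONCES[payload['nonce']] = payload['exp']
  [:ok, payload['uid']]
rescue ArgumentError, JSON::ParserError
  [:bad_format, nil]
end

if __FILE__ == $PROGRAM_NAME
  url   = handoff_redirect_url(42, 'www.site1.com')
  token = url.split('token=', 2).last
  puts url
  p verify_handoff_token(token, 'www.site1.com')  # [:ok, 42]
  p verify_handoff_token(token, 'www.site1.com')  # [:replayed, nil]
  p verify_handoff_token(token, 'www.site2.com')  # [:wrong_audience, nil]
  body, sig = token.split('.', 2)
  p verify_handoff_token("#{body}x.#{sig}", 'www.site1.com')  # [:bad_signature, nil]
end
```

The token travels in a URL, so it will show up in server logs, browser history and possibly Referer headers; that is why it expires in a minute and is accepted exactly once, and why the handoff action on www.site1.com should redirect again to a clean URL after it has set its own session. With the cookie session store the session is the cookie, so the target site issues a fresh signed cookie of its own after verification instead of trying to reuse the one from the auth host. Each target site should get its own secret, so that a leaked key for www.site2.com cannot mint tokens for www.site1.com.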
Fernando Perez (fernando)
on 2008-10-22 00:27
> Or your redirect could include username and password parameters,
> suitably hashed and/or encrypted.
>
I like this idea very much. Thank you for the tip.