Share session between two rails4 applications
The basic issue here is the way in which cookies work (which of course sessions depend on). A cookie has a domain attribute and browsers only send cookies whose domain matches the request host (there's a little bit of subtlety in the meaning of a period at the start of the domain).

Furthermore, when setting a cookie, browsers will only accept a domain that is a parent domain of the current domain and which is not a public domain. For example, if you are receiving a response from www.example.com it can set cookies for www.example.com or example.com, but not .com (browsers have a list of which domain names shouldn't be allowed).

All this to say that if your two apps don't share a common parent (as is the case for you) then you can't share cookies and thus you can't share a Rails session.
There are many ways to deal with this; a simple one is known as the CAS (Central Authentication Service) protocol. The basic flow with this is:
- User goes to hello.com and tries to access some protected resource (e.g. /home)
- User is redirected to sso.example.com/service?=http://hello.com/home
- The user's identity is verified here as usual: the user either logs in, is recognised from a cookie, etc.
- The SSO service generates a ticket (an arbitrary token) and redirects the user to `http://hello.com/home?ticket=ABC123`
- The application at hello.com makes a (server-side) request back to the SSO server, passing the ticket
- The SSO server responds indicating whether the ticket is valid. If the ticket is valid it will also include some information about the user (e.g. email)
- hello.com sets a session cookie so that subsequent requests can skip steps 2-6

There are Ruby implementations of CAS (e.g. rubycas, which has both a CAS client and server) and Devise strategies that use CAS. There are of course other ways you can do this, for example using OAuth, but CAS is somewhat simpler.
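As an added illustration of the flow described above (this is example code, not from the answer, rubycas or Devise), here is a minimal in-process Ruby model of ticket issuance and validation; the class names, the user addresses and the 60-second ticket lifetime are assumptions.

```ruby
# Added example (not from the answers above): an in-process model of the CAS
# ticket exchange between an SSO server and a service application so it runs
# offline. SsoServer, ServiceApp and the sample addresses are hypothetical; a
# real deployment would use rubycas or a Devise CAS strategy over HTTPS.
require 'securerandom'
require 'uri'

class SsoServer
  TICKET_TTL = 60 # seconds a ticket stays valid; CAS tickets are short-lived

  def initialize
    @tickets = {} # ticket => { service:, email:, issued_at: }
  end

  # Step 4: after the user has authenticated, mint a random single-use ticket
  # bound to the service URL the user came from, and build the redirect target.
  def issue_ticket(service_url, email, now: Time.now)
    ticket = SecureRandom.urlsafe_base64(24)
    @tickets[ticket] = { service: service_url, email: email, issued_at: now }
    "#{service_url}?ticket=#{ticket}"
  end

  # Step 6: the server-side validation call. The ticket must exist, be unexpired
  # and match the service presenting it; it is deleted so it cannot be replayed.
  def validate(ticket, service_url, now: Time.now)
    entry = @tickets.delete(ticket)
    return { valid: false } if entry.nil? || entry[:service] != service_url
    return { valid: false } if now - entry[:issued_at] > TICKET_TTL
    { valid: true, email: entry[:email] }
  end
end

class ServiceApp
  attr_reader :session

  def initialize(sso, service_url)
    @sso, @service_url, @session = sso, service_url, {}
  end

  # Steps 5 and 7: take the ticket off the redirected-to URL, validate it with
  # the SSO server and, on success, start a local session so later requests
  # skip the SSO round trip. Returns true only if the ticket was accepted.
  def handle_callback(url, now: Time.now)
    ticket = URI.decode_www_form(URI(url).query.to_s).to_h['ticket']
    result = @sso.validate(ticket, @service_url, now: now)
    @session[:email] = result[:email] if result[:valid]
    result[:valid]
  end
end
```

The three properties worth checking are that a ticket works exactly once, only for the service it was issued to, and only within its lifetime.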
Share session between two rails 4 applications with different subdomains
The solution suggested in http://dev.mikamai.com/post/75476602797/sharing-session-between-your-rails-4x-app-and worked.
In both applications do the following:
- Set the same `secret_key_base` in both applications.
- Configure the same key and domain in `session_store.rb`:

  ```ruby
  Rails.application.config.session_store ActionDispatch::Session::CacheStore, :expire_after => 30.minutes, key: '_common_key', domain: ".example.com"
  ```
- Enable caching with dalli in `production.rb` (the ElastiCache endpoint is the one from the original answer):

  ```ruby
  elasticache = Dalli::ElastiCache.new('tripartite.q1ssrz.cfg.usw2.cache.amazonaws.com:11211')
  config.cache_store = :dalli_store, elasticache.servers
  ```
Share Devise session cookie between two Rails apps of different versions
There might be other things going on in your specific case, but it is worth noting that there have been two backward-incompatible changes to session cookies since Rails 4 that you'll need to look at.
- There was a change in Rails 5.2 to embed expiry information into encrypted cookies. From the upgrade guide:

  To improve security, Rails now embeds the expiry information also in encrypted or signed cookies value. This new embed information make those cookies incompatible with versions of Rails older than 5.2. If you require your cookies to be read by 5.1 and older, or you are still validating your 5.2 deploy and want to allow you to rollback set `Rails.application.config.action_dispatch.use_authenticated_cookie_encryption` to `false`.

- Rails 6.0 has a change to embed purpose in encrypted cookies. From the upgrade guide:

  To improve security, Rails embeds the purpose information in encrypted or signed cookies value. Rails can then thwart attacks that attempt to copy the signed/encrypted value of a cookie and use it as the value of another cookie. This new embed information make those cookies incompatible with versions of Rails older than 6.0. If you require your cookies to be read by Rails 5.2 and older, or you are still validating your 6.0 deploy and want to be able to rollback set `Rails.application.config.action_dispatch.use_cookies_with_metadata` to `false`.
Share a session between two web applications in Devise
This can be done, but both of these applications will need to have a common subdomain and the `secret_token` value in your configuration will have to be identical.

For instance, you can have app1.example.com and app2.example.com so long as the cookie is assigned to .example.com.

The options for this are stored in config/initializers/session_store.rb and config/initializers/secret_token.rb.
As a note, ensure that your secret token value is as long and random as in a default install. Don't just switch to something short and convenient.