Share Session Between Two Rails4 Applications

Share session between two rails4 applications

The basic issue here is the way in which cookies work (which of course sessions depend on). A cookie has a domain attribute and browsers only send cookies whose domain match the request host (there's a little bit of subtlety of the meaning of a period at the start of the domain)

Furthermore, when setting a cookie, browsers will only accept a domain that is a parent domain of the current domain and which is not a public domain). For example if you are receiving a response from www.example.com it can set cookies for www.example.com or example.com, but not .com (Browsers have a list of which domain names shouldn't be allowed).

All this to say that if your two apps don't share a common parent (as it is in your case) then you can't share cookies and thus you can't share a rails session.

There are many ways to deal with this, a simple one is known as CAS (Central Authentication Service) protocol. The basic flow with this is

  1. User goes to hello.com and tries to access some protected resource (e.g. /home
  2. User is redirected to sso.example.com/service?=http://hello.com/home
  3. The user's identity is verified here as usual: the user either logs in, is recognised from a cookie etc.
  4. The sso service generates a ticket (an arbitary token) and redirects the user to `http://hello.com/home?ticket=ABC123
  5. The application at hello.com makes a (server side) request back to the SSO server, passing the ticket
  6. The SSO server responds indicating whether the ticket is valid. If the ticket is valid it will also include some information about the user (e.g. email)
  7. hello.com sets a session cookie so that subsequent requests can skip steps 2-6

There are ruby implementations of cas (e.g. rubycas which has both a cas client and server) and devise strategies that use CAS. There are of course other ways you can do this, for example using oath, but CAS is somewhat simpler.

Share session between two rails 4 application with different subdomain

The solution suggested in http://dev.mikamai.com/post/75476602797/sharing-session-between-your-rails-4x-app-and worked.

In both applications do following

  1. Set same secret_key_base in both applications

  2. Configure same key and domain in session_store.rb
    Rails.application.config.session_store ActionDispatch::Session::CacheStore, :expire_after => 30.minutes, key: '_common_key', domain: ".example.com"

  3. Enable caching with dalli in production.rb Dalli::ElastiCache.new('tripartite.q1ssrz.cfg.usw2.cache.amazonaws.com:11211)
    config.cache_store = :dalli_store, elasticache.servers

Share Devise session cookie between two Rails apps of different versions

There might be other things going on in your specific case, but it is worth nothing that there have been two backward-incompatible changes to session cookies since Rails 4 that you'll need to look at.

  1. There was a change in Rails 5.2 to embed expiry information into encrypted cookies. From the upgrade guide:

To improve security, Rails now embeds the expiry information also in
encrypted or signed cookies value.

This new embed information make those cookies incompatible with
versions of Rails older than 5.2.

If you require your cookies to be read by 5.1 and older, or you are
still validating your 5.2 deploy and want to allow you to rollback set
Rails.application.config.action_dispatch.use_authenticated_cookie_encryption
to false.


  1. Rails 6.0 has a change to embed purpose in encrypted cookies. From
    the upgrade
    guide:

To improve security, Rails embeds the purpose information in encrypted
or signed cookies value. Rails can then thwart attacks that attempt to
copy the signed/encrypted value of a cookie and use it as the value of
another cookie.

This new embed information make those cookies incompatible with
versions of Rails older than 6.0.

If you require your cookies to be read by Rails 5.2 and older, or you
are still validating your 6.0 deploy and want to be able to rollback
set Rails.application.config.action_dispatch.use_cookies_with_metadata
to false.

Share a session between two web applications in device

This can be done, but both of these applications will need to have a common subdomain and the secret_token value in your configuration will have to be identical.

For instance, you can have app1.example.com and app2.example.com so long as the cookie is assigned to .example.com.

The options for this are stored in config/initializers/session_store.rb and config/initializers/secret_token.rb.

As a note, ensure that your secret token value is as long and random as in a default install. Don't just switch to something short and convenient.


Related Topics

How to Build a Docker Image for a Ruby Project Without Build Tools

Rubymine 6.0.2, Unable to Debug

Searching from a Range of Ids in Activerecord

Kernel_Require.Rb:55:In 'Require': Cannot Load Such File Error

Can Anyone Explain This Array Declaration to Me

Percent Encoding in Ruby

Failing to Enable User-Env-Compile on Heroku

Why Does Ruby '**' Operator Have Higher Precedence Than Unary '-'

Symbol#To_Proc Shorthand with the Stabby Lambda Syntax

Rspec Matcher That Checks Collection to Include Item That Satisfies Lambda

Mechanize and Ntlm Authentication

How to Print All the Staged File Names Using Ruby Git Pre-Commit Hook

How to Specify Formatting Options for To_Yaml in Ruby

Rspec Class Variable Testing

Why Doesn't Array Override the Triple Equal Sign Method in Ruby

Validating Phone Number in Ruby

Using the Right Exception Subclass in Ruby

Rspec -- Test If Method Called Its Block Parameter


Leave a reply



Submit