How to read cookies in rails app set by some different application - ruby-on-rails

I need to read cookies set by some different application into my Rails application. Both applications are running under a common SSO (authentication). When the user is successfully authenticated he is first redirected to the first application (Node/Express app), which writes some data into browser cookies. Then, when the user clicks on some button which loads my Rails application, it will create a Rails session. I need to set some variables by reading from the cookie set by the Node/Express application.

Assuming your SSO cookie is named "sso_cookie", to read the cookie: cookies[:sso_cookie]. To update the cookie: cookies[:sso_cookie] = 'new-value'.
See ActionDispatch::Cookies.
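As an added example, not from the answer above or the ActionDispatch docs: the cookies hash hands you the raw string, and a cookie written by a different application is untrusted input unless you can check it. Assuming the Express app sets it with cookie-parser's signed-cookie option and both apps share the secret, the Rails side can verify the signature before acting on the data. The cookie name, the secret and the payload layout are assumptions.

```ruby
require 'openssl'
require 'json'

SSO_COOKIE = :sso_cookie # assumed cookie name, shared with the Express app

# Mirror of cookie-signature's sign(): "<value>.<base64 HMAC-SHA256, no '='>".
# Only used here to construct a sample cookie; the Express app is the real signer.
def sign_like_express(value, secret)
  mac = OpenSSL::HMAC.digest('sha256', secret, value)
  "#{value}.#{[mac].pack('m0').sub(/=+\z/, '')}"
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Checks an Express signed cookie ("s:<value>.<mac>") and returns the inner value,
# or nil when the cookie is missing, unsigned or tampered with. Rails has already
# URL-decoded the value by the time it is read from the cookie jar.
def verify_express_signed_cookie(raw, secret)
  return nil unless raw.is_a?(String) && raw.start_with?('s:')
  signed = raw[2..]
  dot = signed.rindex('.')
  return nil if dot.nil?
  value = signed[0...dot]
  constant_time_equal?(sign_like_express(value, secret), signed) ? value : nil
end

# res.cookie(name, object) in Express stores objects as "j:" + JSON; strings as-is.
def decode_express_value(value)
  value.start_with?('j:') ? JSON.parse(value[2..]) : value
end

# In the Rails app this is what a before_action would call, passing the
# ActionDispatch cookie jar as `cookies` (a plain Hash stands in for it here).
def sso_attributes(cookies, secret)
  value = verify_express_signed_cookie(cookies[SSO_COOKIE], secret)
  value && decode_express_value(value)
end

# Constructed sample: the cookie the Express app would have set, then verified.
SAMPLE_SECRET = 'shared-sso-secret' # assumed to be shared by both apps
SAMPLE_COOKIES = { SSO_COOKIE => 's:' + sign_like_express('j:{"uid":"u42","role":"viewer"}', SAMPLE_SECRET) }
puts sso_attributes(SAMPLE_COOKIES, SAMPLE_SECRET).inspect
```

If the Express app does not sign the cookie, anything read from it is client-controlled and must not drive authorization decisions on the Rails side.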

Related

cookie set by rails app does not work on javascript apps

Trying to figure out why a cookie that was created by Postman does not work in a Rails request.
Here is the structure:
Rest API - web.abc.com/api
website - web.abc.com (Ruby on Rails, no JS framework)
Webapp - web.abc.com/admin (ReactJS app)
So now, authentication happens on the website (Rails app), and the API then returns a cookie. The cookie is then set in the browser and the user is logged in. We then use the Rails rest-client gem and send the cookie back to the API on requests, and all works well.
Problem is, the same cookie (session) does not work on the React app. The cookie is sent to the API but does not work. However, if we authenticate using Postman, then copy the cookie value and paste it into the browser (cookie value), the React app works BUT not the website.
So in a nutshell: if the cookie is set from the Rails app, it works on the website but not on the React app. If we authorize with Postman and paste the cookie value into the browser (replacing the cookie value), it does not work on the website, but works on the React app.
What am I missing?

How to set SameSite=None for my Devise session cookie?

I'm developing a Chrome Extension that works in conjunction with a rails backend. When users are logged into the backend site, I want to customize the extension UI according to their account. Normal stuff.
Because this is a browser extension, the "document" / URL that requests to the backend will always be changing, so SameSite=None needs to be set.
How can I customize the Devise cookie settings? Everything I found so far online shows me how to set cookie information globally via a rails config:
YourApp::Application.config.session_store :cookie_store, { key: '_xxxx_session', secure: secure_option }
But I think technically I don't need this for every cookie, just the session cookie. I guess I could be wrong though...
Thoughts?

Devise session does not persist on different URL

I have a rails application and I am using devise for authentication.
When I get logged in successfully on URL http://localhost:5000/,
I try to access http://127.0.0.1:5000/ in the same browser.
I expect to be logged in as soon as I access it on http://127.0.0.1:5000/ but the application remains logged out. What's going on? I really cannot understand it, as I am trying to access both URLs in the same browser.
UPDATE:
my config/initializers/session_store.rb
Rails.application.config.session_store :cache_store, key: '_app'

The fact that you are logged in is stored in the session, which is stored in a cookie. For security reasons, the browser sends cookies only to the URLs from which the cookie was set.
From the browser's point of view, localhost and 127.0.0.1 are totally different URLs. Therefore the login information stored in the cookie on localhost is not sent to the server running at 127.0.0.1, and therefore the server running at 127.0.0.1 has no information about an existing session on localhost.
UPDATE:
Using the cache_store to store the session doesn't change anything, because the information about which session in the cache store belongs to the user is still stored in the cookie.
Imagine that your server needs to store all generated sessions somewhere. And if a user comes back, the server needs to know which session belongs to the user. A simplified solution to this problem might be to assign a random number to each session and give the user this number (stored in the cookie). When the user returns, the cookie is returned too, and that allows the server to load the session by that number.
And a cookie is bound to a domain. This is a security feature of the browser. If it didn't work that way, all sessions would be sent to all domains: Google would know if you were logged in to Facebook, every website would know that you have a cookie from your bank...

session not recognized in application

In my scenario I have logged into an application and am calling a C# function to create a session in my Identity application. Then I am accessing a service provider application which will redirect to the Identity application, but here the session I have created is not being recognized and Identity asks for login.
Is my logic correct, or do I need any remedy?
Thanks,
Anish.

It should work, but there are a few reasons why your session might be lost:
The session cookie is expiring - how long before user is redirected back? Check your session timeout
You are using cookieless sessions - the session identifier in the URL is lost after redirect
You are using the default in-memory session provider and you have more than one webserver - you are redirected to a different host that doesn't recognize your session
If it is none of these, use browser developer tools to check the session cookie and see why it isn't being sent.

how to login to an authlogic rails form from an iphone client

I have a server-side app written in Rails using the Authlogic plugin. I am not sure how to log in to the Rails app from my iPhone client. I think I know how to write GET/POST code in Obj-C, but I'm not sure what the best approach is for authenticating with my Rails server. Here is what the server-side HTML looks like when you go to this URL: http://localhost:3000/user_sessions/new : http://pastie.org/596279

To authenticate from your iPhone app you will need to:
Disable cross site request forgery for the form actions
HTTP POST user_session[username] and user_session[password] to your FQDN + '/user_sessions'
Capture the session cookies returned from the site (and return these with subsequent requests) to take further actions in the application.
Depending on what your overall goal is, it might be better to write a custom authentication piece that would use the iPhone's internal ID and a combination of the username and password to create unique token to use for the session on the site.