Share session between a Rails 4 and a Rails 5 app - ruby-on-rails

We have a setup in which some pages are currently served by a Rails 4 app and a Rails 5 app. All the authentication logic resides in the Rails 4 app and we are using Devise for authentication. The session_store.rb on the Rails 4 app looks like this:
Rails.application.config.session_store :cookie_store, key: '_app_store'
I want to have the current_user accessible in the Rails 5 app as well. Note: both apps are under the same domain. Also, how should I go about setting up Devise on my Rails 5 app so that current_user is accessible?

First, allow the cookie to apply to all of your subdomains:
Rails.application.config.session_store :cookie_store, key: '_app_store', domain: :all
When the browser accesses a website, the website tells the browser to set a cookie. When this happens, it specifies the cookie name, value, domain, and path.
:domain => :all puts a dot in front of the cookie domain (which is whatever host your browser has browsed to), so the cookie applies to all subdomains.
Another good thread about this topic can be found here:
https://stackoverflow.com/a/4065929/1625253

Related

Rails 5 backend on subdomain does not save cookies

We are building a new application with Ruby on Rails. Our frontend is in a separate project and we do not make use of Rails' views. Our backend is located on api.app.example.com, whereas the frontend part is located on app.example.com. They are on different infrastructures (one is in AWS ECS, other is in S3). We are having trouble getting the session cookies to save in the browser.
I have done some research and found the domain: :all and tld_length: 4 parameters; however, these have mostly been about same-length subdomains, just with different names. I have been trying some of the different combinations, but none of them has helped so far:
domain: :all, tld_length: 3
domain: :all, tld_length: 4
domain: '.app.example.com', tld_length: 4
domain: '.example.com'
domain: :all
The Set-Cookie header is received successfully by the browser; however, it is not saved, therefore rendering any requests after login Unauthorized.
Is there something that I am forgetting? Can this be solved or should I just move the whole thing to single IP and use /api instead of api.?
Usually, if you are using Rails as an API project, session storage is disabled by default. You should do something like this in one of your initializers:
Rails.application.config.session_store :cookie_store, :key => '_namespace'
I don't think subdomain should matter in this case, but I may be wrong.
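To see what the settings tried in the question actually scope the cookie to, here is an added example (not part of the original posts). It models how Rails 4/5 expand domain: :all and tld_length into a Domain attribute, then applies RFC 6265 domain matching; the two regexes are recalled from ActionDispatch::Cookies and are an assumption, and other.example.com is a constructed sibling host.

```ruby
# Added example. The regexes model how Rails 4/5 expand `domain: :all`
# (assumption: recalled from ActionDispatch::Cookies, not taken from this page).
DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
IP_REGEXP     = /^[\d.]+$|^[\da-f:]+$/i

# Domain attribute emitted for a response from `host`,
# or nil for a host-only cookie (no Domain attribute at all).
def cookie_domain(host, domain: nil, tld_length: nil)
  return domain unless domain == :all
  return nil if host =~ IP_REGEXP
  regexp = tld_length ? /([^.]+\.?){#{tld_length}}$/ : DOMAIN_REGEXP
  match = host.match(regexp)
  match && ".#{match[0]}"
end

# RFC 6265 domain-match: `host` equals the cookie domain or is a subdomain of it.
def domain_match?(host, domain)
  bare = domain.sub(/\A\./, "").downcase
  host.downcase == bare || host.downcase.end_with?(".#{bare}")
end

# Would a cookie set by `origin` be stored and later sent to `target`?
def sent_to?(origin, target, **session_opts)
  domain = cookie_domain(origin, **session_opts)
  return origin.casecmp?(target) if domain.nil? # host-only cookie
  domain_match?(origin, domain) && domain_match?(target, domain)
end

api = "api.app.example.com" # backend host from the question
settings = [
  { domain: :all, tld_length: 3 },
  { domain: :all, tld_length: 4 },
  { domain: ".app.example.com", tld_length: 4 },
  { domain: ".example.com" },
  { domain: :all },
  { domain: nil }
]
# other.example.com is a constructed sibling host, used to show over-broad scope.
targets = ["app.example.com", "api.app.example.com", "other.example.com"]
settings.each do |opts|
  reach = targets.select { |t| sent_to?(api, t, **opts) }
  puts format("%-46s Domain=%-23s sent to: %s",
              opts.inspect, cookie_domain(api, **opts).inspect, reach.join(", "))
end
```

Under this model, domain: :all without tld_length yields .example.com, so the session cookie is sent to every subdomain of example.com, while tld_length: 4 pins it to the API host only.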

How to store the flash in a different cookie to the Rails session?

We have the Rails session cookie set to be only visible on the subdomain it is issued (i.e. setting domain: nil in the session store configuration). This means there are separate user sessions per subdomain, which is what we want.
However, we would still like the flash messages to be visible across subdomains. So if they log out on foo.oursite.com and are redirected to www.oursite.com, they should see the "logged out successfully" message from the flash, despite it being different subdomains.
So my question is: can we configure the Rails flash system to use a separate cookie to the session store, so we can set domain: :all for that cookie and have the flash be visible across subdomains?
(We are on Rails 5.0)
You could do something like:
Yourapp::Application.config.session_store :cookie_store, key: '_yourapp_session', :domain => :all
But this would mean all your cookies are accessible across sub-domains and would share the logged in session cookie.
You would maybe want to look into storing alerts in the database and retrieve them as needed.

sharing sessions between Rails 3.1 applications

I have 2 Rails applications (separate but sharing the same top-level domain). In development, I run the first application under localhost:3000 and the other one under localhost:3500.
These two applications have the same users (not really but let's keep it simple).
So, when a user logs into application 1, I want him to be able to go to application 2 without having to sign-in again.
To do this, I changed the initializer, session_store.rb to:
Iview::Application.config.session_store :cookie_store, :key => '_iview_session', :domain => :all
I hoped this would be enough as, in my understanding, when accessing app. 2, the app. would be looking for the cookie of app 1 and assume the user is logged-in but it doesn't do the trick (at least in development).
What do I miss? Thanks!
Have you tried to set the secret_token.rb initializer to the same key?
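Why the shared secret matters, as an added example that is not part of the original thread: a simplified model of a Rails 3.x signed session cookie (payload plus HMAC-SHA1) verified by two apps. The cookie layout is recalled from ActiveSupport::MessageVerifier and is an assumption; the secrets and session data are constructed.

```ruby
require "openssl"

# Simplified model of a Rails 3.x signed session cookie (assumption):
#   "<base64(Marshal.dump(session))>--<hex HMAC-SHA1 of the base64 text>"
def sign_session(data, secret)
  payload = [Marshal.dump(data)].pack("m0") # strict base64, no newlines
  "#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)}"
end

# Constant-time string comparison so the MAC check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the MAC does not verify under `secret`.
def load_session(cookie, secret)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  return nil unless secure_compare(digest, expected)
  Marshal.load(payload.unpack1("m0")) # only reached for authenticated payloads
end

# Constructed secrets standing in for each app's secret_token.rb value.
APP1_SECRET = "constructed-secret-for-app-1".freeze
APP2_SECRET = "constructed-secret-for-app-2".freeze

cookie = sign_session({ "user_id" => 42 }, APP1_SECRET)

# App 2 receives the cookie (the domain setting made the browser send it),
# but with a different secret the MAC fails and the session is discarded.
puts "app 1 reads: #{load_session(cookie, APP1_SECRET).inspect}"
puts "app 2, own secret:    #{load_session(cookie, APP2_SECRET).inspect}"
puts "app 2, shared secret: #{load_session(cookie, APP1_SECRET).inspect}"
```

Sharing the secret also means either app can mint a session the other accepts, so the value needs the same protection in both deployments.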

Rails, Subdomain based cookies

I have a Rails application which is subdomain based. It also contains a REST API which can be publicly accessed by our clients. I have another client application through which I am accessing the REST API of the main app.
When I am accessing both apps in the same browser and am logged in to the main app, I am not able to access the REST API of a different subdomain in the client app, as the cookie gets stored according to the domain accessed.
Is there any way to differentiate the cookies based on subdomain?
Thanks in advance.
You should set the cookie's domain to .yourdomain.com so that your cookies are set for the main domain and for all subdomains.
Rails 3 on config/initializers/session_store.rb:
Rails.application.config.session_store :cookie_store, :key => '_my_key', :domain => ".yourdomain.com"
Rails 2.3+ on config/environment.rb:
config.action_controller.session = { :key => '_my_key', :domain => '.yourdomain.com' }

Configuring Rails App to handle multiple subdomains and multiple cookies

I have a rails app which supports multiple domains and each domain may have multiple subdomains.
Users visiting mydomain1.com do not receive the same experience as mydomain2.com (although the base behaviour of the apps is the same)
Therefore, if a user is logged in to mydomain1.com, it shouldn't then be logged in to mydomain2.com
If a user is logged in to france.mydomain1.com, it should then be logged in to germany.mydomain1.com
Previously, I've handled this by setting the domain in the session store configs:
MyApp::Application.config.session_store :cookie_store, :key => '_MyApp_session', :domain => APP_CONFIG[:domain]
I'm trying to work out the best way to handle this with multiple domains?
I've tried hacking around ActionDispatch::Callback but the request is not available from within there.
Can anybody suggest a good way of supporting multiple cookies from within one app?
Ideally I'd like to create a fresh cookie for each subdomain.
You should do that:
class ActionDispatch::Session::MultiDomainStore < ActionDispatch::Session::CookieStore
  def initialize(app, options = {})
    super(app, options.merge!(:domain => compute_domain(app)))
  end

  def compute_domain(app)
    ...
  end
end
MyApp::Application.config.session_store :multi_domain_store, :key => '_MyApp_session'
I.e. your domain should start with the dot.
It shouldn't be an issue as cookies are only valid per domain. You can have a _MyApp_session for example1.com and one for example2.com. The cookies are managed by the browser and only sent to the host if the domain matches.
Say you visit example1.com and log in and you will get a cookie with the value abcdef123. Then you log into example2.com and you will get another cookie with a random string uvwxyz890.
If you return to example1.com later, the browser will only send the cookies that are valid for this domain to your app. Your app won't have to manage anything and you don't have to hack anything.
