Customize Devise Cookie - ruby-on-rails

I'm using devise in my rails application. I have it configured in a tenanted manner in which accounts/sessions are scoped to a subdomain. For example:
http://subdomain1.example.com/
http://subdomain2.example.com/
...
This works well but I want to have an additional subdomain for "super-admins" that allows those users to navigate to all the other subdomains without the need to reauthenticate. This would be something like:
http://admin.example.com/
Is it possible to customize the cookie that gets generated on only the admin subdomain so that it is valid on all other subdomains?

Cookie domains are more inclusive the less specifically they are defined, so if you have a controller that only serves the admin subdomain, you should be able to set a cookie for the .example.com (or example.com) domain and expect it to be available to all other subdomains.
These docs describe the process for selectively setting the cookie domain.

Related

Ruby on Rails: Handle domain and subdomain level cookies simultaneously

In an environment where a very big online application/web is divided into subdomains:
app1.mydomain.com
app2.mydomain.com
Each app is able to handle its subdomain session cookie.
However, in order to maintain certain data live through all apps, like session provider and account information in a multi-single-sign-on environment, it would be useful to also store/access session cookies at a domain level:
mydomain.com
What would be the best approach to handle simultaneously domain level and subdomain session cookies in Ruby on Rails? One issue would also be that this domain level cookie should be encrypted with the same hash across all applications/subdomains, which can be done, but doesn't fully integrate with Rails session design, unless all applications share their secret token.
The best I could think of is to use the Rails default session handler for subdomain cookies and manually create a domain level cookie handler; however, it would be cool to be able to use session and domain_session as they are designed to be used, more easily, though this is not a common issue.

How to do omniauth on wildcard subdomain

I have omniauth working in my Rails app on the top level domain.
Now I want to do it on any given subdomain (users each get their own subdomain assigned dynamically).
I can't find a way to dynamically change the callback url on the fly with omniauth.
Leaving it as is, in the callback I can see the referrer and know which subdomain they came from, and log them in, but when I then redirect them to their subdomain they are logged out because the session was on the top level domain.
I'm using the omniauth-facebook gem if that matters: https://github.com/mkdynamic/omniauth-facebook
What's the best way to handle this?
I don't think that Omniauth lets you change this dynamically, but you can share the session between all subdomains, and continue to use the redirection approach. Just change your session_store to include domain (and tld_length if you need it - more details here)
Rails.application.config.session_store ... , domain: :all

Are browser sessions unique for each subdomain?

Say I'm running a multi-tenant application that gives each organization its own portal via a subdomain.
Example -
orgA.application.com
orgB.application.com
etc...
Each subdomain reads from a different schema/tenant in my PSQL db, but is otherwise the same application.
In my ApplicationController I set the current_user as -
def current_user
  if session[:user_id]
    @current_user ||= User.find_by_id(session[:user_id])
  end
end
There are few admin/superusers such as myself that have a user account on each subdomain. If I log into orgA with my user (id = 22), then my session gets set as user_id: 22.
Now say I want to switch over to orgB, where my user id is 44. If I log into orgB after having set my session in orgA, is there any chance I could accidentally log myself in as the user who is 22 on orgB?
More fundamentally, I'm trying to understand how a browser cookie session is set. From my understanding, it's a hash of variables that are encrypted and cached in the client's browser. Is that set per subdomain? Or do all subdomains of a particular site share the same cache/session cookie?
More importantly, how do I prevent cross pollination of sessions like in the example above? Is my current_user method too basic?
Thanks!
You're fundamentally asking about cookies here, to which the answer is relatively simple: cookies are not shared across subdomains unless you explicitly request it.
When you send the Set-Cookie HTTP header to create a cookie in the user's browser, you can choose whether or not to include a domain configuration option. That option controls which domain the cookie saves under and will be served to.
By default, if you send Set-Cookie with no domain option, the cookie will be set for the current hostname, which includes subdomains. That is, a cookie set on siteA.example.com will not be accessible to siteB.example.com.
If you send a domain option of example.com when you create your cookie on siteA.example.com, then the cookie will be accessible on both example.com and *.example.com, so all your sites will be able to access it.
For your situation, then, you should send the Set-Cookie header with no domain option. That's the default in most setups, including Rails, so it's unlikely you need to do anything.

Access to top domain cookies from subdomain application

My vbulletin forum sets some cookies on domain-name.com, and I'd like to read these cookies within my rails app which is on beta.domain-name.com. How can I do this?
If you set the cookie's domain to .domain-name.com (dot at the beginning), you can access its cookies from subdomains; if the domain is domain-name.com (without the dot at the beginning), you can access its cookies only from this domain.

Can I have my domain authenticated for regular domain and www.mydomain?

How can I have a user automatically log in to my website if he goes to mydomain.com or www.mydomain.com?
The problem is that cookies set on the main domain are not automatically accessible on the subdomain. Authentication in your application is handled through sessions, which are persisted between requests by a cookie. That the cookie should be accessible to your subdomains has to be set explicitly when the cookie is created. This question dealt with how:
Problem with sessions, subdomains and authlogic in Rails
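The answers above all rest on the same cookie scoping rules: a cookie set with no Domain attribute is host-only, so an orgA session is never sent to orgB; a cookie set with Domain=example.com (with or without the leading dot) is sent to example.com and every subdomain, which is what the admin subdomain and the www/apex case rely on; and a server can only set a Domain it is itself part of. The following is an added pure-Ruby model of those rules (RFC 6265 sections 5.1.3, 5.3 and 5.4), written for this page; it is not Rails, Devise or browser code, and every host name, cookie name and value in it is a constructed example.

```ruby
# Minimal model of RFC 6265 cookie scoping, added to illustrate the answers on this page.
# Not Rails or browser code; all hosts and cookie names below are constructed examples.

# RFC 6265 section 5.1.3: does +host+ domain-match +domain+?
# True when they are equal, or when +domain+ is a dot-separated suffix of a
# host name (an IP address never domain-matches a suffix).
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase
  return true if host == domain
  return false if host =~ /\A[\d.]+\z/
  host.end_with?(".#{domain}")
end

class CookieJar
  Cookie = Struct.new(:name, :value, :domain, :host_only)

  def initialize
    @cookies = []
  end

  # Store a cookie received from +host+ (RFC 6265 section 5.3).
  # +domain:+ is the Domain attribute, or nil when the server omitted it.
  # Returns false when the user agent would discard the cookie.
  def set(host, name, value, domain: nil)
    if domain.nil? || domain.empty?
      # No Domain attribute: host-only cookie, sent back to exactly this host.
      cookie = Cookie.new(name, value, host.downcase, true)
    else
      # A leading dot is ignored, so ".example.com" and "example.com" are the same.
      domain = domain.sub(/\A\./, "").downcase
      # The request host must belong to the requested domain, or the cookie is dropped.
      return false unless domain_match?(host, domain)
      cookie = Cookie.new(name, value, domain, false)
    end
    # Replace an existing cookie with the same name, domain and host-only flag.
    @cookies.reject! do |c|
      c.name == cookie.name && c.domain == cookie.domain && c.host_only == cookie.host_only
    end
    @cookies << cookie
    true
  end

  # Name => value for the cookies a user agent would send to +host+ (RFC 6265 section 5.4).
  def for_host(host)
    host = host.downcase
    @cookies.select do |c|
      c.host_only ? host == c.domain : domain_match?(host, c.domain)
    end.to_h { |c| [c.name, c.value] }
  end
end

# Walk through the situations from the questions above with constructed hosts.
def cookie_scoping_demo
  jar = CookieJar.new
  # Per-tenant sessions set without a Domain attribute (the Rails default): host-only.
  jar.set("orgA.application.com", "_app_session", "user_id=22")
  jar.set("orgB.application.com", "_app_session", "user_id=44")
  # Super-admin session issued by the admin subdomain for the whole domain.
  jar.set("admin.application.com", "_admin_session", "admin_id=7", domain: ".application.com")
  # A subdomain cannot scope a cookie to a domain it is not part of.
  rejected = jar.set("orgA.application.com", "_stray", "x", domain: "other.com")
  {
    orgA: jar.for_host("orgA.application.com"),
    orgB: jar.for_host("orgB.application.com"),
    apex: jar.for_host("application.com"),
    www: jar.for_host("www.application.com"),
    rejected: rejected
  }
end

if $PROGRAM_NAME == __FILE__
  cookie_scoping_demo.each { |host, cookies| puts "#{host}: #{cookies.inspect}" }
end
```

The output makes the trade-off visible: each tenant host sees only its own `_app_session`, so a user_id 22 session on orgA cannot be mistaken for user 22 on orgB, while the domain-wide `_admin_session` is delivered to every host under application.com, including ones the admin never visited. A domain-wide cookie is therefore readable by every application on every subdomain, which is why it needs its own name and its own signing secret shared by all of them, as the second question above notes.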