I have a rails app hosted on Heroku which uses a custom domain and no SSL, but on the checkout page I want to use the Heroku URL instead which already has SSL configured.
So for example, a user is on http://www.example.com and is logged in already and then clicks the checkout link which goes to https://example.herokuapp.com/checkout.
The issue is that once the user visits the 2nd URL they get redirected as the app thinks they are no longer logged in. Is there a way to keep the user logged in when switching between these pages?
You cannot do that with the herokuapp.com subdomain.
That domain is listed by browsers in their public suffix list: https://devcenter.heroku.com/articles/cookies-and-herokuapp-com
That means you cannot use a cookie which will set *.herokuapp.com, even less *.com.
The only you can do this is by using your custom domain, or the herokuapp.com subdomain all the time.
If the reason you're not using SSL on your custom domain is the price, you could be interested by CloudFlare's SSL offering and proxy requests to your app through them: https://www.cloudflare.com/ssl
Related
I have configured a Custom Domain to be used for my Cognito Hosted UI, so that when users navigate to my web app and are redirected to login, they see a clean URL with branding instead of the scary looking Cognito Domains.
My Custom Domain resembles: auth.example.com
The issue is that when users are redirected to this hosted ui login URL, it contains many Cognito relevant parameters that are not relevant to the user:
https://auth.example.com/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
I would like for the URL to only show as follows without any parameters: https://auth.example.com
Is this possible or does the Cognito Hosted UI require that these parameters be provided in the URL? Or is there some way to hide the URL parameters from end users?
I've tried simply navigating to https://auth.example.com, but this just renders a blank white page instead of the expected Cognito Hosted UI with sign-in and sign-up forms.
Generally users will only be redirected to the Hosted UI URL or routed there by clicking a button, in which case I'd still like it to be cleaned up without parameters once they're routed, but it would also be nice to be able to share a clean link specifically for signing up, e.g. https://auth.example.com or https://sign-up.example.com.
Thanks in advance for any help!
I have a Rails 5 app that uses Devise for managing users and hosted on Heroku.
My site is called www.example.com but I allow my users to set up custom domains so it could be www.andyexample.com as well.
I can successfully login to www.example.com. However, when I login to www.example.com and then navigate to www.andyexample.com I'm not logged in anymore even though it's the same application.
Is there a way to keep me logged in even when I change between domains?
My understanding was that Devise uses cookies but since a cookie is stored in the browser, why does it not keep me logged in?
Not a duplicate to the suggested post since it's outdated and has 1 reply that introduces a fairly complex solution to something that should be easier to achieve.
Cheers,
I am trying to reduce the number of redirects at my website login page in order for the page to load faster. My final task is deciding if it's possible to remove the redirect for the login page and still keep the site secure.
Should I make a landing page with a link to a secure login page, thus reducing the number of redirects?
Allow the login page to run under HTTP?
This will obviously be introducing a big security risk to a page where users enter their login credentials, which is generally a pretty bad idea. I would suggest no, but it depends what information the site will provide once logged in. If there's no accounting, no personal data, etc. then maybe it's okay, but i still wouldn't do it.
Edit: Updated due to question change
As stated, a static landing page with a link to the secure login page is a good solution here. It would be advisable to keep the http-to-https redirect on the login page though, as some users may try to type the address manually from memory, be using anold bookmark, or using a cached link from a search engine. Alternatively, the http login page could redirect to a different landing page, alerting the user about the insecure page they have navigated to, and also serving the https login link.
A 'landing page' in http is the optimal way to remove the http to https redirect on a login page. The user can click a link to get to the secure https login page, therefore the login page is only available under https.
If a user wishes to have a url directly to the login page to make access faster, they can bookmark this after clicking 'login'.
Using Rails OmniAuth on Facebook, there is a very subtle issue that I need to fix.
My app is on Heroku and its default domain is myapp.herokuapp.com (suppose). I have my personal domain called hello.com, and whenever a user goes to hello.com, he is "forwarded" to myapp.herokuapp.com.
On Facebook dev center, there are App Domains field and Site URL field. I thought I had to put myapp.herokuapp.com into Site URL, and hello.com into App Domains, but it didn't let me.
"hello.com" must be derived from one of: Site URL, Mobile Site URL, Canvas URL, Secure Canvas URL, Page Tab URL or Secure Page Tab URL.
So I just left App domains blank.
Everything seemed to work fine except for one thing. OmniAuth works fine when I go to my website through myapp.herokuapp.com. But when I go through hello.com, there is one little problem. When I'm not logged in Facebook already, it does not redirect me to the Facebook Log in page. So when I click on the login button, it loads for a few seconds but nothing happens (because it's supposed to redirect me to the facebook website to log in there first but it just doesn't) However, when I'm already logged in Facebook, it works fine.
I'm not sure what the problem is. My guesses:
I'm setting App Domains & Site URL wrong.
I did not set DNS yet. Heroku tells me I have to set the DNS to point to my domain, but I'm not sure what that means as I've never dealt with this. Right now, my personal domain, hello.com is simply forwarding to myapp.herokuapp.com. Is this what's causing the problem?
Thank you for your help!
The problem was that I didn't set DNS, but just forwarded my herokuapp url to my custom domain. Instead of "forwarding," you should set your DNS if you are having a similar problem.
My Ruby on Rails app has a subdomain URL for each user's public page. Eg. username.xyz.com
I want to publish this URL on the user's Facebook Page from Rails.
So far, I have created a Facebook App and set it's Page Tab and URL.
I'm using the fbgraph gem to set this app on the facebook page. (This page will be created by the user and will have admin access of this page.)
I used this code:
user = FbGraph::User.me("USER_TOKEN")
account = user.accounts.select {|account| account if account.name == "PageName"}.first
page = FbGraph::Page.new(account.identifier).fetch(:access_token =>"Access_token",:fields => :access_token)
tab = page.tab!(:app_id => "APP_ID_I_CREATED")
Using this code, every user's page points to the URL defined in the APP's Page Tab URL.
I want every user's page to point to their own subdomain URL (eg: user1.xyz.com)
What do I need to do to achieve this?
The subdomain is not handled by the web server, it's handled by DNS. So first you need to get DNS to route everyuser.xyz.com to the IP address where your web server is.
The way DNS works, you will likely have to have a DNS entry for every user. You might be able to find an API to add DNS subdomains when you create a user.
Don't ask me about how to do this, because I don't know, and am uninterested in researching it.
You also have to get the web application to accept the request, and #lightyrs has a good description on how to do that.
You can do the following:
Edit: Make all of these user.mywebsite.com subdomains resolve to the same URL. At that URL:
Create a catch-all route that will handle all traffic originating from *.facebook.com.
Point that route to a controller action that decodes params[:signed_request].
The decoded signed request will yield the facebook id of the page that is responsible for the request.
Fetch the user in your system that is an admin of the page in question.
Fetch the user's subdomain.
Redirect to the subdomain.
Currently, this is the most common way of solving this problem, however, I'd like to see a solution from facebook in the future that allows us to have some kind of dynamic tab URL based on the page, user, and referral context.