I am developing a rails application that supports various subdomains. There is a root domain such as example.com and a user logs in through it and then redirects a user to specific subdomain url, group.example.com and users can jump between subdomain urls depending on which group they have access to. How to I set up domain attribute in session cookie so that it would not be available between subdomains (ex2.example.com and ex3.example.com)?
EDIT:
I am sorry I meant session cookies. I want to send different cookies for each subdomain urls.
Have a look at the documentation of the Cookie class. You can specify the domain when you create/delete the cookie.
cookies[:name] = {
value: 'a yummy cookie',
domain: 'ex2.example.com'
}
Of course, the value can be taken from the current request.
cookies[:name] = {
value: 'a yummy cookie',
domain: request.host
}
Here's the options
domain: nil # Does not sets cookie domain. (default)
domain: :all # Allow the cookie for the top most level
# domain and subdomains.
domain: %w(.example.com .example.org) # Allow the cookie
# for concrete domain names.
just add domain: my.subdoma.in to the cookie
btw: the user cookie should be available in all subdomains and you need to controller-check if he is having access to the group. this is the better way to do.
Related
I've been trying to use the rails ActionController cookies tool to expire a cookie that is set by a different application on the same subdomain.
Essentially a legacy app sets a cookie called "ORG_SID" that contains a UUID session_id as it's value, an expire set to "Session", etc.
In my controller I've tried:
cookies.delete('ORG_SID', domain: :all)
cookes['ORG_SID'] = {:expires => Time.at(0), :domain => :all}
I've also tried the exact subdomain of the cookie as well as the TLD of the cookie as inputs to domain.
In each case the cookie is unmodified, by the controllers actions.
There are two servers, production.myapp.com and staging.myapp.com that use cookie session store and that cookie is set for myapp.com domain. Is there a way to handle a session cookie that can't be decrypted/verified? Rails version is 5.1.
Take a look at the Documentaion for Cookies. You can use an encrypted cookie and set the domain on the cookie to be myapp.com, i.e.
cookies.encrypted[:my-key] = {
domain: ".myapp.com",
secure: !Rails.env.development?,
value: "put-your-value-here",
}
Note however, that both apps will need to share the secret_key_base since that is what is used to encrypt / read the cookie value.
If you want to delete it be sure to pass the domain as argument.
cookies.delete(:my-key, domain: ".my-app.com")
I'm using Rails 4.2.2 (with Devise 3.4.1) and am changing the cookie_store domain from www.boundless.dev to .boundless.dev in order to share the same session across all of our subdomains (single sign-on).
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: '.boundless.dev'
If I make this change alone. Existing logged-in users who return to the site will end up with 2 _boundless_session cookies, one with domain boundless.dev and the other with www.boundless.dev. Somehow this makes logging out impossible.
Is it possible to make this change without logging all users out of the site?
I thought that I'd be able to write a method as a before_filter in my ApplicationController to delete the session cookie and replace it with a new one at .boundless.dev, but it doesn't work, and I suspect it has something to do with the remember_user_token cookie.
def update_session_cookie_domain
session_cookie = cookies['_boundless_session']
cookies.delete('_boundless_session', domain: 'www.boundless.dev')
cookies['_boundless_session'] = {
value: session_cookie,
domain: '.boundless.dev'
}
end
I was able to solve this problem by changing the cookie name used for the session.
So the original config was:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: 'www.boundless.dev'
And I changed it to:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session_NEW', domain: '.boundless.dev'
I expected this to log users out, but it doesn't for some reason that I don't quite understand.
Unfortunately, I've yet to find a way to clear the old _boundless_session cookie, but at least now I can log out after having my session cookie updated to the more general domain.
I have an issue with wanting to use session across domains (not subdomain). Eg, I have .co.uk, .com.au, and .com all for the same address.
I know for subdomains I can use something like:
SomeApp::Application.config.session_store :cookie_store, key: '_some_app_session', domain => :all, :tld_length => 2
But I would like my solution to work between actually domains to have one set of sessions/cookies.
As your default session store is 'cookie_store'
You could just do it the same way as when you might send an email link with an authentication token. Check to verify that the cookie is correct on example.org and, if it is, redirect them to:
http://example.com?token=
and then check to make sure the token matches the one you have in the DB when they arrive. If the token does match, create the session cookie for the example.com domain and then change the token in the database.
This will successfully transfer from one domain to another while providing persistent login on the new domain (via cookie) and shutting the door behind them by changing the authentication token in the DB.
EDIT
To answer your question below, I don't think you need middleware or anything fancy. You could do a simple before filter in the application controller of example.org, something like:
before_filter :redirect_to_dot_com
...
def redirect_to_dot_com
url = "http://example.com" + request.fullpath
url= destination + (url.include?('?') ? '&' : '?') + "token=#{current_user.token}" if signed_in?
redirect_to url, status: 301
end
That will redirect the user either way, and append the token to the query if the user is signed in on the .org site.
Go to more details on Persisting user sessions when switching to a new domain name (Ruby on Rails)
I wouldn't use the PHP style routings which pass ?php=bad style variables via :get especially if you're already using sessions. And also since then you'd have to parse the original URL and a bunch of other work.
Instead of using session[:edition_id] = 'UK' you can use:
cookies[:edition_id] = { value: 'UK', domain: 'some-app.com', expires: 1.year.from_now }
# or if you want to be google 10.years.from_now
When you use session[:edition_id] = 'UK' the value will be encrypted by rails and stored in the _myapp_session cookie. But in your case that probably doesn't matter much.
If you set the cookie explicitly on the domain you want to read it from, it will work without having to set odd ball variables via get and then trying to interpret them again on redirect.
Scenario: Multi-tenant rails app that uses subdomains and devise
Problem: I want the user to be able to log into mydomain.com then be forwarded to their own subdomain1.mydomain.com address as a logged-in user. Right now they can only log directly into their own subdomain.
I'm a relative Rails newbie and I can't find a simple solution (although it seems like there must be one). Ideally I would like to have mydomain.com and subdomain1.mydomain.com share one cookie, but my skills aren't there for writing custom middleware. Obviously since it's multitenant I can't share one session across all subdomains. Stuck on this for a few days and curious if there is a simple solution (such as a config.session_store domain setting) that I'm missing before I start looking at OAuth or other more cumbersome solutions. Any help will be appreciated!
Edit: Of course I only found this after posting. Log a user into their subdomain after registration with Rails and Devise . Will try the config.session_store domain: :all with a before filter recommendation and post any details if it doesn't work, seems like a good idea at least.
Edit: SOLUTION that worked for my particular Devise with subdomains setup:
class ApplicationController < ActionController::Base
before_action :check_subdomain
def check_subdomain
unless request.subdomain == "" or request.subdomain == session[:subdomain]
redirect_to request.protocol+request.domain
end
end
end
session_store.rb
My::Application.config.session_store :cookie_store, key: '_my_session' , :domain => :all, :tld_length => 2
Basically I set the subdomain in the session with session[:subdomain] at login and use that to scope the session to the current user. Otherwise when the domain is set to :all in session_store it breaks the scope. If the user is not authorized it redirects them to the public home page via the request.protocol (http:// or https://) +request.domain redirect. Simple! Now users can move between the base domain and their subdomain within the same session.
Cookie
From what you've posted, I'd estimate you have a problem with the tracking of your session cookie. We had a similar problem with our subdomain-powered application, which lead to the cookie being dropped each time you switched between the two
We found the remedy here:
Share session (cookies) between subdomains in Rails?
#config/initializers/session_store.rb
Your_App::Application.config.session_store :cookie_store, key: '_your_app_session', domain: :all, tld_length: 2
The trick is the tld_length argument - this allows you to define how many "levels" of the domain can be accommodated; IE if you're using a sub domain, you'll need to set the tld_length to reflect it
Forwarding
I'm not sure whether you have a problem with your forwarding or not; I'll give you some ideas anyway.
When you log into a "subdomain", unless you've got a true multi-tenancy implementation of Rails (where each user is stored in a different database), you should be able to allow the users to login on the main form, and then redirect them to the subdomain without an issue
Something you need to consider is the subdomain constraint will only be populated if you use _url path helpers:
<%= link_to "Your Name", path_url(subdomain: "subdomain_1") %>
The reason for this is the _path helper is relative to the base URL, and consequently cannot populate the subdomain option. Alternatively, the _url path helper points to the URL in its entirety -- allowing you to define the sub domain as required
--
If you send the request & continue to want the user to remain signed-in, you'll need to ensure you're able to persist the authentication across the sub-domains. IE if you have a single-sign in form on the "main" page, you'll want to ensure you can continue the authentication into the subdomains