I'm using Rails 4.2.2 (with Devise 3.4.1) and am changing the cookie_store domain from www.boundless.dev to .boundless.dev in order to share the same session across all of our subdomains (single sign-on).
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: '.boundless.dev'
If I make this change alone. Existing logged-in users who return to the site will end up with 2 _boundless_session cookies, one with domain boundless.dev and the other with www.boundless.dev. Somehow this makes logging out impossible.
Is it possible to make this change without logging all users out of the site?
I thought that I'd be able to write a method as a before_filter in my ApplicationController to delete the session cookie and replace it with a new one at .boundless.dev, but it doesn't work, and I suspect it has something to do with the remember_user_token cookie.
def update_session_cookie_domain
session_cookie = cookies['_boundless_session']
cookies.delete('_boundless_session', domain: 'www.boundless.dev')
cookies['_boundless_session'] = {
value: session_cookie,
domain: '.boundless.dev'
}
end
I was able to solve this problem by changing the cookie name used for the session.
So the original config was:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: 'www.boundless.dev'
And I changed it to:
Boundless::Application.config.session_store :cookie_store, key: '_boundless_session_NEW', domain: '.boundless.dev'
I expected this to log users out, but it doesn't for some reason that I don't quite understand.
Unfortunately, I've yet to find a way to clear the old _boundless_session cookie, but at least now I can log out after having my session cookie updated to the more general domain.
Related
I am developing a rails application that supports various subdomains. There is a root domain such as example.com and a user logs in through it and then redirects a user to specific subdomain url, group.example.com and users can jump between subdomain urls depending on which group they have access to. How to I set up domain attribute in session cookie so that it would not be available between subdomains (ex2.example.com and ex3.example.com)?
EDIT:
I am sorry I meant session cookies. I want to send different cookies for each subdomain urls.
Have a look at the documentation of the Cookie class. You can specify the domain when you create/delete the cookie.
cookies[:name] = {
value: 'a yummy cookie',
domain: 'ex2.example.com'
}
Of course, the value can be taken from the current request.
cookies[:name] = {
value: 'a yummy cookie',
domain: request.host
}
Here's the options
domain: nil # Does not sets cookie domain. (default)
domain: :all # Allow the cookie for the top most level
# domain and subdomains.
domain: %w(.example.com .example.org) # Allow the cookie
# for concrete domain names.
just add domain: my.subdoma.in to the cookie
btw: the user cookie should be available in all subdomains and you need to controller-check if he is having access to the group. this is the better way to do.
I have an issue with wanting to use session across domains (not subdomain). Eg, I have .co.uk, .com.au, and .com all for the same address.
I know for subdomains I can use something like:
SomeApp::Application.config.session_store :cookie_store, key: '_some_app_session', domain => :all, :tld_length => 2
But I would like my solution to work between actually domains to have one set of sessions/cookies.
As your default session store is 'cookie_store'
You could just do it the same way as when you might send an email link with an authentication token. Check to verify that the cookie is correct on example.org and, if it is, redirect them to:
http://example.com?token=
and then check to make sure the token matches the one you have in the DB when they arrive. If the token does match, create the session cookie for the example.com domain and then change the token in the database.
This will successfully transfer from one domain to another while providing persistent login on the new domain (via cookie) and shutting the door behind them by changing the authentication token in the DB.
EDIT
To answer your question below, I don't think you need middleware or anything fancy. You could do a simple before filter in the application controller of example.org, something like:
before_filter :redirect_to_dot_com
...
def redirect_to_dot_com
url = "http://example.com" + request.fullpath
url= destination + (url.include?('?') ? '&' : '?') + "token=#{current_user.token}" if signed_in?
redirect_to url, status: 301
end
That will redirect the user either way, and append the token to the query if the user is signed in on the .org site.
Go to more details on Persisting user sessions when switching to a new domain name (Ruby on Rails)
I wouldn't use the PHP style routings which pass ?php=bad style variables via :get especially if you're already using sessions. And also since then you'd have to parse the original URL and a bunch of other work.
Instead of using session[:edition_id] = 'UK' you can use:
cookies[:edition_id] = { value: 'UK', domain: 'some-app.com', expires: 1.year.from_now }
# or if you want to be google 10.years.from_now
When you use session[:edition_id] = 'UK' the value will be encrypted by rails and stored in the _myapp_session cookie. But in your case that probably doesn't matter much.
If you set the cookie explicitly on the domain you want to read it from, it will work without having to set odd ball variables via get and then trying to interpret them again on redirect.
Scenario: Multi-tenant rails app that uses subdomains and devise
Problem: I want the user to be able to log into mydomain.com then be forwarded to their own subdomain1.mydomain.com address as a logged-in user. Right now they can only log directly into their own subdomain.
I'm a relative Rails newbie and I can't find a simple solution (although it seems like there must be one). Ideally I would like to have mydomain.com and subdomain1.mydomain.com share one cookie, but my skills aren't there for writing custom middleware. Obviously since it's multitenant I can't share one session across all subdomains. Stuck on this for a few days and curious if there is a simple solution (such as a config.session_store domain setting) that I'm missing before I start looking at OAuth or other more cumbersome solutions. Any help will be appreciated!
Edit: Of course I only found this after posting. Log a user into their subdomain after registration with Rails and Devise . Will try the config.session_store domain: :all with a before filter recommendation and post any details if it doesn't work, seems like a good idea at least.
Edit: SOLUTION that worked for my particular Devise with subdomains setup:
class ApplicationController < ActionController::Base
before_action :check_subdomain
def check_subdomain
unless request.subdomain == "" or request.subdomain == session[:subdomain]
redirect_to request.protocol+request.domain
end
end
end
session_store.rb
My::Application.config.session_store :cookie_store, key: '_my_session' , :domain => :all, :tld_length => 2
Basically I set the subdomain in the session with session[:subdomain] at login and use that to scope the session to the current user. Otherwise when the domain is set to :all in session_store it breaks the scope. If the user is not authorized it redirects them to the public home page via the request.protocol (http:// or https://) +request.domain redirect. Simple! Now users can move between the base domain and their subdomain within the same session.
Cookie
From what you've posted, I'd estimate you have a problem with the tracking of your session cookie. We had a similar problem with our subdomain-powered application, which lead to the cookie being dropped each time you switched between the two
We found the remedy here:
Share session (cookies) between subdomains in Rails?
#config/initializers/session_store.rb
Your_App::Application.config.session_store :cookie_store, key: '_your_app_session', domain: :all, tld_length: 2
The trick is the tld_length argument - this allows you to define how many "levels" of the domain can be accommodated; IE if you're using a sub domain, you'll need to set the tld_length to reflect it
Forwarding
I'm not sure whether you have a problem with your forwarding or not; I'll give you some ideas anyway.
When you log into a "subdomain", unless you've got a true multi-tenancy implementation of Rails (where each user is stored in a different database), you should be able to allow the users to login on the main form, and then redirect them to the subdomain without an issue
Something you need to consider is the subdomain constraint will only be populated if you use _url path helpers:
<%= link_to "Your Name", path_url(subdomain: "subdomain_1") %>
The reason for this is the _path helper is relative to the base URL, and consequently cannot populate the subdomain option. Alternatively, the _url path helper points to the URL in its entirety -- allowing you to define the sub domain as required
--
If you send the request & continue to want the user to remain signed-in, you'll need to ensure you're able to persist the authentication across the sub-domains. IE if you have a single-sign in form on the "main" page, you'll want to ensure you can continue the authentication into the subdomains
My site is a single page rails app that interacts with a rails api. I recently added an api endpoint that allows a user to log out via ajax.
class Api::SessionsController < Api::ApplicationController
...
# DELETE /api/sessions/destroy
def destroy
session.delete(:user_id)
render json: { success: true }
end
...
end
This endpoint was working fine until I altered my session store to keep the session around when a user quits their browser.
config/initializers/session_store.rb diff:
AppName::Application.config.session_store :cookie_store,
- key: session_key, domain: TOP_LEVEL_DOMAIN
+ key: session_key, domain: TOP_LEVEL_DOMAIN, expire_after: 1.month
Now, after hitting my sessions#destroy endpoint via ajax, reloading the page logs the user back in, and still has the user_id in the session.
My guess is that the browser's cookie is not being overwritten by the DELETE ajax request (like it was before I added the expire_after parameter), but this is very tough to verify because the stored cookie is encrypted.
Does anyone have any solution ideas or debugging paths?
Does anyone know what is happening here?
When you set :expire_after to set the expiration of the cookie, it causes the cookie to persist to the given date even when the browser is closed. This means that when you change something in the session of Rails, you have to update the cookie. The simplest to way to achieve that is recreating the cookie.
I got my session variables being saved to all subdomains on my site via this:
Site::Application.config.session_store(
:cookie_store,
:key => '_site_session',
:domain => Settings.domain,
# :secure => (Rails.env.production? || Rails.env.staging?),
:http_only => true)
where Settings.domain = '.site.com'
However, the way my site is setup, each account has their own subdomain. So this caused a big error since when someone logged in, they could enter any other subdomain and have access to that account (not all information, but some..weird).
So, what I want to do is allow people to share session variables with public subdomains (signin.site.com and signup.site.com) as well as their own personal subdomain (account1.site.com). However, those are the only ones that should be able to share it. Is there a way to specify that?
I'm assuming you handle logins on a subdomain like signin.site.com. It's not allowed to set the cookie for *.site.com then.
Handling the authentication and setting the cookie from http://site.com should solve the problem.