Access to top domain cookies from subdomain application - ruby-on-rails

My vbulletin forum sets some cookies on domain-name.com, and I'd like to read these cookies within my rails app which is on beta.domain-name.com. How can I do this?

If you set the cookie's domain to .domain-name.com (with a dot at the beginning), you can access its cookies from subdomains; if the domain is domain-name.com (without a dot at the beginning), you can access its cookies only from this domain.

Related

Are browser sessions unique for each subdomain?

Say I'm running a multi-tenant application that gives each organization its own portal via a subdomain.
Example -
orgA.application.com
orgB.application.com
etc...
Each subdomain reads from a different schema/tenant in my PSQL db, but is otherwise the same application.
In my ApplicationController I set the current_user as -
def current_user
  if session[:user_id]
    @current_user ||= User.find_by_id(session[:user_id])
  end
end
There are a few admin/superusers such as myself that have a user account on each subdomain. If I log into orgA with my user (id = 22), then my session gets set as user_id: 22.
Now say I want to switch over to orgB, where my user id is 44. If I log into orgB after having set my session in orgA, is there any chance I could accidentally log myself in as the user who is 22 on orgB?
More fundamentally, I'm trying to understand how a browser cookie session is set. From my understanding, it's a hash of variables that are encrypted and cached in the client's browser. Is that set per subdomain? Or do all subdomains of a particular site share the same cache/session cookie?
More importantly, how do I prevent cross-pollination of sessions like in the example above? Is my current_user method too basic?
Thanks!
You're fundamentally asking about cookies here, to which the answer is relatively simple: cookies are not shared across subdomains unless you explicitly request it.
When you send the Set-Cookie HTTP header to create a cookie in the user's browser, you can choose whether or not to include a domain configuration option. That option controls which domain the cookie saves under and will be served to.
By default, if you send Set-Cookie with no domain option, the cookie will be set for the current hostname, which includes subdomains. That is, a cookie set on siteA.example.com will not be accessible to siteB.example.com.
If you send a domain option of example.com when you create your cookie on siteA.example.com, then the cookie will be accessible on both example.com and *.example.com, so all your sites will be able to access it.
For your situation, then, you should send the Set-Cookie header with no domain option. That's the default in most setups, including Rails, so it's unlikely you need to do anything.

Customize Devise Cookie

I'm using devise in my rails application. I have it configured in a tenanted manner in which accounts/sessions are scoped to a subdomain. For example:
http://subdomain1.example.com/
http://subdomain2.example.com/
...
This works well, but I want to have an additional subdomain for "super-admins" that allows those users to navigate to all the other subdomains without the need to reauthenticate. This would be something like:
http://admin.example.com/
Is it possible to customize the cookie that gets generated on only the admin subdomain so that it is valid on all other subdomains?
Cookie domains are more inclusive the less specifically they are defined, so if you have a controller that only serves the admin subdomain, you should be able to set a cookie for the .example.com (or example.com) domain and expect it to be available to all other subdomains.
These docs describe the process for selectively setting the cookie domain.
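Added example, not code from either answer above nor from Rails or Devise: a small Ruby model of the RFC 6265 domain-match rule those answers rely on. It shows that a cookie set without a Domain attribute is host-only (orgA's session cookie is never sent to orgB), while a Domain of application.com, with or without the leading dot, is sent to every subdomain. Hostnames and cookie names are constructed for illustration.

```ruby
# Added example: how a browser decides which cookies to send (RFC 6265 5.1.3).
# Hostnames and cookie names below are constructed for illustration.

# A request host domain-matches a cookie domain when they are identical or the
# host ends with "." + domain; a leading dot on the domain is ignored.
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  dom = cookie_domain.downcase.sub(/\A\./, '')
  return false if host.match?(/\A\d+(\.\d+){3}\z/) # IP literals never domain-match
  host == dom || host.end_with?(".#{dom}")
end

# A Set-Cookie without a Domain attribute is "host-only": returned only to the
# exact host that set it, so orgA's session cookie is never sent to orgB.
Cookie = Struct.new(:name, :value, :domain, :host_only)

def store_cookie(jar, set_by_host, name, value, domain: nil)
  if domain.nil?
    jar << Cookie.new(name, value, set_by_host.downcase, true)
  else
    dom = domain.downcase.sub(/\A\./, '')
    # Browsers discard a Domain attribute that does not cover the setting host.
    jar << Cookie.new(name, value, dom, false) if domain_match?(set_by_host, dom)
  end
  jar
end

# Names of the cookies the browser would attach to a request for request_host.
def cookies_for(jar, request_host)
  host = request_host.downcase
  jar.select { |c| c.host_only ? host == c.domain : domain_match?(host, c.domain) }
     .map(&:name)
end

# Scenario from the multi-tenant question above: a host-only session cookie on
# orgA, a super-admin cookie scoped to the parent domain, and one bad attempt.
def demo
  jar = []
  store_cookie(jar, 'orgA.application.com', '_app_session', 'abc')          # host-only
  store_cookie(jar, 'admin.application.com', '_admin', 'xyz', domain: '.application.com')
  store_cookie(jar, 'orgA.application.com', '_ignored', '1', domain: 'other.com') # discarded
  {
    orga: cookies_for(jar, 'orgA.application.com'),
    orgb: cookies_for(jar, 'orgB.application.com'),
    apex: cookies_for(jar, 'application.com')
  }
end
```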

Is it possible to access cookies which exists on another application in IIS?

I have 2 websites on my IIS7 and I can put the same domain on both of them. I want some cookies to be shared between the two applications, so that I can create the cookie from one of them and read it from the other one. Is that possible? Do I need any custom configuration to do that?
Note: of my websites, one is an ASP.NET Forms website and the other is MVC.
When you create the cookie specify the domain:
var cookie = new HttpCookie("foo", "bar")
{
    // indicates that only server side scripts can read this cookie
    HttpOnly = true,
    // indicates that the cookie will be available throughout the entire domain
    Domain = "example.com"
};
Response.AppendCookie(cookie);
Now on the other application you will be able to access this cookie (assuming of course it is running on the same domain):
var cookie = Request.Cookies["foo"];
Cookies are sent by the client to any URL in the cookie's domain (and optional path).
They have nothing to do with the server-side application; as long as the application is in the cookie's domain name and path, it will receive all cookies.
If both applications are at the top level, there is no need for any custom configuration, but if either application is on a subdomain, then you have to set the cookie properly so that subdomains can access it. In that case, the following web.config modification is needed:
<httpCookies domain=".yourdomain.com" />
Yes, if you append the cookie rather than only adding it, like: Response.AppendCookie(your cookie name)
Remember that in an ASP.NET web site you can get the cookie with
string a = Request.Cookies["Your Cookie Name"].Value
or something like that.

Can I have my domain authenticated for the regular domain and www.mydomain?

How can I have a user automatically logged in to my website if he goes to mydomain.com or www.mydomain.com?
The problem is that cookies set on the main domain are not automatically accessible on the subdomain. Authentication in your application is handled through sessions, which are persisted between requests by a cookie. That the cookie should be accessible to your subdomains has to be set explicitly when the cookie is created. This question dealt with how:
Problem with sessions, subdomains and authlogic in Rails

Copying cookies from main domain to subdomain

My application has a userspace which used to be accessed by a url like domain.com/~username, but I am in the process of converting that to using subdomains instead (username.domain.com). However, I am running into an issue that I'm hoping someone might have an idea of how to get around.
Currently, visitors to a user's site get a cookie of the form user<id>_authentication (where <id> is the user ID of the site they're visiting), which is set to have the domain www.domain.com. However, now that I'm switching to subdomains, I want to find those cookies and transfer them to a new cookie called authentication per subdomain, using the subdomain as the cookie domain. However, the rails cookies array does not find the main domain cookies.
I know that if the old cookies were using .domain.com as the domain instead, they'd apply to the subdomain and would be present in cookies, but these cookies are already existing, and I'm trying to make the change as seamless for a user as possible -- so if they had an authentication cookie already for a site, I want them to not have to reauthenticate if at all possible.
Is there any way I can get the cookies from the main domain or does anyone have another suggestion of how I can transfer the cookies?
Update: Sorry, I didn't make it clear before, the cookie is only set if the visitor actively authenticates themselves by submitting a form on the user's site.
If you change the cookie domain to be more permissive (applying to more subdomains), you have no way to read the old, more restricted cookies except from the top-level domain that used to work.
You will have to read the cookie, authenticate, and then write a new more permissive cookie before the cookie can be read by the subdomain.
You can roll out your migration logic in advance of the feature and hope you get most people. The rest will have to re-authenticate manually.
Personally I think they should have to re-authenticate; it will only happen once, then they'll have the new ".domain.com" cookie.
But... one way to achieve this would be to check for the new cookie and, when failing to find it, redirect to a new page on the main domain, providing the return URL.
In that new page, check for the old-style cookie, set the new-style cookie, and redirect to the original URL. If they don't have the old-style cookie, redirect to the login area.
Hope this helps.
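Added example, mine rather than the answerer's code: the two-step bounce described above as plain Ruby functions, so the control flow can be exercised without a running Rails app. The host names, the /migrate endpoint, the user_id argument and the return_to parameter are assumptions; the return URL is checked against the parent domain so the migration page cannot be used to redirect visitors off-site.

```ruby
# Added example: the redirect-based cookie migration from the answer above as
# plain Ruby functions. Host names, endpoint paths, cookie names and the
# return_to/user_id parameters are assumptions made for illustration.
require 'uri'

MAIN_HOST = 'www.domain.com'  # where the old host-only cookies live
PARENT    = 'domain.com'      # new cookies are scoped to .domain.com

# Accept only return URLs on our own domain; otherwise the migration endpoint
# would send users wherever return_to points.
def safe_return_url?(url)
  u = URI.parse(url)
  u.scheme == 'https' && !u.host.nil? &&
    (u.host == PARENT || u.host.end_with?(".#{PARENT}"))
rescue URI::InvalidURIError
  false
end

# A request to username.domain.com. `cookies` is what the browser sent for that
# host; the old www.domain.com cookie is not among them, so bounce to the main
# domain carrying the URL to come back to.
def subdomain_request(url, cookies)
  return { status: 200 } if cookies.key?('authentication')
  back = URI.encode_www_form_component(url)
  { status: 302, location: "https://#{MAIN_HOST}/migrate?return_to=#{back}" }
end

# A request to www.domain.com/migrate, where the old cookie IS visible: copy it
# into the new parent-domain cookie and send the visitor back, or to login.
def migrate_request(user_id, return_to, cookies)
  return { status: 400 } unless safe_return_url?(return_to)
  old = cookies["user#{user_id}_authentication"]
  return { status: 302, location: "https://#{MAIN_HOST}/login" } if old.nil?
  { status: 302, location: return_to,
    set_cookie: { name: 'authentication', value: old, domain: ".#{PARENT}",
                  secure: true, httponly: true } }
end
```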
