Ultimately we want single sign-on for two applications, one is a rails app and one .net.
Is there a way login to a rails application using devise and cookie session store, and have a .net read this cookie to determine what user is logged in? We are open to switching session stores if that would help.
We would like to keep all auth in Rails, but use the cookie session to allow or deny access to .net application.
Yes, you definitely can do this.
If the session is stored solely in cookies then all you need to do is parse the cookies like rails does. Take a look at ActionDispatch::Request::Cookies to get a better feel for how rails uses cookies.
If on the other hand you store the session in Memcache, Redis, Mysql (or any other external store) you can get the session id from the cookie then look it up in the external store. This is probably easier and slightly more DRY.
As long as you have access to the session cookies you should be able to mirror the Rails session manipulation code in your .NET application and "share" session. I encourage you to start by reading deeper into how Rails handles session.
Related
We have the requirement for doing a "Single Sign On" between Rails and Java applications. Both the applications are sharing the same database. Currently Rails is making use of default - Cookie based store and we are planning to switch it to Active Record session store, so that it will maintain the sessions in the database and which can be further leveraged for providing the seamless access into these 2 applications using SSO - by identifying the active session of the user.
So is there a way we could find the active session for a user from sessions table ? Would there be a chance of having multiple active sessions for a single user in sessions table ? If yes, we should be referring to most recent entry right ? Any additional things we should consider for doing SSO between these application ? Please note, both are sharing the same database.
Sharing db between multiple applications is not implementation of SSO.The standard sso implementation need a CAS(Central Authentication Service),which provide authentication service for other applications.All users access to other applications need rediect to CAS for authentication.
If you want to share session info by sharing db, this gem maybe help.Furthermore, it's bad idea to sharing db between multiple applications, it make application hard to maintain.
I am building a Rails app that will live in the subdomain of a Symfony 2 app (PHP). They will be used by the same type of users, and so we want them to go back and forth between the apps and ideally only login once.
I've seen some solutions on how to share session between subdomains for the same kind of apps, but no solution for sharing session between Symfony and Rails. Is it possible?
I was particularly intrigued that Rails session_store can use a database backend -- the default is cookie. That makes me wonder if both apps were to use the database backend, would they be able to share the sessions?
What other alternatives can I use to make this work, if it can work?
Sure it is possible, but I don't know how much work you have to put in ;)
The main thing is the Session ID. It all depends on that. You must make both applications use the same session storage, else it's impossible.
It doesn't matter if you store the SessionId in a database, in a file (would be pretty slow) or somewhere else, as long as both applications use it.
As you mentioned, Rails supports sessions inside a database out of the box. There's also another way in Rails: Memchached Storage. It's more or less an own database, which is optimized for fast key-value lookups.
So you should look if there's a Symfony plugin that supports either SessionId in database or in a Memcache Storage.
Have a look here: http://watsonbox.github.com/blog/2012/05/01/sharing-session-between-rails-and-php/
Forgot to mention: Both applications must also use the same SESSION_ID name inside the cookie ;)
I am interested in deploying a Node.js along side my Rails application server. Just as a reference, I plan on using socket.IO to create a chat server, so users will be able to chat inside of my web application.
My current application uses Authlogic to authenticate users. I would like to ensure that only a user cannot read other users' messages, so I will need to authenticate the user session somehow. My Node.js will have access to my database, and I know Rails can store the sessions inside of the database, so I would like to use this feature to authenticate chat users. The problem is, I have no idea how to go about doing that. I'm not even sure what information is present in the session, and I do not know how I can use this information to authenticate a user.
Thanks in advance!
The rails session is tricky to use from other languages: it's just a serialised ruby object and pretty much the only documentation for the marshal format is the implementation/rubyspec.
However authlogic doesn't actually store anything in the session: it has a separate cookie (user_credentials by default, assuming your model is User)
The data in that cookie is "#{user.persistence_token}::#{user.id}", so you should be able to easily verify this from your js code
I want to to decouple some parts in my rather large app and delegate them to an external node app, mainly for uploads but authentication remains a problem.
On the Rails side I'm using Devise, clients and forms will point to this new subdomain where the node app resides.
The node app is using express and I can connect to the shared database through the mysql module.
The idea is to use heroku for the main app, and delegate uploads to a node app running on a EC2 instance. In order to access the app I want to pass authentication informations, given that this endpoint will used by both API clients and web forms.
Devise has support for authentication tokens passed via URL, but I'm wondering what are your solutions.
Well if your subdomains are just 1-dot apart like www.myapp.example and uploads.myapp.example, you can share both the session cookie and the session info in the DB. I would just code the node app to validate the session cookie on every request the same way devise does and you're done. Is the upload subdomain user facing, as in does it render HTML to the browser or have to display a login form? If so, than the shared session table in the DB is probably not the best idea, but if the node.js is just for uploads and can redirect to www.myapp.example when the session is not valid, all should be well. Just make sure you set the domain field of the cookie to .myapp.example.
I'm interested in knowing whether a session is created by pages requested by web crawlers and bots. I am using MySQL as a the session store and would like to prevent requests by web crawlers and bots from creating unnecessary session entries.
Since your server creates sessions, every request to it, would create a session :)