I have set up an asset host at assets.domain.com but it appears that cookies are being sent with requests to assets.domain.com. I read somewhere that if you have cookies set to domain.com then this will happen.
So I guess I'm trying to set cookies only to www.domain.com so that requests to assets.domain.com will not send cookies. (I also have a permanent redirect from domain.com to www.domain.com)
How do I do this in Rails??
To set a cookie on specific domain:
cookies[:my_cookie] = {:value => 'Tasty Cookie', :domain => 'www.domain.com'}
One gotcha is that you must also specify the domain when you delete domain-specific cookies:
cookies.delete(:my_cookie, :domain => 'www.domain.com')
To make sure I don't forget, I usually make a helper for setting and deleting cookies where the default domain is always specified.
Related
I've been trying to use the rails ActionController cookies tool to expire a cookie that is set by a different application on the same subdomain.
Essentially a legacy app sets a cookie called "ORG_SID" that contains a UUID session_id as it's value, an expire set to "Session", etc.
In my controller I've tried:
cookies.delete('ORG_SID', domain: :all)
cookes['ORG_SID'] = {:expires => Time.at(0), :domain => :all}
I've also tried the exact subdomain of the cookie as well as the TLD of the cookie as inputs to domain.
In each case the cookie is unmodified, by the controllers actions.
I am developing a rails application that supports various subdomains. There is a root domain such as example.com and a user logs in through it and then redirects a user to specific subdomain url, group.example.com and users can jump between subdomain urls depending on which group they have access to. How to I set up domain attribute in session cookie so that it would not be available between subdomains (ex2.example.com and ex3.example.com)?
EDIT:
I am sorry I meant session cookies. I want to send different cookies for each subdomain urls.
Have a look at the documentation of the Cookie class. You can specify the domain when you create/delete the cookie.
cookies[:name] = {
value: 'a yummy cookie',
domain: 'ex2.example.com'
}
Of course, the value can be taken from the current request.
cookies[:name] = {
value: 'a yummy cookie',
domain: request.host
}
Here's the options
domain: nil # Does not sets cookie domain. (default)
domain: :all # Allow the cookie for the top most level
# domain and subdomains.
domain: %w(.example.com .example.org) # Allow the cookie
# for concrete domain names.
just add domain: my.subdoma.in to the cookie
btw: the user cookie should be available in all subdomains and you need to controller-check if he is having access to the group. this is the better way to do.
I am trying to use Rails 4 routing to redirect to a particular subdomain ("secure") for one page only (the shopping cart). (The reason I need to do this is that the SSL certificate is available only on the secure subdomain.) Currently, I have the following:
get '/cart' => redirect { |p, req| req.url.sub('http:// site.com', 'http://secure.site.com') }, :constraints => { :host => 'site.com' }
This works, but then every subsequent link that the user clicks on retains the secure subdomain when I'd like it to default back to the root domain (site.com; no www).
What's the best way to achieve this?
The reason for that is that usually all link href attributes are relative paths, so '/controller/action', not 'http://example.com/controller/action'. The relative path means that the same (sub)domain is assumed.
You could change all the links to use _url instead of _path, but I would recommend against it.
Instead I would suggest to write a rack middleware and do redirection there based on the full path or handle it at the application server (nginx, apache etc) configuration level.
Or even better, why don't you have all your links under https? Sounds like the best way to me:)
I got my session variables being saved to all subdomains on my site via this:
Site::Application.config.session_store(
:cookie_store,
:key => '_site_session',
:domain => Settings.domain,
# :secure => (Rails.env.production? || Rails.env.staging?),
:http_only => true)
where Settings.domain = '.site.com'
However, the way my site is setup, each account has their own subdomain. So this caused a big error since when someone logged in, they could enter any other subdomain and have access to that account (not all information, but some..weird).
So, what I want to do is allow people to share session variables with public subdomains (signin.site.com and signup.site.com) as well as their own personal subdomain (account1.site.com). However, those are the only ones that should be able to share it. Is there a way to specify that?
I'm assuming you handle logins on a subdomain like signin.site.com. It's not allowed to set the cookie for *.site.com then.
Handling the authentication and setting the cookie from http://site.com should solve the problem.
When I added this to my staging.rb:
config.action_controller.session = {:domain => '.mysite.com'}
... and I try to access a subdomain after already being logged in, it doesn't recognize me and sends me back to the root domain. If I try to logout, it logs me back in.
The only way I get this to work is by removing the cookies in the browser manually.
How do I reset all users cookies when I make a change like this in Rails? Is there a standard approach?
You should be able to invalidate all sessions by changing the secret used to encode cookie-based sessions. This is could be assigned like this:
config.action_controller.session = {
:domain => '.mysite.com',
:secret => 'somethingreallyrandomnotactuallythis'
}
In Rails 3 this is done in config/initializers/secret_token.rb:
My::Application.config.secret_token = 'somethingreallyrandomnotactuallythis'