Access rails session information by session id - ruby-on-rails

I'm using the default cookie based session store. Basically, I'm using heroku and I need to go from my app: http://test1.myapp.com over to heroku for one page: http://myapp.heroku.com/billing - so I need to access the session when I go to the heroku url. I'd like to access the session[:user_id] on the heroku page, but when I go to the heroku page a new session is generated.
I was thinking I could pass the session_id on the main url in the querystring, but I don't know how to access it from the heroku url page.
I tried this:
session[params[:sid]][:user_id]
but it's not working. Is it possible to access session information if you know the session id? Or is there another way to read session information from another url (but all in the same rails app)?
Thanks.

In order for that to work you will need to set up your domain in Heroku so that the Heroku app is running under the same TLD as the main app. To do that, add your domain to your billing app like so:
$ heroku domains:add billing.myapp.com
Make sure to follow Heroku's instructions to set up your DNS.
Your billing app will then live at http://billing.myapp.com/billing (on Heroku). That way the controller should be able to access the same session and cookies.
Be sure to set the session domain in environments/production.rb in both apps:
config.action_controller.session = { :domain => ".myapp.com" }
I should also mention that you might consider using some kind of shared authentication or token authentication between the apps, since cookies can potentially be hacked or otherwise compromised.
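As an added example (not code from the question or the answer above), here is why the session cookie disappears on the hop from test1.myapp.com to myapp.heroku.com and why a Domain of ".myapp.com" (the ".myapp.com" setting in this answer, or the `:domain => :all` setting in the "Rails Checkout SSL heroku" thread below, which derives the same value from the request host) makes it reach billing.myapp.com. The code implements the cookie domain-matching rule of RFC 6265 in plain Ruby; the cookie struct and the host list are constructed for the demonstration.

```ruby
# Added example: RFC 6265 cookie domain matching, applied to the hosts
# from the question. Not part of the original answer.

# A cookie as the browser stores it. domain == nil means a host-only cookie
# (no Domain attribute), which is what Rails sets unless :domain is given.
Cookie = Struct.new(:name, :set_by_host, :domain, keyword_init: true)

# RFC 6265 section 5.1.3: the request host matches a cookie domain when it is
# identical to it or ends with "." + the domain. A leading dot ("." + domain,
# as in ".myapp.com") is ignored by modern browsers.
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  dom = cookie_domain.downcase.sub(/\A\./, "")
  host == dom || host.end_with?(".#{dom}")
end

# Would the browser attach this cookie to a request for request_host?
def cookie_sent_to?(cookie, request_host)
  if cookie.domain.nil?
    # host-only cookie: only the exact host that set it
    request_host.downcase == cookie.set_by_host.downcase
  else
    domain_match?(request_host, cookie.domain)
  end
end

# Constructed scenario: the default session cookie versus one scoped to
# ".myapp.com", both set while the user was on test1.myapp.com.
DEFAULT_SESSION = Cookie.new(name: "_myapp_session",
                             set_by_host: "test1.myapp.com", domain: nil)
SHARED_SESSION  = Cookie.new(name: "_myapp_session",
                             set_by_host: "test1.myapp.com", domain: ".myapp.com")

def reachable_hosts(cookie, hosts)
  hosts.select { |h| cookie_sent_to?(cookie, h) }
end

if __FILE__ == $0
  hosts = %w[test1.myapp.com billing.myapp.com myapp.heroku.com]
  p reachable_hosts(DEFAULT_SESSION, hosts) # => ["test1.myapp.com"]
  p reachable_hosts(SHARED_SESSION, hosts)  # => ["test1.myapp.com", "billing.myapp.com"]
end
```

No cookie domain reaches myapp.heroku.com from myapp.com, which is why the answer moves the billing app under billing.myapp.com rather than trying to pass the session id in the query string.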

Related

Ruby on Rails: Handle domain and subdomain level cookies simultaneously

In an environment where a very big online application/web is divided into subdomains:
app1.mydomain.com
app2.mydomain.com
Each app is able to handle its subdomain session cookie.
However, in order to maintain certain data live through all apps, like session provider and account information in a multi-single-sign-on environment, it would be useful to also store/access session cookies at a domain level:
mydomain.com
What would be the best approach to handle simultaneously domain level and subdomain session cookies in Ruby on Rails? One issue would also be that this domain level cookie should be encrypted with the same hash across all applications/subdomains, which can be done, but doesn't fully integrate with Rails session design, unless all application share their secret token.
Best I could think of is to use Rails' default session handler for subdomain cookies, and manually create a domain level cookie handler; however it would be cool to be able to use session and domain_session as it is designed to be used more easily, though this is not a common issue.

Sharing session across rails apps on different subdomains

I am trying to implement a single-sign-on solution for multiple rails (v3.2) apps hosted at different subdomains of example.com
One app serves as an identity provider, uses devise for auth, and sits at users.example.com
The other apps rely on the identity provider for authentication, use devise+omniauth, with domains of [app1.example.com, app2.example.com, and example.com].
This blog entry inspired much of my implementation: http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/
I have it working fine, but the problem remains that the sessions are not shared, so after I log in on the identity provider, I still have to make a call from each of the other apps to authenticate, and I need this to be seamless to the user.
I tried using the same secret token at secret_token.rb, same session key at session_store.rb and :domain => :all (also tried '.example.com' and 'example.com' as values). Still no luck.
Doing the above, I see in a session.inspect that after login on the identity provider the session variable "warden.user.user.key" is populated. When I immediately go to the app on app1.example.com, the session.inspect shows the same session_id and _csrf_token but the "warden.user.user.key" variable is now missing.
I feel like I am missing something silly. Any ideas what that may be?
I think there is another SO question about getting a single cookie to work across subdomains that would answer yours:
https://stackoverflow.com/a/10403338/2573896
Also, I can imagine that using a memcached cluster with dalli and memcached as your session store would work as well:
http://awesomerails.wordpress.com/2011/08/23/rails-3-memcached-session-store/
For the purpose of your application, the first solution makes more sense though.

Wildcard domains on heroku

How can I use wildcard domain on Heroku? My application is using subdomain.
I followed the Heroku custom domain article and mapped my *.mydomain.com to myapp.herokuapp.com. When I visit dev.mydomain.com it points to the Heroku app, but on the Heroku app I can't find the subdomain.
In short I want to use subdomain on heroku, like dev.myapp.herokuapp.com. Any suggestions?
The wildcard setup on Heroku instructs Heroku to point any request for a subdomain of given domain to your application.
But Heroku's responsibility stops here. Your application must then be able to handle such requests at the application level.
In Rails, you can inspect the request details with the request object in your controller. And you can access the specific subdomain with request.subdomain.
So, for example, if you added *.example.com and someone accesses foo.example.com, the request object will respond with the following values:
request.host
# => foo.example.com
request.subdomain
# => foo
Now it's your responsibility to use such information in your app according to what you are trying to achieve.

Rails Checkout SSL heroku

I have my app deployed with heroku and have an SSL certificate configured for one of my subdomains (secure.mydomain.com). I would like only the order part of my app to use this SSL, so in my orders controller I have a before filter to redirect the request to my secure subdomain. However, all the session information is lost when it is redirected. I think because of the subdomain. How do I redirect this so that session information (cart info which is stored in db and some id information) can be retrieved? Can someone help, please?
Thanks
Kiran
In your config/initializers/session_store.rb change it to
Yourapp::Application.config.session_store :cookie_store, :key => '_yourapp_session', :domain=>:all
The secret-sauce is the domain... When set to all, cookies will be stored across all subdomains and the main domain.

How do I let a user sign in from a different domain on Authlogic?

[This is slightly different than a previous question about having multiple domains share the same cookie. It seemed like there wasn't an easy way to do that.]
I have an application at application.com. A customer has app.customer.com pointed at my site on Heroku, and I have everything set up so that it renders a specific version of the app correctly. The issue is that I want a user at app.customer.com to be able to log in. I believe authlogic is now setting the cookie on application.com, so while it verifies the credentials, no session on customer.com is ever created.
Since cookies cannot be shared across domains, you probably need to save an identifier in a database and also pass it through the url so when the client browser hits the new domain, it sends the token for the new domain session to see and match.
It should be a long cryptographically safe token, like a UUID to keep it from being guessed by attackers.
I'm not sure how the authlogic piece fits in though.
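The handoff this answer sketches, written out as an added example (plain Ruby, not the answer's or Authlogic's code): application.com mints a random token bound to the logged-in user, stores it server side, and sends the browser to app.customer.com with the token in the URL; the customer domain redeems it once, within a short window, and only then creates its own session. The `HANDOFFS` hash stands in for the database table the answer mentions, the TTL, the user id and the target URL are constructed values, and only a SHA-256 digest of the token is stored so a dumped table does not contain redeemable tokens.

```ruby
# Added example: one-time cross-domain login handoff token. Not part of
# the original answer; HANDOFFS simulates the database table.
require "securerandom"
require "digest"
require "uri"

HANDOFF_TTL = 60   # seconds a token stays redeemable (assumed value)
HANDOFFS = {}      # SHA-256(token) => { user_id:, expires_at:, used: }

def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

# On application.com, after the credentials are verified: mint a token
# bound to the user and build the URL the browser is redirected to.
def issue_handoff(user_id, target_base, now: Time.now)
  token = SecureRandom.uuid  # 122 random bits, the UUID the answer suggests
  HANDOFFS[token_digest(token)] = {
    user_id: user_id, expires_at: now + HANDOFF_TTL, used: false
  }
  uri = URI(target_base)
  uri.query = URI.encode_www_form(handoff: token)
  uri.to_s
end

# On app.customer.com: look the token up by digest, enforce expiry and
# single use, and return the user id to start the new session for (nil
# means reject and show the login page instead).
def redeem_handoff(url, now: Time.now)
  params = URI.decode_www_form(URI(url).query.to_s).to_h
  token = params["handoff"]
  return nil if token.nil? || token.empty?
  record = HANDOFFS[token_digest(token)]
  return nil if record.nil? || record[:used] || now > record[:expires_at]
  record[:used] = true   # any replay of the same URL now fails
  record[:user_id]
end

if __FILE__ == $0
  url = issue_handoff(42, "https://app.customer.com/sso")
  p redeem_handoff(url)  # => 42
  p redeem_handoff(url)  # => nil (already used)
end
```

After redemption the receiving app should redirect to a clean URL so the spent token does not linger in the browser history or referrer logs.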
