
I have a blogs subdomain that works well; however, the sign-in is detached from all subdomains, and consequently, if a user signs in, his cookie is only valid on the non-subdomain pages. How can I set my app to make the cookies valid throughout all subdomains and normal pages?

I worked through this topic: Share session (cookies) between subdomains in Rails? but unfortunately without success. I even tried that long step-by-step Rack middleware approach, but without success.

I am using Rails 3.2.13.

Any help appreciated! :)

rails_has_elegance
  • Passing the domain should work... are you sure you're testing correctly? – aguynamedloren Mar 29 '13 at 08:02
  • Could you elaborate on that? I'm not so experienced with cookies etc. Look, this is happening when a user signs in: cookies[:remember_token] = user.remember_token. A normal standard cookie. How can I make this cookie work with all subdomains as well? – rails_has_elegance Mar 29 '13 at 19:24
  • Have you tried `:cookie_store, :key => '_your_app_session', :domain => ".yourdomain.com"`? – Yuri Golobokov Apr 01 '13 at 05:50
  • Yup, but it doesn't change anything. The cookie doesn't seem to be valid on subdomains. – rails_has_elegance Apr 01 '13 at 07:18
  • This worked out for me: http://stackoverflow.com/questions/6301121/rails-how-can-i-share-permanent-cookies-across-multiple-subdomains?rq=1 – rails_has_elegance Apr 01 '13 at 07:31
  • You should add it as an answer and accept it if it worked. I'd suggest you retry the first link (http://stackoverflow.com/questions/10402777/share-session-cookies-between-subdomains-in-rails) though. My `session_store.rb` looks like this: `Web::Application.config.session_store :cookie_store, key: "_web_session_#{Rails.env}", :domain => :all` -- I found that forcing the key to change when I added `domain: :all` fixed my problem, so now I just set it by environment to prevent clashes. – Alex Ghiculescu Apr 02 '13 at 12:11
  • If you set the domain to :all, does that allow other domains to read and write your cookie? Are you sure that you are not opening up a security hole by allowing any site to effectively read and reuse your auth cookie? At least by only opening to subdomains (using the .yourdomain.com notation) you maintain some control. Just suggesting that you should think through the ramifications of this. – Phil Apr 02 '13 at 14:26
  • Somehow the domain: :all in session_store.rb never worked out for me, I don't know why. I read about Rails and localhost not working out really well in all cases with regard to cookies. – rails_has_elegance Apr 02 '13 at 19:44

2 Answers


All I needed to do was to specify the domain when creating the cookie, as commented earlier above.

cookies[:remember_token] = { value: user.remember_token, domain: ".lvh.me" }
rails_has_elegance

Put domain: :all at the end of the line in your config/session_store.rb

eg.

YourApp::Application.config.session_store :encrypted_cookie_store, key: '_yourapp_session', domain: :all

You also may need to change this parameter in your config/environments/production.rb

config.action_dispatch.tld_length = 2

If your domain is example.com then your tld_length (Top Level Domain Length) is 1 (which is the default). example.com.au is 2, 127.0.0.1.xip.io is 5, and so on.

Chris Aitchison