11

Hi, I have a multitenant Rails 4 application that has a simple sign-in solution. However, each user has a subdomain that the user gets redirected to after login.

The problem is that as they arrive at the subdomain they are not logged in anymore due to the known problem that sessions are not shared across subdomains.

I have tried several different solutions to this problem, however I do not get the session to persist across subdomains. I believe this might be due to my development environment?

I have tried all answers to this question: Share session (cookies) between subdomains in Rails?

Nothing seems to work. Is there something I'm missing here? Is it the browser or Rails 4 or....? How should I approach this problem?

Edit: My sessions_store initializer:

Imagesite::Application.config.session_store :cookie_store, key: '_imagesite_session', :domain => "imagesite.dev"

I have also tried ".imagesite.dev" and :all.

I also tried the solution described by Evan at the other question linked above.

Examples of subdomains: "ole.imagesite.dev" or "ole2.imagesite.dev" just basic subdomain based on what the user has entered as his/her subdomain.

Ole Henrik Skogstrøm
  • What does your development environment look like? Are you using pow.cx? Have you tried deleting your browser's cookies? – Ryenski Oct 04 '13 at 15:45
  • Hi, yes I'm using pow.cx and I have tried to delete cookies. But I have also tried starting up a server and accessing it with lvh.me:3000. – Ole Henrik Skogstrøm Oct 04 '13 at 17:38

3 Answers

15

I finally solved it!

I had to set the domain when I create the auth_token cookie, like this:

cookies[:auth_token] = { value: user.auth_token, domain: ".lvh.me" }

and like this to delete the cookie:

cookies.delete(:auth_token, :domain => '.lvh.me')

Complete example:

  def create
    user = User.find_by_username(params[:username])
    user ||= User.find_by_email(params[:username])
    if user && user.authenticate(params[:password])
      # session[:user_id] = user.id
      if params[:remember_me]
        cookies.permanent[:auth_token] = { value: user.auth_token, domain: ".lvh.me" }
      else
        cookies[:auth_token] = { value: user.auth_token, domain: ".lvh.me" }
      end
      redirect_to root_url(:subdomain => "#{current_user.subdomain}"), notice: "You are now logged in."
    else
      flash.now.alert = "Email or password is invalid"
      render "new"
    end
  end

  def destroy
    # session[:user_id] = nil
    cookies.delete(:auth_token, :domain => '.lvh.me')
    redirect_to root_url(:subdomain => false), notice: "Logged out"
  end
Ole Henrik Skogstrøm
5

With Rails 4.2.5.1, the following works for me:

Rails.application.config.session_store :cookie_store, key: '_magic_session', tld_length: 2

Yes, without the domain: option.

Update: It's better to set the domain: option to :all.

Rails.application.config.session_store :cookie_store, key: '_magic_session', domain: :all, tld_length: 2

It may have to be domain: "magic.com" if env["HTTP_HOST"] holds an IP address, not a domain name, in the development environment or behind a proxy. For nginx, proxy_set_header HOST $host:$server_port; can preserve the domain name.

builder
  • @xiaopang, That's my wish, too. I tried not to hard-code it, but in some combination of domain only and subdomains, the session wasn't retrieved. That's after clearing the browser's cookies. – builder Mar 22 '16 at 22:47
  • yep, seems like it is not possible, I just added environment check development/production to set different session store. – fuyi Mar 24 '16 at 10:27
  • @xiaopang: See my edited update... our wish has been granted :). No need to set different session stores. – builder Mar 25 '16 at 02:11
  • it works, but I think I need to set `tld_length: 2` to `tld_length: 3` if main domain name is sub.domain.co.uk? Thanks! – Gediminas Šukys Sep 29 '16 at 06:18
  • Not tested it myself, but I'm pretty sure that should be the case. – builder Sep 30 '16 at 00:04
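
Added example (not part of the answers above and not Rails' own code): a simplified Ruby model of how `domain: :all` with `tld_length` picks the cookie's Domain attribute, assuming Rails keeps the last `tld_length` labels of the request host and skips IP-address hosts. `cookie_domain_for`, `ip_address?` and `sent_to?` are hypothetical helper names, and the hosts are constructed from the names used in this thread.

```ruby
require "ipaddr"

# True when the host is a literal IPv4/IPv6 address rather than a name.
def ip_address?(host)
  IPAddr.new(host)
  true
rescue IPAddr::Error
  false
end

# Simplified model of `domain: :all` (assumption, not Rails source): keep the
# last `tld_length` labels of the request host and prefix a dot. Returns nil,
# meaning a host-only cookie, for IP addresses or hosts with too few labels.
def cookie_domain_for(host, tld_length: 2)
  host = host.sub(/:\d+\z/, "").downcase   # drop a port such as :3000
  return nil if ip_address?(host)
  labels = host.split(".")
  return nil if labels.length < tld_length
  "." + labels.last(tld_length).join(".")
end

# RFC 6265 domain matching: would a browser send the cookie to `host`?
# `origin_host` is the host that set the cookie (used for host-only cookies).
def sent_to?(cookie_domain, origin_host, host)
  return host == origin_host if cookie_domain.nil?
  bare = cookie_domain.sub(/\A\./, "")
  host == bare || host.end_with?("." + bare)
end

# Constructed sample hosts based on the names used in this thread.
[
  ["ole.imagesite.dev", 2],
  ["lvh.me:3000", 2],
  ["sub.domain.co.uk", 2],   # too broad: scopes the cookie to .co.uk
  ["sub.domain.co.uk", 3],
  ["127.0.0.1:3000", 2]      # IP host: no shared domain can be derived
].each do |host, len|
  domain = cookie_domain_for(host, tld_length: len)
  puts format("%-20s tld_length=%d -> %s", host, len, domain.inspect)
end
```

With `tld_length: 2` on a `co.uk` host the derived domain is `.co.uk`, a public suffix that browsers refuse to accept as a cookie domain, so check the derived value for each deployment host before relying on it.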
0

Manually setting the domain in the session initializer has always worked for me. Can you post your initializer? And also maybe some examples of the subdomains that you're trying to move between?

Jeremy Green