0

I have read

But I am unable to get a solution for the following setup:

  • A SaaS Webapp in Rails is running under example.com
  • All users have a subdomain, e.g. user1.example.com
  • Users can create a CNAME forwarding, e.g. exampleapp.user1.com -> user1.example.com

It is all working until a user tries to log in via exampleapp.user1.com. The SaaS app fails to set the session domain right, because it is configured statically on app startup.

config.action_controller.session = {
  :session_key => '_example_session',
  :domain => ".example.com",
  :secret      => 'abc'
}

The request fails with an ActionController::InvalidAuthenticityToken. And that is correct, because the domain changed from .example.com to exampleapp.user1.com.

How do I change the domain config during runtime? I know that the "incoming" domain exampleapp.user1.com belongs to user1, so I want to do something like that in the controller:

session :domain => 'exampleapp.user1.com'

Or can I always set the session domain on the current request domain? I know that it's possible somehow, because some apps provide that functionality.

Thanks in advance!

Community

2 Answers

1

:domain => :all on the cookie config may work.

For CNAME'd domains, it will be set to .theirdomain.com

For your custom subdomain, it will go to .yourdomain.com, which may or may not be good

0

Just don't set the domain, since apparently you don't need to share a session cookie across example.com and user1.example.com. By not specifying a domain, the default cookie behavior is just to be set for the current request domain.

Benjamin Curtis
  • Ok, that is a working solution. A whitelisting-check before cookie creation would have been nice... Now it has to be after cookie creation. – Jesus Leier Apr 16 '10 at 10:03
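
The allowlist check mentioned in the comment above, run before any session cookie is issued, as an added example that is not part of the original thread or of Rails itself. CUSTOM_DOMAINS, the function names and the sample hosts are hypothetical and constructed for illustration; the code is plain Ruby and leaves the cookie host-only (no :domain), as the second answer suggests.

```ruby
# Added example (not from the thread): validate the request host against an
# allowlist first, then issue a host-only session cookie.
BASE_DOMAIN = "example.com"
# Constructed mapping of customer CNAME hosts to the tenant they belong to.
CUSTOM_DOMAINS = { "exampleapp.user1.com" => "user1" }.freeze
DNS_NAME = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/

# Normalise a Host header value: lowercase, drop the port and a trailing dot.
# Returns nil for anything that is not a plain DNS name.
def normalize_host(raw)
  return nil if raw.nil?
  host = raw.strip.downcase.sub(/:\d+\z/, "").chomp(".")
  host.match?(DNS_NAME) ? host : nil
end

# Tenant for an allowed host, or nil. Allowed hosts are registered CNAMEs and
# exactly one label directly under BASE_DOMAIN (user1.example.com).
def tenant_for(host)
  return CUSTOM_DOMAINS[host] if CUSTOM_DOMAINS.key?(host)
  suffix = ".#{BASE_DOMAIN}"
  return nil unless host.end_with?(suffix)
  label = host[0...-suffix.length]
  (label.empty? || label.include?(".")) ? nil : label
end

# Session cookie decision for one request. nil means the host is not on the
# allowlist: the caller should reject the request and set no cookie.
def session_cookie_options(raw_host)
  host = normalize_host(raw_host)
  tenant = host && tenant_for(host)
  return nil unless tenant
  # No :domain key, so the browser scopes the cookie to this exact host and
  # it is not shared with other tenants' subdomains.
  { tenant: tenant, host: host,
    cookie: { key: "_example_session", httponly: true } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Host headers.
  ["exampleapp.user1.com", "User1.Example.com:443",
   "example.com.other.test", "unknown.customer.test"].each do |h|
    puts "#{h.inspect} -> #{session_cookie_options(h).inspect}"
  end
end
```

In a Rails app this decision would sit in a before filter or Rack middleware ahead of the session store, so a request with an unregistered Host never receives a session cookie.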