config.action_controller.session[:secret] vs protect_from_forgery :secret

What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it’s (supposedly) just a matter of sharing the same key and secret among the apps, like this:

config.action_controller.session = { :session_key => '_apps_session', :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996' }

This being put in config/environment.rb of all the apps you want the session to be shared with.

Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.

One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret].

What I would like to know is, if I'm setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of a different nature?

Thanks,

Marcelo.

> What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it's (supposedly) just a matter of sharing the same key and secret among the apps, like this:
>
> config.action_controller.session = { :session_key => '_apps_session', :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996' }
>
> This being put in config/environment.rb of all the apps you want the session to be shared with.
>
> Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.

There is more you need to do: the browser won't send the cookie from app1.example.com when the user's browser makes a request to app2.example.com. There is an option called something like :session_domain that allows you to set the domain used by your session cookie (I think it changed to :domain for 2.3).

> One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret].
>
> What I would like to know is, if I'm setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of a different nature?

The two are mostly unrelated if my memory is correct.

Fred
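To make the two points in this thread concrete, here is an added Ruby example (written for this page, not Rails' own code and not from either poster) that models how a Rails 2.x cookie-store session value is signed with the shared session :secret, why an app configured with a different secret rejects another app's cookie, and where the cookie domain fits in. The secret strings, the user_id payload and the .example.com domain are constructed; Rails serialized with Marshal, while this model uses JSON.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Simplified model of a Rails 2.x CookieStore session cookie: the serialized
# session is Base64-encoded and signed with HMAC-SHA1 keyed by the
# config.action_controller.session[:secret] value. Apps that share the
# secret can read each other's cookies; the protect_from_forgery secret
# plays no part in this check.
class SharedSessionCookie
  COOKIE_NAME = '_apps_session' # the :session_key shared by all apps

  def initialize(secret)
    @secret = secret
  end

  # Cookie value an app would emit: "<base64 payload>--<hex hmac>"
  def generate(session_hash)
    payload = Base64.strict_encode64(JSON.generate(session_hash))
    "#{payload}--#{digest(payload)}"
  end

  # Verify, then decode. Returns nil on a bad or missing signature, which is
  # what a second app sees when its :secret differs from the issuing app's.
  def load(cookie_value)
    payload, sig = cookie_value.to_s.split('--', 2)
    return nil if payload.nil? || sig.nil?
    return nil unless secure_compare(sig, digest(payload))
    JSON.parse(Base64.strict_decode64(payload))
  end

  # Set-Cookie header; the domain attribute (Rails :session_domain / :domain)
  # is what makes the browser send the cookie to app1 and app2 alike.
  # (Real cookies would URL-escape the value; omitted here for readability.)
  def set_cookie_header(session_hash, domain: '.example.com')
    "Set-Cookie: #{COOKIE_NAME}=#{generate(session_hash)}; domain=#{domain}; path=/; HttpOnly"
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), @secret, payload)
  end

  # Constant-time comparison so a signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```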