config.action_controller.session[:secret] vs protect_from_forgery :secret

What I want to do is share the same session across many Rails applications. All of them are using Rails 2.2.2. I know that, to share the session, it’s (supposedly) just a matter of sharing the same key and secret among the apps, like this:

config.action_controller.session = {
  :session_key => '_apps_session',
  :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'
}

This goes in config/environment.rb of all the apps you want the session to be shared with.

Now, some of the apps are returning in the HTTP response a session id (_apps_session=big number) that is different, even though they have the same session_key and secret.

One thing that I noted, though, is that these apps are also providing a :secret to protect_from_forgery, and the number is different from the number passed to the :secret on config.action_controller.session[:secret].

What I would like to know is, if I’m setting the secret in config.action_controller.session, do I need to pass it to protect_from_forgery? Or are they secrets of different nature?

Thanks,

Marcelo.
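The shared-secret part of the question, as an added example that is not from the thread and not Rails' own code: a simplified stand-in for the Rails 2.x CookieStore cookie layout (base64 marshalled session, two dashes, hex HMAC-SHA1 over the data), showing that two apps with the same secret accept each other's cookies while an app with a different secret, or a modified cookie, rejects it before anything is deserialized. The class and method names are mine, the session values and the third app's secret are constructed for the demonstration, and the shared secret is the one from the post above (a published secret is burnt and must never be reused).

```ruby
require 'base64'
require 'openssl'

# Simplified stand-in for the Rails 2.x CookieStore cookie format
# ("<base64 marshalled session>--<hex HMAC-SHA1>"). Illustration only, not Rails code.
class SignedSessionCookie
  SECRET_MIN_LENGTH = 30 # Rails 2.x also refuses secrets shorter than this

  def initialize(secret)
    if secret.to_s.length < SECRET_MIN_LENGTH
      raise ArgumentError, "secret must be at least #{SECRET_MIN_LENGTH} characters"
    end
    @secret = secret
  end

  # Serialize the session hash and sign the serialized form with the secret.
  def dump(session)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{digest(data)}"
  end

  # Verify the MAC *before* Marshal.load runs: unmarshalling attacker-controlled
  # bytes is a code-execution risk, so the secret is the only thing standing
  # between the client and the deserializer. Returns nil for a cookie that was
  # tampered with or issued under a different secret.
  def load(cookie)
    data, mac = cookie.to_s.split('--', 2)
    return nil if data.nil? || mac.nil?
    return nil unless secure_compare(digest(data), mac)
    Marshal.load(Base64.strict_decode64(data))
  rescue ArgumentError # malformed base64
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  # Constant-time comparison so the MAC cannot be recovered byte by byte from
  # response timing; the result is the same as comparing with ==.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Secret from the post above; a published secret is burnt and must never be reused.
SHARED_SECRET = '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'

# Two apps configured with the same secret read each other's cookies; an app
# with a different secret, or a modified cookie, is rejected before Marshal.load.
def signing_demo
  app1 = SignedSessionCookie.new(SHARED_SECRET)
  app2 = SignedSessionCookie.new(SHARED_SECRET)
  app3 = SignedSessionCookie.new('a' * 40) # constructed: misconfigured app with another secret

  cookie   = app1.dump(:user_id => 42)
  tampered = cookie.sub('--', 'A--') # append a byte to the data part, MAC unchanged
  {
    :same_secret  => app2.load(cookie),   # {:user_id => 42}
    :other_secret => app3.load(cookie),   # nil
    :tampered     => app2.load(tampered)  # nil
  }
end
```

The point for the question: the cookie value is the session itself plus a MAC keyed on `:secret`, so a matching `:secret` (and `:session_key`) is necessary for one app to accept another's cookie, but it is not sufficient; the browser still has to present that cookie to the second host at all, which is a cookie-scope matter rather than a signing one.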

> What I want to do is share the same session across many Rails applications.
> All of them are using Rails 2.2.2. I know that, to share the session, it's
> (supposedly) just a matter of sharing the same key and secret among the
> apps, like this:
>
> config.action_controller.session = {
>   :session_key => '_apps_session',
>   :secret => '71b94f37789bbedf9062616218dab005f2ffae65de2cac6313423a70eeff07189c7694d71d5fc0996'
> }
>
> This goes in config/environment.rb of all the apps you want the session
> to be shared with.
>
> Now, some of the apps are returning in the HTTP response a session id
> (_apps_session=big number) that is different, even though they have the same
> session_key and secret.

There is more you need to do: the browser won't send the cookie from
app1.example.com when the user's browser makes a request to
app2.example.com. There is an option called something
like :session_domain that allows you to set the domain used by your
session cookie (I think it changed to :domain for 2.3).

> One thing that I noted, though, is that these apps are also providing a
> :secret to protect_from_forgery, and the number is different from the number
> passed to the :secret on config.action_controller.session[:secret].
>
> What I would like to know is, if I'm setting the secret in
> config.action_controller.session, do I need to pass it to
> protect_from_forgery? Or are they secrets of different nature?

The two are mostly unrelated if my memory is correct.

Fred
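The cookie-scope point from the reply above, as an added example that is neither from the thread nor from Rails: the domain-matching rule of RFC 6265 section 5.1.3, which is what decides whether the browser sends the cookie set by app1.example.com to app2.example.com. A cookie without a Domain attribute is host-only and only returns to the exact host that set it, which is why each app ends up minting its own session. The host names, the `_apps_session` header line and the function names are constructed for the demonstration.

```ruby
# Added example: how the cookie's Domain attribute decides which hosts receive
# the session cookie. Implements the domain-match rule of RFC 6265 section 5.1.3
# (simplified: IP-address hosts and the public-suffix check are left out).

# A leading dot, as in a Rails 2.x :session_domain => '.example.com' setting,
# is ignored by the rule; browsers treat 'example.com' and '.example.com' alike.
def domain_match?(request_host, cookie_domain)
  host   = request_host.downcase
  domain = cookie_domain.downcase.sub(/\A\./, '')
  host == domain || host.end_with?('.' + domain)
end

# Without a Domain attribute the cookie is host-only and goes back solely to
# the exact host that set it; with one, every host under that domain gets it.
def cookie_sent_to?(request_host, setting_host, cookie_domain = nil)
  return request_host.downcase == setting_host.downcase if cookie_domain.nil?
  domain_match?(request_host, cookie_domain)
end

# The Set-Cookie line a session store would emit in each configuration
# (attribute layout constructed for illustration).
def set_cookie_header(value, domain = nil)
  header = "_apps_session=#{value}; path=/; HttpOnly"
  domain ? "#{header}; domain=#{domain}" : header
end

# Constructed hosts: two apps, a deeper subdomain, a look-alike and an unrelated site.
HOSTS = %w[app1.example.com app2.example.com api.app2.example.com
           evil-example.com example.org].freeze

# Which hosts receive a cookie set by app1.example.com, host-only vs. shared domain.
def domain_demo
  {
    :host_only => HOSTS.map { |h| [h, cookie_sent_to?(h, 'app1.example.com')] }.to_h,
    :shared    => HOSTS.map { |h| [h, cookie_sent_to?(h, 'app1.example.com', '.example.com')] }.to_h
  }
end
```

Two caveats that follow from the rule. First, `domain=.example.com` widens the cookie to every host under example.com, including ones not running your apps, and any such host can also set a cookie named `_apps_session` for the parent domain (cookie tossing); so only use a shared session domain when every subdomain is trusted. Second, once the apps share both the domain and the `:secret`, a compromise of any one of them is a compromise of every user's session on all of them, which is worth weighing before sharing the session at all.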