Cross domain sessions

Hi there,

I am wondering if anyone can help me. I've come across a bit of a sticky problem. I'm currently running a Facebook application which takes payment from users. In order to take payment securely we've had to break out of our app, for example from http://apps.facebook.com/<ourapplication> to https://facebook.ourapplication.com/payments/create.

Once the payment is created and there's no need for https anymore we push the user back into Facebook to continue using the app. Ideally we'd do everything inside Facebook, but that isn't possible. Unfortunately this means we're generating flash messages on the secure pages and redirecting to a different domain, which means our flashes don't travel across both domains, and we get no flash message on return. Equally, when we return to the payment page a second time the confirmation flash appears, as it's the first hit on the original domain since we stored the flash. This all makes sense, but we need a workaround.

Is there any way to store session data and maintain state other than in cookies? Do you still require cookies even if you use ActionRecord::SessionStore? I was under the impression some other unique identifier could be determined from your browser build, time of first page access or something, OS, and stored along with the session data in the database rather than a unique identifier stored in a cookie. This might be me being deluded, however, and be utter rubbish.

Any ideas on how to solve this problem?

Many thanks

RobL
http://www.robl.me

Rob Lacey wrote:
[...]

> Is there any way to store session data and maintain state other than in
> cookies?

URL parameters or hidden form fields, perhaps? Of course, these
approaches may be subject to session fixation attacks.

> Do you still require cookies even if you use
> ActionRecord::SessionStore?

You mean the DB session store? I'm not sure. Probably, though, because
how else would it know which DB record to look up?

> I was under the impression some other unique
> identifier could be determined from your browser build, time of first
> page access or something, OS, and stored along with the session data in
> the database rather than a unique identifier stored in a cookie. This
> might be me being deluded, however, and be utter rubbish.

Well, if you can't get the cookie, then you'll have to start all over,
and the time of first page access will be different, so this won't do
the trick.

I'm surprised, however, that this is a problem in the first place. I
know that when I was processing payments with PayPal, I never had a
session issue.

Best,
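As an added illustration of the URL-parameter approach suggested above (this is example code, not from either poster or from Rails itself), the following Ruby module carries only the flash message across the domain boundary, as a signed token that expires after a couple of minutes. Because the session id never leaves the cookie, nothing in the redirect URL can be used to fix or replay a session, which is the fixation concern raised in the reply. The module name, the secret, the TTL and the sample messages are all assumptions made for this example; each domain's normal cookie-based session stays untouched.

```ruby
require "openssl"
require "json"
require "securerandom"
require "uri"

# Hypothetical helper (not part of the thread or of Rails): moves a one-shot
# flash message between two domains inside the redirect URL as a signed,
# expiring token. Only the message travels, never the session identifier,
# so the token cannot be used to fix or hijack a session on either side.
module CrossDomainFlash
  # Both domains must share this secret; in a real deployment it comes from
  # the environment, the fallback here is a constructed demo value.
  SECRET = ENV.fetch("CROSS_DOMAIN_FLASH_SECRET", "constructed-demo-secret")
  TTL = 120 # seconds a token stays valid

  # Build a token for +message+. +now+ is injectable so tests are deterministic.
  def self.encode(message, now: Time.now.to_i, secret: SECRET)
    payload = { "msg" => message, "exp" => now + TTL, "nonce" => SecureRandom.hex(8) }
    body = b64url(JSON.generate(payload))
    "#{body}.#{sign(body, secret)}"
  end

  # Return the message carried by +token+, or nil if the signature is wrong,
  # the token is malformed, or it has expired. Never raises on bad input.
  def self.decode(token, now: Time.now.to_i, secret: SECRET)
    return nil unless token.is_a?(String)
    body, sig = token.split(".", 2)
    return nil if body.nil? || sig.nil?
    return nil unless constant_time_equal?(sig, sign(body, secret))
    payload = JSON.parse(b64url_decode(body))
    return nil unless payload["exp"].is_a?(Integer) && payload["exp"] > now
    payload["msg"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Append the token to the return URL on the other domain.
  def self.redirect_url(base_url, message, now: Time.now.to_i)
    "#{base_url}?#{URI.encode_www_form(flash: encode(message, now: now))}"
  end

  # HMAC-SHA256 over the encoded body, base64url without padding.
  def self.sign(body, secret)
    b64url(OpenSSL::HMAC.digest("SHA256", secret, body))
  end

  # Compare two strings without leaking where they differ through timing.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.b64url(str)
    [str].pack("m0").tr("+/", "-_").delete("=")
  end

  # Restore padding, then strict-decode (raises ArgumentError on garbage).
  def self.b64url_decode(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m0")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Secure side: payment created, send the user back with the message.
  url = CrossDomainFlash.redirect_url("http://apps.facebook.com/ourapplication", "Payment created")
  puts url
  # App side: pull the token out of the query string and show the flash once.
  token = URI.decode_www_form(URI(url).query).to_h["flash"]
  puts CrossDomainFlash.decode(token).inspect
end
```

On the receiving domain, read the `flash` parameter, call `decode`, set the message into that domain's own flash, and redirect once more to strip the parameter from the address bar so a bookmarked or re-visited URL does not re-trigger it; the short TTL limits how long a copied URL could be replayed.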