Modifying the session cookie domain

Dear list,

the Rails app, I'm currently working on will run on more than one domain (e.g.
example.com and example.org) and uses subdomains for different projects. To
implement cross-project logins, I'd like the session cookie to cover the
whole current domain (e.g. .example.com if somebody visits foo.example.com or
bar.example.com, but .example.org if somebody visits foo.example.org).

I know how to configure the session cookie application-wide (by using the
session() class method in a controller), but how can I modify the session
cookie settings for each request? There doesn't seem to be instance methods
to do so.

I don't think that modifying global settings in an action (like
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(...) ) is a good
idea. It probably works in a development environment, but I suppose it will
break when running in a production environment (where classes are not
reloaded and class methods may affect other more than one request).

Somewhere on the web, I found a posting that recommended to override the
_session_id cookie by setting it via cookies['_session_id'] = { ... }.
However this did not work for me - the result contained an HTTP header with
two _session_id cookies (one from the session plus the one I created
manually, both having the same cookie name)

I'd appreciate any ideas :slight_smile:

regards,
Andreas Neuhaus

All the option symbols for setting cookies are:

:
:

maybe it's possible to get around the problem using the options expires
(setting some session functionette..?) and domain.
not sure if this may remotely help, but if it does, ...

Unfortunately that doesn't help. I need to modify session options within an
action. It looks like this is not (directly) supported by rails.

I tried to modify request.session_options in a before_filter, but that didn't
work. I suppose these session_options are only used when rails creates the
session object and within an action, the session object does already exist.

And as told in my last posting, I don't like the idea to modify
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS, because I'm concerned
about creating a race condition in production environments (where those
default options are shared among multiple requests)

However, this morning I found a way that works for me. I used the :if
parameter of the class method session() to modify the session_domain
depending on the current request:

DOMAINS = ['example.com', 'example.org'].freeze

DOMAINS.each do |domain|
  session :session_domain => ".#{domain}", :if => lambda { |request|
request.host.dup.chomp!(domain) }
end

This looks a bit complicated, but seems to be the only clean way.

regards,
Andreas Neuhaus