Modifying the session cookie domain

Dear list,

The Rails app I'm currently working on will run on more than one domain (e.g. example.com and example.org) and uses subdomains for different projects. To implement cross-project logins, I'd like the session cookie to cover the whole current domain (e.g. .example.com if somebody visits foo.example.com or bar.example.com, but .example.org if somebody visits foo.example.org).

I know how to configure the session cookie application-wide (by using the session() class method in a controller), but how can I modify the session cookie settings for each request? There don't seem to be instance methods to do so.

I don't think that modifying global settings in an action (like ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(...) ) is a good idea. It probably works in a development environment, but I suppose it will break when running in a production environment (where classes are not reloaded and class methods may affect more than one request).

Somewhere on the web, I found a posting that recommended overriding the _session_id cookie by setting it via cookies['_session_id'] = { ... }. However, this did not work for me - the result contained an HTTP header with two _session_id cookies (one from the session plus the one I created manually, both having the same cookie name).

I'd appreciate any ideas :)

regards, Andreas Neuhaus

All the option symbols for setting cookies are:

: :

Maybe it's possible to get around the problem using the options expires (setting some session functionette..?) and domain. Not sure if this may remotely help, but if it does, ...

Unfortunately, that doesn't help. I need to modify session options within an action. It looks like this is not (directly) supported by Rails.

I tried to modify request.session_options in a before_filter, but that didn't work. I suppose these session_options are only used when Rails creates the session object, and within an action the session object already exists.

And as I said in my last posting, I don't like the idea of modifying ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS, because I'm concerned about creating a race condition in production environments (where those default options are shared among multiple requests).

However, this morning I found a way that works for me. I used the :if parameter of the class method session() to modify the session_domain depending on the current request:

DOMAINS = ['example.com', 'example.org'].freeze

# chomp! returns nil unless the host ends with this domain
DOMAINS.each do |domain|
  session :session_domain => ".#{domain}",
          :if => lambda { |request| request.host.dup.chomp!(domain) }
end

This looks a bit complicated, but seems to be the only clean way.

regards, Andreas Neuhaus
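
An added example, not part of the original thread: the per-request choice of session cookie domain written as a plain Ruby function, with an allow-list match on a label boundary next to the plain suffix test from the post. The helper names and the sample hosts are constructed for illustration; only DOMAINS comes from the post.

```ruby
# Added example; helper names are hypothetical. DOMAINS mirrors the post.
DOMAINS = ['example.com', 'example.org'].freeze

# Normalise a Host header value: lower-case, drop the port and a trailing dot.
def normalize_host(host)
  host.to_s.strip.downcase.sub(/:\d+\z/, '').chomp('.')
end

# Return the session cookie domain (e.g. ".example.com") for a request host,
# or nil when the host is not on the allow-list, so the caller can leave the
# cookie host-only instead of widening it.
def cookie_domain_for(host, domains = DOMAINS)
  h = normalize_host(host)
  # Match the bare domain or a subdomain; the leading dot enforces a label
  # boundary, so "notexample.com" does not count as "example.com".
  match = domains.find { |d| h == d || h.end_with?(".#{d}") }
  match && ".#{match}"
end

# The matching rule from the post: plain string suffix, no label boundary,
# no normalisation of case or port.
def suffix_match(host, domains = DOMAINS)
  match = domains.find { |d| host.dup.chomp!(d) }
  match && ".#{match}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Host values.
  samples = ['foo.example.com', 'Bar.Example.ORG:3000', 'example.com.',
             'notexample.com', 'example.com.other.test']
  samples.each do |h|
    puts format('%-24s boundary=%-16s suffix=%s',
                h, cookie_domain_for(h).inspect, suffix_match(h).inspect)
  end
end
```
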