Rails and Merb session key and secret

NY1 · January 31, 2010, 9:51pm

Hi,

I have two apps, one in Rails, and one in Merb. Both use cookie based session store, and are in the same domain. I set the session key and secret to be exactly the same in both apps, but they don't seem to get the session data of each other.

When I try to print the cookies in each of them, I see that in the cookies hash the value to the session key are different, for example:

one can be:

{"_portal_session"=>"BAh7CDDOh5IYXNoV2l0aEluZGNjZXNzewgiC2FjdGlvbiIJc2hvdyIHaWQiEGZvb2JhcmNsb3duIg9jb250cm9sbGVyIgp1c2VyczoQX2NzcmoNbG9jYXRpb25ZfdG9rZW4iMVRTeDVtNnZ0bXJIUHFxd3ZzZG4vc1V0VGRJTGFYMEIxTGhieTBlmZmVyZW50QWDMjRQV1U9Og9zZXNzaW9uX2lkIiUxYTc2OWY0OWQ5OWFmNDJmYTRlMTkxNzRjYjNhNzgxYQ==--5bddbee8dffa3a496426dba8e77cd46279d75726", "_chartbeat"=>"ev0903n9acks6ac4", "logged-in-username"=>""}

while the other have the same key "_portal_session" with a completely different value.

And I suspect this is the cause for not being able to share session between the two. Is there a way to solve this problem?

Thanks.

Frederick_Cheung · February 1, 2010, 8:18am

Hi,

I have two apps, one in Rails, and one in Merb. Both use cookie based session store, and are in the same domain. I set the session key and secret to be exactly the same in both apps, but they don't seem to get the session data of each other.

In the same domain (ie rails.example.com & merb.example.com) or actually using the same hostname. If the former then you need to set the session domain to be a common suffix of the two (ie example.com) in this example.

Fred

NY1 · February 2, 2010, 12:55am

Although in the future they will probably be in two different sub domains, currently I'm experimenting both under localhost, with different ports.

And another interesting problem is that, though the two apps are not reading each others' session data, setting the session key and secret to be the same affects both. For example, after logging into the Rails app, go to the Merb one and log in, and go back to the Rails one and it's no logger logged in (same for the other direction). It appears to be that both apps try to overwrite the session, but may not necessarily be the case.

Any ideas?

Frederick_Cheung · February 2, 2010, 8:34am

Although in the future they will probably be in two different sub domains, currently I'm experimenting both under localhost, with different ports.

And another interesting problem is that, though the two apps are not reading each others' session data, setting the session key and secret to be the same affects both. For example, after logging into the Rails app, go to the Merb one and log in, and go back to the Rails one and it's no logger logged in (same for the other direction). It appears to be that both apps try to overwrite the session, but may not necessarily be the case.

Do Rails/Merb even store session data in the same way ?

Fred

NY1 · February 4, 2010, 1:58am

After looking at Rails and Merb's source code, I almost sure they store session data in the same way (but not verified with any official source).

One important thing I might forget to mention is that the session data in the two apps are not exactly the same. Something stores in the session of one may not be in the session of the other. Will this cause the failure of sharing session between the two, assuming they store sessions in the same way?