Re-using session data over different domain names

Hi,

I am having a hard time here.

I will be managing different websites, let's say: www.site1.com and www.site2.com

When a user wants to log in to one of these sites, he will be redirected to: https://site1.com.mainsite.com

Once he successfully gives his credentials, I want him to get redirected to www.site1.com

I would like to use cookie session store.

The problem is that when he gets redirected, he still is an anonymous user. This is because when he logs in at site1.com.mainsite.com, the session gets set for site1.com.mainsite.com and not for www.site1.com

Do you know of a solution around that or is it impossible to solve?

I wanted to set session[:domain] but I get a request forgery error.

Fernando Perez wrote:

> I will be managing different websites, let's say: www.site1.com and www.site2.com
>
> When a user wants to log in to one of these sites, he will be redirected to: https://site1.com.mainsite.com
>
> Once he successfully gives his credentials, I want him to get redirected to www.site1.com
>
> I would like to use cookie session store.
>
> The problem is that when he gets redirected, he still is an anonymous user. This is because when he logs in at site1.com.mainsite.com, the session gets set for site1.com.mainsite.com and not for www.site1.com
>
> Do you know of a solution around that or is it impossible to solve?
>
> I wanted to set session[:domain] but I get a request forgery error.

You could use an iframe so that the login is made in mainsite.com's cookie domain.

Or your redirect could include username and password parameters, suitably hashed and/or encrypted.

Crap, by lying back, I just figured out that what I am trying to do is a kind of XSS attack.

> Or your redirect could include username and password parameters, suitably hashed and/or encrypted.

I like this idea very much. Thank you for the tip.
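
One way to do the redirect hand-off suggested in this thread, as an added example that is not code from any of the posters: instead of the username and password, the login host puts a short-lived, single-use, HMAC-signed token naming the user and the destination host into the redirect URL, and the destination verifies it before setting its own session. The module name, the shared secret, the token layout and the 60-second lifetime are all assumptions.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"
require "set"

# Added example: signed login hand-off token for a cross-domain redirect.
module LoginHandoff
  SECRET = "constructed-demo-secret-shared-by-both-hosts" # assumption: real key comes from config
  TTL    = 60      # assumption: seconds a token stays valid
  SEEN   = Set.new # used nonces; in-memory here, a shared store in a real deployment

  def self.sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end

  # Login host (site1.com.mainsite.com): call after the password check succeeds.
  def self.issue(user_id, target_host, now = Time.now.to_i)
    data = { "uid" => user_id, "host" => target_host,
             "exp" => now + TTL, "nonce" => SecureRandom.hex(16) }
    payload = Base64.urlsafe_encode64(JSON.generate(data))
    "#{payload}.#{sign(payload)}"
  end

  # Constant-time comparison so the MAC check does not leak matching prefixes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Destination (www.site1.com): returns the user id, or nil if the token is
  # forged, expired, minted for another host, or already used.
  def self.redeem(token, this_host, now = Time.now.to_i)
    payload, mac = token.to_s.split(".", 2)
    return nil unless payload && mac && secure_equal?(sign(payload), mac)
    data = JSON.parse(Base64.urlsafe_decode64(payload))
    return nil unless data["host"] == this_host && now <= data["exp"]
    return nil unless SEEN.add?(data["nonce"]) # nil when the nonce was seen before
    data["uid"]
  end
end
```

The token travels in the URL, so it can end up in server logs and Referer headers; the short lifetime and the single-use nonce limit what a captured copy is worth.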