Set up cookies key on a request basis

Hi there o/

I’ve been struggling a bit with sessions / subdomains on IE, came up with a hack and wonder if that’s something that would make sense on rails core itself.

In case you’re not familiar:

IE behaves different from other browsers in that it seems to read cookies from the top level domain while other browsers only read cookies from the exact same base url, for example:

  • Generate a default new rails app then rails g scaffold posts
  • Put anything in the session on posts#index, e.g. session[:check] = 'lol'
  • Print the value on the view posts/index.html.erb, e.g. <%= session[:check] %>
  • Visit to set the session.
  • Reload the page at will. You should see the value printed.
  • Visits and you shouldn’t see the value printed.

Go through the steps above on Firefox and IE and you should see that the value set in is also persisted on I think this might be cool for many apps but sometimes you really do not want to share session among subdomains.

After some reading on rails / rack request classes I found this comment on rack saying you can set the session service options on a request basis. But it seems to be out dated / no longer valid unless I misunderstood it. Plus I couldn’t find any clear way to set the session cookie key on a request basis.

The current hack is here Set CookieStore key on a request basis · GitHub

Is that something you think it’s worth having in rails core? I mean a documented way to set cookie store keys on a request basis. I’m aware one can get around the issue by forcing users to “www.domain.*” but it feels like we could also handle it without forcing to “www”.

I couldn’t find any previously related topics here or on github rails issues so sorry if this has been discussed. Feedback much appreciated thanks.