stackoom
  简体   繁体   中英

Share session between two rails4 applications

 原文  2015-03-28 07:36:47       ruby-on-rails/ ruby/ ruby-on-rails-4/ devise

Question

I am creating a application with devise. there is two domain name 1) www.test.com and 2) www.hello.com both domain pointing to same application. so I want to share session(current_user) between both app. user will login on (1) and it should access on domain(2).

Please suggest what's the best way todo it.

2 answers

solution1
 8 ACCPTED  2015-03-28 10:12:18

The basic issue here is the way in which cookies work (which of course sessions depend on). A cookie has a domain attribute and browsers only send cookies whose domain match the request host (there's a little bit of subtlety of the meaning of a period at the start of the domain)

Furthermore, when setting a cookie, browsers will only accept a domain that is a parent domain of the current domain and which is not a public domain). For example if you are receiving a response from www.example.com it can set cookies for www.example.com or example.com , but not .com (Browsers have a list of which domain names shouldn't be allowed).

All this to say that if your two apps don't share a common parent (as it is in your case) then you can't share cookies and thus you can't share a rails session.

There are many ways to deal with this, a simple one is known as CAS (Central Authentication Service) protocol. The basic flow with this is

  1. User goes to hello.com and tries to access some protected resource (eg /home
  2. User is redirected to sso.example.com/service?=http://hello.com/home
  3. The user's identity is verified here as usual: the user either logs in, is recognised from a cookie etc.
  4. The sso service generates a ticket (an arbitary token) and redirects the user to ` http://hello.com/home?ticket=ABC123
  5. The application at hello.com makes a (server side) request back to the SSO server, passing the ticket
  6. The SSO server responds indicating whether the ticket is valid. If the ticket is valid it will also include some information about the user (eg email)
  7. hello.com sets a session cookie so that subsequent requests can skip steps 2-6

There are ruby implementations of cas (eg rubycas which has both a cas client and server) and devise strategies that use CAS. There are of course other ways you can do this, for example using oath, but CAS is somewhat simpler.

solution2
 1  2015-03-28 07:46:27

Rails maintain cookie which gets passed on to the server during every HTTP request. Please check the request headers under your network logs

You will see something like this

Cookie: some-junk-looking-session-data

So sharing session between two entirely different rails application is a security issue and rails don't allow this kind of behaviour.

However, there is an exception. A session can be shared if just the TLD changes. Eg: hello.com & hello.org .

YourApp::Application.config.session_store :cookie_store,
  key: '_app_session',
  domain: :all

References:

https://github.com/rails/rails/commit/1091a6e9b700bd713c8a6818761a27aa72b1fe93

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Share a session between two web applications in device Sharing session data between two applications (Rails) How to share tables between two separate ruby on rails applications? Rails: is it possible to share session between two apps with two different databases? Share Devise session cookie between two Rails apps of different versions Share testing data between 2 rails applications Share session between a Rails 4 and a Rails 5 app How do I share a layout and assets between two separate rails applications? Share session (cookies) between subdomains in Rails? Share session between phpBB and a rails app
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM