Share session between two rails4 applications

既然无缘 2021-01-16 08:01

I am creating an application with Devise. There are two domain names, 1) www.test.com and 2) www.hello.com, both pointing to the same application, so I want to share session(c

2 answers
  • 2021-01-16 08:44

    The basic issue here is the way in which cookies work (which of course sessions depend on). A cookie has a domain attribute and browsers only send cookies whose domain matches the request host (there's a little bit of subtlety about the meaning of a period at the start of the domain).

    Furthermore, when setting a cookie, browsers will only accept a domain that is a parent domain of the current domain and which is not a public domain. For example, if you are receiving a response from www.example.com it can set cookies for www.example.com or example.com, but not .com (browsers have a list of which domain names shouldn't be allowed).

    All this to say that if your two apps don't share a common parent (as it is in your case) then you can't share cookies and thus you can't share a rails session.

    There are many ways to deal with this; a simple one is known as the CAS (Central Authentication Service) protocol. The basic flow with this is:

    1. User goes to hello.com and tries to access some protected resource (e.g. /home)
    2. User is redirected to sso.example.com/service?=http://hello.com/home
    3. The user's identity is verified here as usual: the user either logs in, is recognised from a cookie etc.
    4. The SSO service generates a ticket (an arbitrary token) and redirects the user to `http://hello.com/home?ticket=ABC123`
    5. The application at hello.com makes a (server side) request back to the SSO server, passing the ticket
    6. The SSO server responds indicating whether the ticket is valid. If the ticket is valid it will also include some information about the user (e.g. email)
    7. hello.com sets a session cookie so that subsequent requests can skip steps 2-6

    There are Ruby implementations of CAS (e.g. rubycas, which has both a CAS client and server) and Devise strategies that use CAS. There are of course other ways you can do this, for example using OAuth, but CAS is somewhat simpler.

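The ticket exchange in steps 4 to 7, as an added example that is not code from the answer, from rubycas or from any real CAS implementation: two hypothetical Ruby classes model the SSO side issuing a single-use, service-bound, expiring ticket and the hello.com side validating it with a server-side call before setting its own session. The class names, the `ST-` ticket prefix and the 60-second lifetime are assumptions.

```ruby
require 'securerandom'

# Hypothetical model of the CAS ticket exchange (not rubycas or real CAS code).
# The SSO side mints a short-lived, single-use ticket bound to the service URL
# it was requested for; the service redeems it with a server-side call (step 5).
class SsoServer
  TICKET_TTL = 60 # seconds a ticket stays valid (assumed value)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @tickets = {} # ticket => { service:, user:, expires_at: }
  end

  # Step 4: after the user authenticated at the SSO, mint a ticket for the
  # service URL the user came from and return the redirect target.
  def issue_ticket(service_url, user_email)
    ticket = "ST-#{SecureRandom.urlsafe_base64(24)}"
    @tickets[ticket] = { service: service_url, user: user_email,
                         expires_at: @clock.call + TICKET_TTL }
    "#{service_url}?ticket=#{ticket}"
  end

  # Step 6: a ticket is accepted only once, only for the service it was
  # issued to, and only before it expires. Rejected tickets are also consumed.
  def validate(service_url, ticket)
    entry = @tickets.delete(ticket)
    return nil if entry.nil?
    return nil unless entry[:service] == service_url
    return nil if @clock.call > entry[:expires_at]
    { email: entry[:user] }
  end
end

class ServiceApp
  attr_reader :session

  def initialize(own_url, sso)
    @own_url = own_url
    @sso = sso
    @session = {}
  end

  # Steps 5 and 7: on /home?ticket=..., ask the SSO server whether the ticket
  # is good for this service and, if so, establish the local session.
  def handle_callback(ticket)
    user = @sso.validate(@own_url, ticket)
    return false if user.nil?
    @session[:user_email] = user[:email]
    true
  end
end
```

Because the ticket is bound to the service URL and deleted on first use, a ticket captured from the redirect cannot be replayed against hello.com or redeemed by a different service.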
  • 2021-01-16 08:59

    Rails maintains a cookie which gets passed to the server during every HTTP request. Please check the request headers in your network logs.

    You will see something like this

    Cookie: some-junk-looking-session-data
    

    So sharing a session between two entirely different Rails applications is a security issue and Rails doesn't allow this kind of behaviour.

    However, there is an exception. A session can be shared if just the TLD changes, e.g. hello.com & hello.org.

    YourApp::Application.config.session_store :cookie_store,
      key: '_app_session',
      domain: :all
    

    References:

    https://github.com/rails/rails/commit/1091a6e9b700bd713c8a6818761a27aa72b1fe93
