If I access the same Rails app from different domain names, can they all share the same session?

At the moment, domain1.com and domain2.com seem to have their own sessions even though they point to the same Rails app. Can I change this?

thanks
alan
On Apr 3, 2005 12:10 AM, Alan Bullock <liststuff-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> if I access the same rails app from different domain names, can they
> all share the same session?
>
> at the moment, domain1.com and domain2.com seem to have their own
> sessions even though they point to the same rails app. Can i change
> this?

Yes and no. No because Rails tracks sessions using cookies, and cookies can't cross domains, it's a security thing. Yes, because if you hack things around you might be able to craft links that pass the session id between domains, but don't ask me how.

--
Phillip Hutchings
http://www.sitharus.com/
sitharus-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org / sitharus-QrR4M9swfipWk0Htik3J/w@public.gmane.org
Hi!

On Sun, 03 Apr 2005, Phillip Hutchings wrote the following:
> No because Rails tracks sessions using cookies, and cookies can't
> cross domains, it's a security thing.

hmm, that's not true, there's a class 'ActiveRecordStore' in /lib/action_controller/session/active_record_store.rb

-----
# Active Record database-based session storage class.
#
# Implements session storage in a database using the ActiveRecord ORM library. Assumes that the database
# has a table called +sessions+ with columns +id+ (numeric, primary key), +sessid+ and +data+ (text).
# The session data is stored in the +data+ column in the binary Marshal format; the user is responsible for ensuring that
# only data that can be Marshaled is stored in the session.
#
# Adding +created_at+ or +updated_at+ datetime columns to the sessions table will enable stamping of the data, which can
# be used to clear out old sessions.
#
# It's highly recommended to have an index on the sessid column to improve performance.
-----

so you'll have to find out how to use that and then bind your users to such a stored session...

bye
Wolfgang
On 4.4.2005, at 15:46, Wolfgang Klinger wrote:
>
> Hi!
>
> On Sun, 03 Apr 2005, Phillip Hutchings wrote the following:
>> No because Rails tracks sessions using cookies, and cookies can't
>> cross domains, it's a security thing.
>
> hmm, that's not true, there's a class 'ActiveRecordStore' in
> /lib/action_controller/session/active_record_store.rb

What do you mean is not true? Rails sure uses cookies to implement sessions. active_record_store is just one way to store your session data. But there must be a way to identify the session user is surfing on, and that's where cookies are needed. Otherwise the session id would have to be part of the url (à la Amazon), which I at least find a lot worse a method considering the user experience.

It's the way cookies work that makes it impossible to share cookies between domains. Browser only returns the cookie to the same server where it came from.

//jarkko

--
Jarkko Laine
http://jlaine.net
http://odesign.fi

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
Greetings

On Apr 4, 2005 8:46 AM, Wolfgang Klinger <wolfgang-qRyVSpHmpvQsV2N9l4h3zg@public.gmane.org> wrote:
> On Sun, 03 Apr 2005, Phillip Hutchings wrote the following:
> > No because Rails tracks sessions using cookies, and cookies can't
> > cross domains, it's a security thing.
>
> hmm, that's not true, there's a class 'ActiveRecordStore' in
> /lib/action_controller/session/active_record_store.rb

Wolfgang,

While your suggestion would help if the domain names were the same, this would not help in a situation where he wanted to share sessions between site1.com and site2.com. Since Rails uses cookies to store the session ID with the user, once the user browses from site1.com to site2.com, he/she will be issued a new session id. Cookies are required to be bound to a domain name.

One solution (I'm not sure how easy it would be to implement within rails or if rails has support for it already) would be to pass the sessionId to site2.com from site1.com in the URL. This would make for an ugly URL, but would only be necessary for that one transition.

Regards,
-JD-
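To make the point Jarkko and JD are making concrete, here is an added Ruby example (not code from anyone in the thread or from Rails) that models the browser-side rule deciding whether a stored session cookie is attached to a request. It implements the domain-matching rule of RFC 6265 section 5.1.3; the cookie name, session id and hostnames are constructed sample values, and the scenario assumes the server set the cookie without a Domain attribute, which makes it host-only.

```ruby
# Added example: why a session cookie issued by domain1.com is never sent to
# domain2.com. Models RFC 6265 section 5.1.3 domain matching over constructed data.

# A cookie as the browser stores it: the domain it is scoped to and whether it
# is host-only (the server sent no Domain attribute).
Cookie = Struct.new(:name, :value, :domain, :host_only)

# RFC 6265 5.1.3: a request host domain-matches a cookie domain if they are
# identical, or the host ends with "." + domain and the host is not an IP literal.
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  dom  = cookie_domain.downcase
  return true if host == dom
  return false if host =~ /\A\d{1,3}(\.\d{1,3}){3}\z/ # IPv4 literals never domain-match
  host.end_with?(".#{dom}")
end

# Would the browser attach this cookie to a request for request_host?
def cookie_sent?(cookie, request_host)
  if cookie.host_only
    request_host.downcase == cookie.domain.downcase
  else
    domain_match?(request_host, cookie.domain)
  end
end

# Evaluate one cookie against every hostname the same app is reachable under.
def session_sent_to(cookie, hosts)
  hosts.map { |h| [h, cookie_sent?(cookie, h)] }.to_h
end

# Constructed sample: a session cookie set by domain1.com with no Domain
# attribute, so the browser stores it as host-only for domain1.com.
SESSION_COOKIE = Cookie.new("_session_id", "c0ffee", "domain1.com", true)

if __FILE__ == $0
  p session_sent_to(SESSION_COOKIE, %w[domain1.com www.domain1.com domain2.com])
  # An explicit Domain=domain1.com widens the scope to subdomains only, never to domain2.com.
  wide = Cookie.new("_session_id", "c0ffee", "domain1.com", false)
  p session_sent_to(wide, %w[domain1.com www.domain1.com domain2.com])
end
```

The second run shows the most a Domain attribute can buy: subdomains of one registrable domain share the cookie, but two unrelated domains never do, which is why the app sees two separate sessions no matter which session store is configured.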