We're working on an on-line store app where the user picks items to buy in a non-secure area, and then submits their order details in a secure area (https://) that has a different domain name, but is the same physical server.

Is there an easy way to preserve sessions across that jump to the other domain?

Phil
On 12/2/05, Philip Edelbrock <phil-RqHDiG/X+WF8uvyFNTHIBg@public.gmane.org> wrote:

> We're working on an on-line store app where the user picks items to
> buy in a non-secure area, and then submits their order details in a
> secure area (https://) that has a different domain name, but is the
> same physical server.
>
> Is there an easy way to preserve sessions across that jump to the
> other domain?

Since the session is tied to a cookie, probably not. This is just a guess since I haven't looked closely at how Rails sessions work in detail, but you could probably grab the session id from the cookie and pass it to the other site, which could then use that id to get the session object and copy whatever variables you need. You are probably far better off not doing that, though, and just having the whole order process on the same domain.

Chris
Philip Edelbrock wrote:

> We're working on an on-line store app where the user picks items to
> buy in a non-secure area, and then submits their order details in a
> secure area (https://) that has a different domain name, but is the
> same physical server.
>
> Is there an easy way to preserve sessions across that jump to the
> other domain?

Depending on what you mean by other domain. It's possible to share cookies (and thus cookie-based sessions) between, for example, secure.company.tld and www.company.tld. But it's not possible to share them between first.tld and second.tld. These restrictions are due to security reasons (so that cookies can't be read by other Web sites) and are defined in RFC 2109. http://www.w3.org/Protocols/rfc2109/rfc2109

I strongly recommend using the same domain for the whole site - it gets very complicated otherwise. What is your motivation for not using the same domain?

Regards,
Patrice
Patrice Neff wrote:

> These restrictions are due to security reasons (so that cookies
> can't be read by other Web sites) and are defined in RFC 2109.
> http://www.w3.org/Protocols/rfc2109/rfc2109

Correction: the current RFC for that is 2965, which obsoletes 2109. http://www.ietf.org/rfc/rfc2965.txt

Patrice
On Dec 2, 2005, at 10:35 PM, Patrice Neff wrote:

> Philip Edelbrock wrote:
>
>> We're working on an on-line store app where the user picks items to
>> buy in a non-secure area, and then submits their order details in
>> a secure area (https://) that has a different domain name, but is
>> the same physical server.
>>
>> Is there an easy way to preserve sessions across that jump to the
>> other domain?
>
> Depending on what you mean by other domain. It's possible to share
> cookies (and thus cookie-based sessions) between, for example,
> secure.company.tld and www.company.tld. But it's not possible to
> share them between first.tld and second.tld. These restrictions are
> due to security reasons (so that cookies can't be read by other Web
> sites) and are defined in RFC 2109.
> http://www.w3.org/Protocols/rfc2109/rfc2109
>
> I strongly recommend using the same domain for the whole site - it
> gets very complicated otherwise. What is your motivation for not
> using the same domain?

Oh, we're doing "www.myhappydomain.com" and "secure.myhappydomain.com" (making up the domain, don't bother looking it up ;'), so it's the same domain technically (and same IP). We use different names for legacy and technical reasons (don't ask).

Still though, I've used other environments in the past which just pass the session ID across as a submit (GET or POST) and it automagically preserves the session. I couldn't find an easy way to do that in Rails?

Thanks!

Phil
Philip Edelbrock wrote:

> Oh, we're doing "www.myhappydomain.com" and
> "secure.myhappydomain.com" (making up the domain, don't bother
> looking it up ;'), so it's the same domain technically (and same
> IP). We use different names for legacy and technical reasons (don't
> ask).
>
> Still though, I've used other environments in the past which just
> pass the session ID across as a submit (GET or POST) and it
> automagically preserves the session. I couldn't find an easy way to
> do that in Rails?

You can change the cookie options by setting parameters of ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS. According to http://wiki.rubyonrails.com/rails/pages/HowtoChangeSessionOptions the key for setting the domain is "session_domain". So try the following code in your production environment (environments/production.rb):

    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")

Please tell me if this works.

Regards,
Patrice Neff
Phil,

What you need is to set the Rails session cookie to .myhappydomain.com instead of the default myhappydomain.com. You should do this anyway, as you would want to preserve the sessions regardless of whether the user types your domain with www or without.

Put the following code in conf/environments/production.rb:

    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => '.myhappydomain.com')

HTH,
Zsombor

--
Company - http://primalgrasp.com
Glu4You - http://suprglu.com
Thoughts - http://deezsombor.blogspot.com

Philip Edelbrock wrote:

> Oh, we're doing "www.myhappydomain.com" and "secure.myhappydomain.com"
> (making up the domain, don't bother looking it up ;'), so it's the same
> domain technically (and same IP). We use different names for legacy
> and technical reasons (don't ask).
>
> Still though, I've used other environments in the past which just pass
> the session ID across as a submit (GET or POST) and it automagically
> preserves the session. I couldn't find an easy way to do that in Rails?
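Added example, not code from the thread or from Rails: a small Ruby model of the cookie rules Patrice and Zsombor rely on, showing which hosts a session cookie reaches with the Rails default scope versus a `session_domain` of `.myhappydomain.com`, and what the Secure attribute changes. Host names, the cookie value and the request list are constructed for illustration.

```ruby
# Added example, not code from the thread or from Rails: a minimal model of
# the browser-side rules that decide whether a cookie is attached to a request,
# following the domain-match rule of RFC 2965 / RFC 6265 and the Secure flag.
# All host names and the cookie value below are constructed for illustration.

Cookie = Struct.new(:name, :value, :domain, :host_only, :secure)

# A Domain attribute such as ".myhappydomain.com" (leading dot ignored) matches
# that domain and every subdomain; a host-only cookie matches only the exact
# host that set it, which is what Rails does when no session_domain is given.
def domain_match?(request_host, cookie)
  domain = cookie.domain.sub(/\A\./, "").downcase
  host = request_host.downcase
  return host == domain if cookie.host_only
  host == domain || host.end_with?(".#{domain}")
end

# Secure cookies travel only over https. A non-Secure session cookie shared
# with the https host is also sent to the http host, so the session id crosses
# the network in cleartext there; that is the trade-off of this setup.
def sent?(cookie, scheme:, host:)
  return false if cookie.secure && scheme != "https"
  domain_match?(host, cookie)
end

# Constructed requests: the hosts discussed in the thread plus an unrelated
# domain that must never receive the cookie.
REQUESTS = [
  ["http",  "www.myhappydomain.com"],
  ["https", "secure.myhappydomain.com"],
  ["http",  "myhappydomain.com"],
  ["https", "www.otherdomain.example"],
].freeze

# Returns { "scheme://host" => true/false } for one cookie.
def delivery_map(cookie)
  REQUESTS.map { |scheme, host| ["#{scheme}://#{host}", sent?(cookie, scheme: scheme, host: host)] }.to_h
end

# Rails default: host-only cookie for the host that created the session.
DEFAULT_SESSION = Cookie.new("_session_id", "abc123", "www.myhappydomain.com", true, false)
# After :session_domain => ".myhappydomain.com": shared across subdomains.
SHARED_SESSION  = Cookie.new("_session_id", "abc123", ".myhappydomain.com", false, false)
# Same scope with the Secure flag: reaches secure.* but never the http side.
SECURE_SESSION  = Cookie.new("_session_id", "abc123", ".myhappydomain.com", false, true)

if __FILE__ == $PROGRAM_NAME
  { default: DEFAULT_SESSION, shared: SHARED_SESSION, secure: SECURE_SESSION }.each do |label, c|
    puts "#{label}: #{delivery_map(c)}"
  end
end
```

Forwarding the session id as a GET parameter instead, as the thread also considers, puts it into Referer headers and server logs, which is why the cookie-domain setting is the better fit here.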
On Dec 2, 2005, at 11:47 PM, Patrice Neff wrote:

> Philip Edelbrock wrote:
>
>> Oh, we're doing "www.myhappydomain.com" and
>> "secure.myhappydomain.com" (making up the domain, don't bother
>> looking it up ;'), so it's the same domain technically (and same
>> IP). We use different names for legacy and technical reasons
>> (don't ask).
>>
>> Still though, I've used other environments in the past which just
>> pass the session ID across as a submit (GET or POST) and it
>> automagically preserves the session. I couldn't find an easy way to
>> do that in Rails?
>
> You can change the cookie options by setting parameters of
> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS. According to
> http://wiki.rubyonrails.com/rails/pages/HowtoChangeSessionOptions
> the key for setting the domain is "session_domain". So try the
> following code in your production environment (environments/
> production.rb):
> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")
>
> Please tell me if this works.

Thanks. Seems simple enough.

Unfortunately, I won't be able to try it until we go live since this is an upgrade to the old site. I'm concerned that this may depend too much on browser/security settings and other client-side details. Since this would break the shopping process (the most important part) if it didn't work, it would still be very bad if it didn't work for a minority of folks. It also makes testing on a dev server a little trickier, too.

In other development environments, I've 'bridged the gap' by submitting the session id to the other domain, which forces the session, if needed. No Rails magic here to do the same?

Phil
On 12/3/05, Philip Edelbrock <phil-RqHDiG/X+WF8uvyFNTHIBg@public.gmane.org> wrote:

> On Dec 2, 2005, at 11:47 PM, Patrice Neff wrote:
>
>> Philip Edelbrock wrote:
>>
>>> Oh, we're doing "www.myhappydomain.com" and
>>> "secure.myhappydomain.com" (making up the domain, don't bother
>>> looking it up ;'), so it's the same domain technically (and same
>>> IP). We use different names for legacy and technical reasons
>>> (don't ask).
>>>
>>> Still though, I've used other environments in the past which just
>>> pass the session ID across as a submit (GET or POST) and it
>>> automagically preserves the session. I couldn't find an easy way to
>>> do that in Rails?
>>
>> You can change the cookie options by setting parameters of
>> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS. According to
>> http://wiki.rubyonrails.com/rails/pages/HowtoChangeSessionOptions
>> the key for setting the domain is "session_domain". So try the
>> following code in your production environment (environments/
>> production.rb):
>> ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(:session_domain => ".myhappydomain.com")
>>
>> Please tell me if this works.
>
> Thanks. Seems simple enough.
>
> Unfortunately, I won't be able to try it until we go live since this
> is an upgrade to the old site. I'm concerned that this may depend
> too much on browser/security settings and other client-side details.

It doesn't. But your problem is that even though your sites are all on the same domain, one is served via SSL and the other is not. Cookies won't persist from a non-SSL URL to an SSL URL.

Chris