We're going to have problems keeping cookies across domains. We want people to shop in one domain (e.g. "booksareus.com") and then checkout on the same server securely under a different domain (e.g. "greatbooks.com"). When we make the jump to the secure domain (the checkout link) can we submit the user's session ID along with it and have it 'stick' somehow so we don't lose their cart?

Thanks!

Phil

Hi !

2005/12/13, Philip Edelbrock <phil@edgedesign.us>:
> We're going to have problems keeping cookies across domains. We want
> people to shop in one domain (e.g. "booksareus.com") and then checkout
> on the same server securely under a different domain (e.g.
> "greatbooks.com"). When we make the jump to the secure domain (the
> checkout link) can we submit the user's session ID along with it and
> have it 'stick' somehow so we don't lose their cart?

In an app I'm coding currently, I pass the session ID in the URL, as query parameters. CGI knows how to extract it from the request instead of the cookies. I don't know though if a cookie is then sent along on the subsequent response. Haven't checked.

Bye !
--
François Beausoleil
http://blog.teksol.info/
_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails

Philip,

This is what I do in environment_mods.rb (required at the end of environment.rb) for one project that has 10+ rails sites sharing sessions.

    session_options = Hash.new
    session_options[:database_manager] = CGI::Session::PStore
    session_options[:prefix] = 'xyz_'
    session_options[:tmpdir] = '/home/xyz/pstore'
    # Cookie
    session_options[:session_domain] = '.xyz.com'
    session_options[:session_key] = 'xyzapp'
    # Assign
    ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS.update(session_options)

Hope it helps,

Adrian Madrid
HyperX Inc.
Mobile: 801.815.1870
Office: 801.566.0670
aemadrid-kSB444ljgzMmlAP/+Wk3EA@public.gmane.org
www.hyperxmedia.com
9000 S. 45 W. Sandy, UT 84070

Philip Edelbrock wrote:
> We're going to have problems keeping cookies across domains. We want
> people to shop in one domain (e.g. "booksareus.com") and then checkout
> on the same server securely under a different domain (e.g.
> "greatbooks.com"). When we make the jump to the secure domain (the
> checkout link) can we submit the user's session ID along with it and
> have it 'stick' somehow so we don't lose their cart?
>
> Thanks!
>
> Phil

Francois Beausoleil wrote:
> Hi !
>
> 2005/12/13, Philip Edelbrock <phil-RqHDiG/X+WF8uvyFNTHIBg@public.gmane.org>:
>
>> We're going to have problems keeping cookies across domains. We want
>> people to shop in one domain (e.g. "booksareus.com") and then checkout
>> on the same server securely under a different domain (e.g.
>> "greatbooks.com"). When we make the jump to the secure domain (the
>> checkout link) can we submit the user's session ID along with it and
>> have it 'stick' somehow so we don't lose their cart?
>
> In an app I'm coding currently, I pass the session ID in the URL, as
> query parameters. CGI knows how to extract it from the request
> instead of the cookies. I don't know though if a cookie is then sent
> along on the subsequent response. Haven't checked.

Thanks, this is similar to what we ended up doing. We have a simple little Perl (gasp!) CGI which gets the cookies submitted to it and then it resets them in the new domain. It's just too messy to try to do it within the Rails framework. It tries to create a new session before we get a chance, a before-filter does a redirect to a login because the session is apparently empty, etc.

Despite RFCs and cookie domain settings, it seems that some browsers (*cough* firefox) still get very picky about when and who to send cookies to. It also is likely that security settings would affect how cookies (and therefore sessions) get passed between domains and protocols (i.e. http vs https).

Anyways, here's a version of our CGI for those who might find it helpful. We call it in the target domain and protocol where it sets the session and our other cookie, then redirects to $URL:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;

    my $URL = "https://secure.xxx.com/checkout/summary";
    my $cgi = CGI->new;
    my $sessionid = $cgi->param('session_id');
    my $xxx_zip = $cgi->param('xxx_zip');

    # Keep only characters that are safe in a cookie value, so a parameter
    # cannot inject extra headers or cookie attributes.
    for ($sessionid, $xxx_zip) {
        $_ = '' unless defined $_;
        s/[^A-Za-z0-9_.-]//g;
    }

    # Set both cookies in this (target) domain, then redirect to $URL.
    print "Set-Cookie: xxx_zip=".$xxx_zip."; path=/\n";
    print "Set-Cookie: _session_id=".$sessionid."; path=/\n";
    print "Cache-Control: no-cache\n";
    print "Location: $URL\n";
    print "Connection: close\n";
    print "Content-Type: text/html; charset=UTF-8\n\n";
    print "<html><head><meta http-equiv=\"refresh\" content=\"0;URL=".$URL."\"></head></html>\n";
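
Added example, not part of the thread or of any poster's code: a session ID carried in a URL ends up in browser history, proxy and server logs and Referer headers, so one way to make the same jump is to send a short-lived, single-use code in the URL and let the checkout domain exchange it for the session ID on the server. HandoffStore, handoff_headers, the 32-hex-character ID format and the in-memory hash (standing in for storage both domains can reach) are assumptions made for this sketch.

```ruby
require 'securerandom'

# Added example, not code from the thread. HandoffStore and handoff_headers
# are hypothetical names; the 32-hex-character ID format is an assumption.
class HandoffStore
  TTL = 60 # seconds a code stays redeemable
  # \A and \z anchor the whole string; Ruby's ^ and $ would let "\n" through.
  HEX32 = /\A[0-9a-f]{32}\z/

  def initialize(clock = -> { Time.now.to_i })
    @clock = clock
    @codes = {} # code => [session_id, expires_at]; stands in for a shared store
  end

  # Shop domain: issue a random code that travels in the URL instead of the ID.
  def issue(session_id)
    raise ArgumentError, 'malformed session id' unless HEX32.match?(session_id.to_s)
    code = SecureRandom.hex(16)
    @codes[code] = [session_id, @clock.call + TTL]
    code
  end

  # Checkout domain: redeem once. Unknown, replayed or expired codes give nil.
  def redeem(code)
    return nil unless HEX32.match?(code.to_s)
    session_id, expires_at = @codes.delete(code)
    return nil if session_id.nil? || @clock.call > expires_at
    session_id
  end
end

# Headers for the checkout-domain response, or nil when the code is rejected.
def handoff_headers(store, code, url)
  session_id = store.redeem(code)
  return nil unless session_id
  ["Set-Cookie: _session_id=#{session_id}; path=/; Secure; HttpOnly",
   'Cache-Control: no-store',
   "Location: #{url}"]
end
```

The Secure attribute keeps the cookie off plain-http requests to the checkout domain, and HttpOnly keeps it away from page scripts.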