Home/ Questions/Q 4008156
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T08:43:10+00:00

All the info I’ve found on the internet about this says to use something

  • 0

All the info I’ve found on the internet about this says to use something like

Login::Application.config.session_store :cookie_store, :key => '_login_session', :domain => '.domain.com'

And use the same key for all the subdomains that I want to share that session. When I do this, the authentication is not being passed between subdomains. In fact, when I visit any of the supposedly shared sessions, the initial session gets overwritten

i.e. on login.domain.com, I run the authentication, which returns the user name and session user_id. I then go to sub.domain.com, which should return the same info as login.domain.com, but does not. Following this, I go back to login.domain.com and I am no longer authenticated there, either.

On sub.domain.com, the session_store.rb file looks like:

Something::Application.config.session_store :cookie_store, :key => '_login_session', :domain => '.domain.com'

I have used :all for the :domain value, as well, with the same outcome. And if I remove the :domain setting on the above, then the initial session does not get overwritten, but it also does not get shared.

When I look at the cookies in Cookie Editor for Firefox, both subdomains are using the same cookie name, but the authentication is not being shared. It’s a pretty basic Users table, and I am using OpenID and OAuth to perform authentication with Omniauth

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    update: the suggested solution is not that ugly after all, ad-exchanges and DSPs/SSPs use the same technique to exchange a visitor’s session ID so they can better target the visitor with ads (the next time that visitor pops up in their network again)

    If you can circumvent the browser cross-domain barrier, you can do it. For example, JSONP is specifically built for this purpose. And yes, session info is always stored centrally, otherwise if you get a request with a session ID of “zigzag”, how can you check if it is valid?

    “Those” sites that authenticate on login.domain.com might use an ajax proxy, or use other method to get through the cross-domain problem.

    The oldest “trick” is to create a hook in your application that looks like an image, as images can be loaded from everywhere.

    For example, on login.domain.com you authenticate the user, sent to the server and back with a response, and a cookie will be stored under login.domain.com with the session ID (which is stored in the server as well). Then – from Javascript – you GET an image, with the session ID attached, like http://any.domain.com/path/image.jpg?sessionID=abcd -> any cookies sent back in the response will be stored under any.domain.com

    Another solution – which is as ugly as the previous – is to use a hidden iframe to call to any.domain.com (when a successful authentication happens), that request will return a response, and its cookies will be written under the any.domain.com domain.

    If you have a multitudes of subdomains, and you can complicate your architecture a bit, I highly advise that you create a proxy, and make it available to every subdomain on the same IP address. Then no matter where the user comes in, the authentication process will always be the same, for every subdomain.

    • 0