Let’s say I have an application that’s going to be accessed from completely different domains that all point at the same server*:

example.com, example.net, foobar.com, …

I have a Devise based authentication system that’s worked fine before. However, the goal is now to add HTTPS to the sign in system. The problem is, as it turns out, there is no way to host more than one HTTPS website on the same IP address**. To resolve this problem, I set up the login pages to always POST to https://secure.example.com. As far as I can tell, this is working fine. Devise seems to have no qualm with it. However, the tricky part is that the user now needs to be redirected to foobar.com, which also needs to understand that the user is logged in. I pass the site to return to in a hidden parameter in the login form, and the redirection works fine. I still have no way to inform foobar.com that the user is now logged in.

I’ve managed to set it up so that, upon being returned to foobar.com, it copies the user’s session cookie for secure.example.com into a new cookie for foobar.com. This part is working fine. However, in the Rails console, the web requests for secure.example.com and foobar.com – with the same cookie sent for each – produce two completely different sessions and therefore, it’s no wonder Devise acts like the user was never logged in to foobar.com

Does anyone know why this wouldn’t work – why two identical web requests (only the domain of the request URI was different – I tried it in Firebug, too) would produce two completely different sessions in a Rails 3 app with different, yet consistent, session ids? More to the point, does anyone know how to MAKE this work?

* assume, for the purposes of this exercise, that this is unavoidable and the sites cannot be hosted all under different subdomains, and that the number of domains required is too great to get a separate IP address for each.

** unless they’re subdomains and you have an *.example.com cert, but that’s beside the point.