We are designing an application that will use Rails and WordPress to interact with each other. We would like to have a universal logout where you could logout from either application and it would delete cookies from the other app. They will share the same host and toplevel domain. Is there a way to do this?
Access to a cookie is dependent on the domain of the server attempting to read the request — and potentially the domain specified in the cookie. So assuming the domains match (e.g. http://www.example.com and http://www.example.com on both blog and Rails app) either should have access to a cookie set by the other.
If this is not the case (e.g. blog.example.com, http://www.example.com), you’ll need to make sure when the cookie is set in either place, it’s set for the entire domain (e.g. .example.com). But this doesn’t help: while Rails can delete WP’s cookie, and vice-versa, the method for creating (and using) them needs to be mutually understood. So there’s a twist here, since this is a session cookie; in this case, the cookie (which either app should have access to) is setting a value that is used and interpreted on the server side, where sessions are managed. WordPress and Rails both use different methods and look for different cookies.
A solution (idea) would be to have one or the other subsystem catch incoming requests (most likely WP, and probably through some .htaccess RewriteRule, assuming you’re using Apache) and create an intermediate cookie that the other could check that provides sufficient proof that the user has logged in correctly. WP’s PHP for this is pretty good, and easily extended — you just need to create some token that’s a shared secret between the two apps (one of the values in wp-config.php such as LOGGED_IN_KEY might be a good option). Maybe a solution would be to take the publicly available value from the WP cookie for username, and append the shared secret value and (in both systems) create an MD5 hash to store in a cookie. In this case, Rails’ authentication would subordinate to WP’s, so you would need to make sure Rails knew to delegate things like forgotten password, changed password, etc, to WP’s mechanisms.
Obviously I am thinking aloud, but maybe this is a path to consider.
In any case, this is preferable to having both systems know how to trust the other’s authentication.
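Below is an added example (not code from the answer above, and not from WordPress or Rails) of the Rails side of the intermediate-cookie idea: building the proof token, verifying a token received from the other app, and emitting the domain-wide Set-Cookie and clearing headers for the shared logout. Two things are swapped in relative to the answer: an HMAC-SHA256 keyed with the shared secret is used instead of MD5(username + secret), because an unkeyed hash over a guessable username is forgeable, and an expiry is bound into the token so a stolen cookie does not last indefinitely. Under RFC 6265 a leading dot in `Domain=` is ignored, so `Domain=example.com` already covers both hosts. The secret, cookie name and timestamps are constructed placeholders; in a real deployment the secret would be read from `wp-config.php` by both apps.

```ruby
require "openssl"
require "time"

# Constructed placeholder; in practice both apps would read the same value
# (for instance LOGGED_IN_KEY from wp-config.php). Never commit a real one.
SHARED_SECRET = "constructed-shared-secret-placeholder".freeze
COOKIE_NAME   = "sso_proof".freeze   # hypothetical name for the intermediate cookie

# Constant-time string comparison so a MAC check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Token layout: "<username>|<unix expiry>|<hex HMAC-SHA256 over username|expiry>".
# Keyed with the shared secret, so only a holder of the secret can mint one.
def build_sso_token(username, expires_at, secret = SHARED_SECRET)
  raise ArgumentError, "username must not contain '|'" if username.include?("|")
  payload = "#{username}|#{expires_at.to_i}"
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}|#{mac}"
end

# Verify a token presented by the other app. Returns the username on success,
# nil on any malformed, expired or tampered token.
def verify_sso_token(token, now = Time.now, secret = SHARED_SECRET)
  return nil unless token.is_a?(String)
  username, exp, mac = token.split("|", 3)
  return nil if username.nil? || exp.nil? || mac.nil? || username.empty?
  return nil unless exp.match?(/\A\d+\z/)
  return nil if Time.at(exp.to_i) <= now            # expired
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{username}|#{exp}")
  return nil unless secure_equal?(mac, expected)     # tampered or wrong key
  username
end

# Set-Cookie header scoped to the whole registrable domain so that both
# www.example.com and blog.example.com receive it. Secure + HttpOnly keep it
# off plain HTTP and away from page scripts.
def set_cookie_header(name, value, domain, expires_at)
  "#{name}=#{value}; Domain=#{domain}; Path=/; Expires=#{expires_at.httpdate}; " \
    "Secure; HttpOnly; SameSite=Lax"
end

# Logout from either app: same name, domain and path, but an expiry in the past.
# The attributes must match the original cookie or the browser keeps the old one.
def clear_cookie_header(name, domain)
  "#{name}=; Domain=#{domain}; Path=/; Expires=#{Time.at(0).httpdate}; Max-Age=0; " \
    "Secure; HttpOnly; SameSite=Lax"
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  token = build_sso_token("alice", now + 3600)
  puts set_cookie_header(COOKIE_NAME, token, "example.com", now + 3600)
  puts "verified as: #{verify_sso_token(token, now).inspect}"
  puts clear_cookie_header(COOKIE_NAME, "example.com")
end
```

Both apps must agree on the token layout and on the cookie's name, domain and path; the clearing header only works when those attributes match what was originally set. Rails should also purge its own server-side session once it sees the proof cookie is gone or expired, since deleting the cookie alone does not end a server-tracked session.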