Devise not working well with multiple subdomains on RoR3 application

9
votes

I have seen a lot of questions about this topic, but a lot of them have contradictory information, and for some reason it didnt work for me.

I have:

a top level domain: i.e. lvh.me (development). each user has subdomains: i.e. userdomain.lvh.me The login form is in the top level domain: lvh.me

I want:

  • If an user logs in, the session needs to be shared between all the subdomains. I mean, the session needs to be active in lvh.me:3000/something and userdomain.lvh.me:3000
  • If an user logs out from lvh.me:3000/something it should work, and if the user logs out from userdomain.lvh.me:3000 it should work also.

I tried

  • Setting in an initializer the following:

    MyApplication::Application.config.session_store :cookie_store, :key => '_mykey', :domain => :all

What happened?

I can login in lvh.me:3000, I am correctly redirected to lvh.me:3000/internalpage and if I go to subdomain.lvh.me:3000 it works great. I can also logout from lvh.me:3000/internalpage BUT if I try to logout from subdomain.lvh.me:3000 it doesn't work. The destroy action in Devise SessionsController is executed and everything, but the session doesn't die.

According to http://excid3.com/blog/sharing-a-devise-user-session-across-subdomains-with-rails-3/,

The trick here is the :domain option. What this does is sets the level of the TLD (top level domain) and tells Rails how long the domain is. The part you want to watch out for here is that if you set :domain => :all like is recommend in some places, it simply won’t work unless you’re using localhost. :all defaults to a TLD length of 1, which means if you’re testing with Pow (myapp.dev) it won’t work either because that is a TLD of length 2.

So, after reading that I also tried

MyApplication::Application.config.session_store :cookie_store, :key => '_mykey', :domain => 'lvh.me'

What happened? I can login in lvh.me:3000, I am correctly redirected to lvh.me:3000/internalpage and if I go to subdomain.lvh.me:3000 it doesn't work, i have no session there. If I go back to lvh.me:3000/internalpage my session has disappeared. What happened there?

What else?

Then, after reading rails 3.2 subdomains and devise I changed my initializer line to 

MyApplication::Application.config.session_store :cookie_store, :key => '_mykey', :domain => '.lvh.me'

Note the "." before the domain name. According to the post in SO:

This allows this cookie to be accessible across subdomains and the application should maintain it's session across subdomains. May not be 100% what you are looking for but it should get you going in the right direction.

What happened? Nothing, it didn't work. Same behavior if compared with the last thing I tried.

I finally tried What does Rails 3 session_store domain :all really do? , creating a custom class to handle the cookies. But I had no luck.

Of course that I deleted all the cookies and temp files before each attempt. Also I changed the name of the cookie. Any help? Thanks!

2
rubyruby-on-rails-3cookiesdevise
Not really an answer, but you might give using a different session_store than the cookie based one a try.Thomas Klemm

2 Answers

10
votes

According to this guy here: Rails: how can I share permanent cookies across multiple subdomains? You need to set the domain manually? Googling around it looks like '.domainname.com' with the dot at the beginning really is the way to go.

If you inherit from Devise::SessionsController you can manually set it on create

class SessionsController < Devise::SessionsController
  def create
    # modify the cookie here
    super
  end
end

I am setting up a working example to test that out, I'll post back afterwards, cheers!

And here is my Edit

Forget tempering with the token on create. The problematic is this, you need to have the token domain set to '.lvh.me' that's all there is to it, but domain: '.lvh.me' just doesn't do anything. Here is my proof of concept and ultimately it boiled down to a single change inside a controller:

class HomeController < ApplicationController
  def index
    cookies[:_cookietest_session] = {domain: '.lvh.me'}
  end
end

In Chrome the token would look like this

enter image description here

And that for subdomain.lvh.me, lvh.me and any other subdomain I tried. I can sign_in/sign_out from any and the session is created/destroyed accordingly.

Now I wouldn't advise doing it the way I did, I liked the middleware approach I think it would work just fine if setup properly. Let me know if you need further help on this.

Cheers!

Ok last thing

I went back and tried domain: :all because it really ought to work as you have expected. If I access lvh.me I get a cookie with .lvh.me but if I got to subdomain.lvh.me I get one that reads .subdomain.lvh.me

enter image description here

0
votes

I think the issue is that :all adds a . to the subdomain.lvh.me so you would stay logged in with foo.subdomain.lvh.me which doesn't do you much good.

:all seems to work if your original login is from the root domain lvh.me and you then redirect to a subdomain. but you can't log in through a subdomain with it set that way.

MyApplication::Application.config.session_store :cookie_store, :key => '_mykey', :domain => '.lvh.me'

looks like the correct way to specify this.

Note:

  • Make sure you restart rails after making change.
  • Make sure you clear cookies out for your domain before testing again. You can leave remnant cookies behind that are confusing between tests.