Share Devise session cookie between two Rails apps of different versions

1
votes

I'm trying to share a Devise session cookie for authentication purposes between two Rails apps on the same TLD but living on different subdomains. One app is v4.2.11.1, and the other is v6.0.3.2. I want to login on the Rails 4 app, and access the authenticated user info in the Rails 6 app. The session cookie is set fine when logging in on the Rails 4 app, but it seems to get completely wiped out/reset when trying to access it in the Rails 6 app.

  • The session store cookie domain is set correctly for both apps, e.g. .example.com.
  • The session store tld_length is set to 2 in both apps.
  • The cookies serializer is set to :marshal in both apps.
  • I'm using the same secret_key_base in both apps. In the Rails 4 app, it is set via the ENV['SECRET_KEY_BASE'] env var. In the Rails 6 app, it's set via Rails credentials, e.g. config/credentials/<env>.yml.enc.
  • Devise.secret_key is the same in both apps.
  • I'm using the same Devise gem version and initializers in both apps.
1
ruby-on-railsrubydevise

1 Answers

2
votes

There might be other things going on in your specific case, but it is worth nothing that there have been two backward-incompatible changes to session cookies since Rails 4 that you'll need to look at.

  1. There was a change in Rails 5.2 to embed expiry information into encrypted cookies. From the upgrade guide:

To improve security, Rails now embeds the expiry information also in encrypted or signed cookies value.

This new embed information make those cookies incompatible with versions of Rails older than 5.2.

If you require your cookies to be read by 5.1 and older, or you are still validating your 5.2 deploy and want to allow you to rollback set Rails.application.config.action_dispatch.use_authenticated_cookie_encryption to false.

  1. Rails 6.0 has a change to embed purpose in encrypted cookies. From the upgrade guide:

To improve security, Rails embeds the purpose information in encrypted or signed cookies value. Rails can then thwart attacks that attempt to copy the signed/encrypted value of a cookie and use it as the value of another cookie.

This new embed information make those cookies incompatible with versions of Rails older than 6.0.

If you require your cookies to be read by Rails 5.2 and older, or you are still validating your 6.0 deploy and want to be able to rollback set Rails.application.config.action_dispatch.use_cookies_with_metadata to false.