Sharing Cookies with Subdomains in Rails Discussion

Would it be possible for you to add subtitles in Portuguese or English? I am Brazilian, I can understand English subtitles. If you can in English it helps a lot.

Is there a strategy for sharing a login session between two different domains?

That's what we covered in this episode?

As I understand it, the episode covered sharing credentials between subdomains of the same domain. For example, foo.example.com & bar.example.com

Is there a way of sharing credentials between foo.com and bar.com?

No. Cookies are bound to the same TLD.

Would this work for authenticating from non Rails app on a subdomain? For example if we have a Rails app hosted at foo.com, and then a Next.js app on bar.foo.com, could the Rails app authenticate API requests coming from bar.foo.com using the session cookie?

Yep! Just make sure the cookie gets included in the request and that's it. 👍

So I'm using Devise for authentication and I've got everything working for signing up and signing in, but I need some help with signing out.

There's a 'home' controller and view that is the landing page for unauthenticated users at 'lvh.me:3000' and then there's a 'dashboards' controller and view that becomes the root path for a user who is signed in. They sign in, hit a before_action in my ApplicationController, get redirected to 'test.lvh.me:3000' where 'test' is the subdomain for the account, and see the dashboard page.

Here's my before_action to redirect once they're logged in:

def redirect_to_subdomain
  return unless user_signed_in?
  if request.subdomain.blank?
    # Signed in on the bare domain: send the user to their first account's subdomain.
    if current_user.accounts.exists?
      redirect_to root_url(subdomain: current_user.accounts.first.subdomain)
    end
  else
    # On a subdomain: redirect unless it belongs to one of the user's accounts.
    unless current_user.accounts.pluck(:subdomain).include?(request.subdomain)
      redirect_to root_url(subdomain: current_user.accounts.first.subdomain)
    end
  end
end

When they sign out, I want them to have their session destroyed (obviously) and then have them sent back to 'lvh.me:3000'. Currently, they sign out, the session gets destroyed (I can see the button text change and the account name disappear from the nav), but the URL remains 'test.lvh.me:3000'. I see that Devise's default sign out path helper is:

  def after_sign_out_path_for(resource_or_scope)
    scope = Devise::Mapping.find_scope!(resource_or_scope)
    router_name = Devise.mappings[scope].router_name
    context = router_name ? send(router_name) : self
    context.respond_to?(:root_path) ? context.root_path : "/"
  end

Is there some way to override this? My assumption here is that because Devise uses root_path instead of root_url, it's not taking the subdomain off of the route. Any thoughts on how to achieve what I want?

Aha! I fixed this by overriding this method in my ApplicationController with the following:

def after_sign_out_path_for(resource_or_scope)
  scope = Devise::Mapping.find_scope!(resource_or_scope)
  router_name = Devise.mappings[scope].router_name
  context = router_name ? send(router_name) : self
  context.respond_to?(:root_url) ? context.root_url(:host => request.domain) : "/"
end

Note the root_url(:host => request.domain) piece. Apparently root_url(:subdomain => false) doesn't exist. Find more discussion here: https://github.com/rails/rails/issues/2025

Would this work in the reverse situation? Where the Rails app is on a subdomain and the primary domain is pointing to a frontend app?

Cookies are shared between them all, so yes it would.

Looks great!

Any tips on how to make subdomains work with ActionCable?

I got an error on subdomains:

Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "connect-src 'self'

Is there any way to share session information between subdomains when the session_store is set to :redis_session_store?

My Rails app works on subdomains like
mother.lvh.com
friend.lvh.com
brother.lvh.com

Each of these subdomains is considered a separate group which has its own users. Users from one subdomain cannot log in to another subdomain.
Since domain: :all shares the cookie in every subdomain, is there any way to set the cookie so that one user's cookie from his subdomain (e.g. friend.lvh.com) cannot be shared with different subdomains?
Each subdomain's user has their own cookies.

Suppose
User 1 from mother.lvh.com should have value 'mother.lvh.com' in the domain of the cookie
User 2 from friend.lvh.com should have value 'friend.lvh.com' in the domain of the cookie

Can you help me with this?
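
How the cookie's Domain attribute decides which hosts receive it, as an added example that is not part of the thread or of Rails itself: a simplified model of RFC 6265 domain matching, run over the hosts mentioned in the posts above. The helper names and the `_session` cookie name are hypothetical, and `domain: :all` is assumed to resolve to `lvh.com` for these hosts.

```ruby
# Simplified model of RFC 6265 cookie scoping (added example; public-suffix,
# Path and Secure handling are left out).
Cookie = Struct.new(:name, :domain, :host_only)

# RFC 6265 section 5.1.3: hosts match when identical, or when the host
# ends with "." + domain.
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase
  host == domain || host.end_with?(".#{domain}")
end

# What a browser stores when `origin_host` answers with Set-Cookie.
# domain_attr nil means no Domain attribute, which gives a host-only cookie.
# Returns nil when the browser would reject the cookie.
def store_cookie(origin_host, name, domain_attr = nil)
  return Cookie.new(name, origin_host.downcase, true) if domain_attr.nil?

  domain = domain_attr.downcase.sub(/\A\./, "") # a leading dot is ignored
  return nil unless domain_match?(origin_host, domain) # no cookies for foreign domains

  Cookie.new(name, domain, false)
end

# Would the browser attach `cookie` to a request for `request_host`?
def sent_to?(cookie, request_host)
  if cookie.host_only
    request_host.downcase == cookie.domain
  else
    domain_match?(request_host, cookie.domain)
  end
end

# Constructed host list, taken from the examples in the thread.
HOSTS = %w[lvh.com mother.lvh.com friend.lvh.com brother.lvh.com bar.com].freeze

def recipients(cookie)
  HOSTS.select { |host| sent_to?(cookie, host) }
end

if __FILE__ == $PROGRAM_NAME
  shared   = store_cookie("friend.lvh.com", "_session", "lvh.com") # assumed result of domain: :all
  isolated = store_cookie("friend.lvh.com", "_session")            # no Domain attribute
  puts "shared:   #{recipients(shared).join(', ')}"
  puts "isolated: #{recipients(isolated).join(', ')}"
  puts "foo.com setting Domain=bar.com: #{store_cookie('foo.com', 's', 'bar.com').inspect}"
end
```

A cookie set without a Domain attribute stays on the exact host that issued it, while one scoped to the parent domain is sent to every subdomain, including those of other tenants.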
