
I have 2 Ruby on Rails apps, each with the Devise gem for authentication. My goal is to implement simple SSO (single sign-out) using shared sessions.

One of them is public.admin.com and the other private.admin.com. I am using the following configurations:

session_store.rb

Rails.application.config.session_store :cookie_store, key: '_shared_admin_session', domain: '.admin.com', tld_length: 2

config/secrets.yml

I also use the same secret_key_base value in both applications.

devise.rb

config.stretches = 1

config.pepper = ''

application.rb

config.action_dispatch.cookies_serializer = :hybrid

I can sign in to one of them and the session is open; once I open the other domain, Completed 401 Unauthorized is returned, the opened session is closed, and I am signed out from the first domain.

I've tried using domain: 'admin.com', domain: :all, and ..session_store :redis_store.., but the result is always the same.

Can anyone please help me find the problem, or suggest a better solution? I will be thankful.

MZaragoza
eftikhar

2 Answers


When you want to share a session between domains, what you would want to do is edit your config/initializers/session_store.rb file to look like this:

APPNAMEGOESHERE::Application.config.session_store :cookie_store, :key => '_tourlyapp_session', :domain => "your_domain_name.com"

The trick here is the :domain option. What this does is set the level of the TLD (top-level domain) and tell Rails how long the domain is. The part you want to watch out for here is that if you set domain: :all, as is recommended in some places, it simply won't work unless you're using localhost. :all defaults to a TLD length of 1, which means if you're testing with Pow (myapp.dev) it won't work either, because that is a TLD of length 2.

I hope that this helps you out.

MZaragoza
  • Thank you for replying. When I open the browser cookies I can see the cookie with key `_shared_admin_session` is mapped to domain `.admin.com` for both domains' tabs, so I am really not sure if the session is really shared (for reading and writing) on it – eftikhar Jan 03 '18 at 18:55
  • You can test it with `lvh.me:3000` and `admins.lvh.me:3000` and see if it's working properly for you – MZaragoza Jan 03 '18 at 18:56
  • Is it normal to receive 401 Unauthorized? The rails server logger says `Can't verify CSRF token authenticity` – eftikhar Jan 03 '18 at 19:15
  • Can anyone please answer @Eftikhar as I have the same problem – Vaibhav Maheshwari Oct 15 '18 at 14:26
  • Hello Mr. Maheshwari, you can check the note I added as an answer; make sure that the users are read from the same db:table – eftikhar Oct 16 '18 at 18:10
  • Yes!! Thank you @MZaragoza, I spent the last few hours trying to debug my own application on production. If somebody else reads this, perhaps it would help to give some details: I am building an app that can have an unlimited number of subdomains. In development, I had my session_store config with `domain: :all` and am using Pow; it works fine locally. On pushing to production on a Heroku site, posting any form (though in my particular case, a User Registration Devise form) would result in `Can't verify CSRF token`. Setting my domain to be `domain: "my-app.herokuapp.com"` fixed it! – BoyanLevchev Dec 25 '20 at 22:50
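The answer above covers the cookie's Domain attribute; the other half of sharing a cookie_store session is that both apps must be able to verify the same cookie, which is why the question uses one secret_key_base in both applications. The following is an added example, not code from the question, the answer or Rails itself: it is a simplified model of how Rails signs a cookie_store session (a secret derived from secret_key_base with PBKDF2, then an HMAC over the serialized session) and shows that the cookie set by one app verifies only under the same secret_key_base and fails under a different one or after tampering. The key names, iteration count and session contents are constructed for the example. The flip side for a defender is that whichever host holds that shared key can mint sessions the other host accepts, so the two apps effectively form one trust boundary.

```ruby
require "openssl"
require "json"

# Model of a Rails signed cookie (added example, not ActionDispatch's code):
# the cookie secret is derived from secret_key_base by PBKDF2-HMAC-SHA1 with the
# salt "signed cookie" and 1000 iterations, then the base64 payload is HMAC-signed.
SIGNED_COOKIE_SALT = "signed cookie".freeze
KEY_ITERATIONS = 1000

def derive_cookie_secret(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SIGNED_COOKIE_SALT, KEY_ITERATIONS, 64)
end

def sign_session(session_hash, secret_key_base)
  data = [JSON.generate(session_hash)].pack("m0") # strict base64, no newlines
  digest = OpenSSL::HMAC.hexdigest("SHA1", derive_cookie_secret(secret_key_base), data)
  "#{data}--#{digest}"
end

# Constant-time comparison so a forged digest cannot be narrowed down by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash if the cookie verifies under secret_key_base, else nil.
def verify_session(cookie_value, secret_key_base)
  data, digest = cookie_value.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", derive_cookie_secret(secret_key_base), data)
  return nil unless secure_compare(digest, expected)
  JSON.parse(data.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Constructed sample values: one key base shared by both apps, one that is not.
SHARED_KEY_BASE = "constructed-secret-key-base-shared-by-public-and-private".freeze
OTHER_KEY_BASE  = "constructed-secret-key-base-of-an-unrelated-app".freeze

# Constructed session contents shaped like what Devise/Rails store.
SAMPLE_SESSION = {
  "warden.user.admin.key" => [[42], "$2a$11$constructedsaltfragment"],
  "_csrf_token" => "constructed-csrf-token"
}.freeze

def demo_cookie_keys
  cookie = sign_session(SAMPLE_SESSION, SHARED_KEY_BASE)
  tampered = "A" + cookie[1..] # flip the first payload byte
  {
    shared_key_reads: verify_session(cookie, SHARED_KEY_BASE),
    other_key_reads:  verify_session(cookie, OTHER_KEY_BASE),
    tampered_reads:   verify_session(tampered, SHARED_KEY_BASE)
  }
end

puts demo_cookie_keys.inspect if $PROGRAM_NAME == __FILE__
```

If the second app returns 401 with a correctly scoped cookie, a key mismatch of this kind (different secret_key_base, or a different cookies_serializer) is the first thing to rule out, because the cookie is silently treated as an empty session.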

I found the problem; it was simple.

The problem was that I was using 2 different DBs; after unifying the admin table, things worked fine.

eftikhar
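Why two databases produce exactly the symptom in the question (a shared cookie, yet 401 and a forced sign-out) follows from how Devise restores a user from the session. The following is an added example and not Devise's own code: it models Devise's serialize_into_session/serialize_from_session behaviour, where the session stores [[id], authenticatable_salt] and the salt is the first 29 characters of the bcrypt encrypted_password. Restoring succeeds only if a row with that id exists in the app's own table and its salt matches, so when the second app reads a different admin table the lookup fails and Devise treats the request as unauthenticated. The admin rows and password strings are constructed and bcrypt-shaped, not real hashes.

```ruby
# Model of Devise's session (de)serialization (added example, not Devise's code).
AUTHENTICATABLE_SALT_LENGTH = 29 # Devise uses encrypted_password[0, 29]

Admin = Struct.new(:id, :email, :encrypted_password) do
  def authenticatable_salt
    encrypted_password && encrypted_password[0, AUTHENTICATABLE_SALT_LENGTH]
  end
end

# What Devise writes into the session when an admin signs in.
def serialize_into_session(admin)
  [[admin.id], admin.authenticatable_salt]
end

# What Devise does on each request: look the id up in THIS app's table and
# require the stored salt to match; otherwise the session is rejected.
def serialize_from_session(table, key)
  ids, salt = key
  record = table.find { |a| a.id == ids.first }
  record if record && record.authenticatable_salt == salt
end

# Constructed bcrypt-shaped strings: "$2a$11$" + 22 salt chars + 31 hash chars.
def fake_bcrypt(salt_char, hash_char)
  "$2a$11$" + salt_char * 22 + hash_char * 31
end

# The public app's admin table.
PUBLIC_DB = [Admin.new(1, "root@admin.example", fake_bcrypt("a", "0"))].freeze
# A separate private-app table: same id 1, but a different row and password hash.
PRIVATE_DB_SEPARATE = [Admin.new(1, "other@admin.example", fake_bcrypt("b", "1"))].freeze
# After unifying the admin table, both apps read the same rows.
PRIVATE_DB_SHARED = PUBLIC_DB

def demo_session_restore
  key = serialize_into_session(PUBLIC_DB.first) # written by public.admin.com
  {
    separate_db: serialize_from_session(PRIVATE_DB_SEPARATE, key)&.email,
    shared_db:   serialize_from_session(PRIVATE_DB_SHARED, key)&.email
  }
end

puts demo_session_restore.inspect if $PROGRAM_NAME == __FILE__
```

The same check also explains why a password change signs the user out everywhere: the salt fragment in every outstanding session stops matching the new encrypted_password.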