JDStraughan

Reputation: 317

Wildcard subdomain cookies ignored in some browsers. Rails 3.2 app on Heroku

I have a rails 3.2 app on Heroku using Devise.

Starting after a deploy yesterday, the session_id quit being stored on some browsers.

After a debugging marathon, we discovered that our cookies were being set up like this:

Application.config.session_store :cookie_store, :domain => :all

This was sending the set cookie header with a domain of .herokuapp.com, allowing us to visit our development, staging, etc.

This code has been working for > 1 year. Yesterday, after a deploy, the bug arose.

The fix was setting the domain explicitly, using the actual subdomain in the cookie domain:

Application.config.session_store :cookie_store, :domain => 'example.herokuapp.com'

While this "fixed" the problem, I have not figured out why this cookie was being ignored by some browsers, but not others. They should all allow wildcard subdomain cookies AFAIK.

Please help me understand this issue.

Upvotes: 2

Views: 1147

Answers (1)

JDStraughan

Reputation: 317

On May 14, 2013, herokuapp.com was added to the Mozilla Foundation’s Public Suffix List. This list is used in several browsers (Firefox, Chrome, Opera) to limit how broadly a cookie may be scoped.

Source: https://devcenter.heroku.com/articles/cookies-and-herokuapp-com

Upvotes: 6
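
The behaviour described in the answer, as an added example that is not part of the original post or of Rails: a Ruby model of how a browser scopes a cookie under RFC 6265 when it consults a public suffix list. The suffix list here is a constructed two-entry excerpt with exact rules only, and `all_domain` is a simplified stand-in for what the question reports `:domain => :all` sending.

```ruby
# Constructed excerpt of the Public Suffix List: exact rules only, no
# wildcard (*.) or exception (!) rules, which the real list also has.
PUBLIC_SUFFIXES = %w[com herokuapp.com].freeze

# Simplified model (assumption) of :domain => :all as the question reports
# it: keep the last (tld_length + 1) labels of the host, with a leading dot.
def all_domain(host, tld_length = 1)
  "." + host.downcase.split(".").last(tld_length + 1).join(".")
end

# RFC 6265 domain-match: identical, or host ends with "." + domain.
def domain_match?(host, domain)
  host == domain || host.end_with?("." + domain)
end

# Decide what a browser does with a Set-Cookie Domain attribute.
# Returns [:rejected, nil], [:host_only, host] or [:domain, domain].
def cookie_scope(request_host, domain_attr, suffixes = PUBLIC_SUFFIXES)
  host = request_host.downcase
  domain = domain_attr.to_s.downcase.sub(/\A\./, "") # leading dot is ignored
  return [:host_only, host] if domain.empty?

  # A Domain attribute that is a public suffix is only tolerated when it
  # equals the request host, and then the cookie becomes host-only.
  if suffixes.include?(domain)
    return host == domain ? [:host_only, host] : [:rejected, nil]
  end

  # Otherwise the request host must fall under the requested domain.
  return [:rejected, nil] unless domain_match?(host, domain)
  [:domain, domain]
end

host = "example.herokuapp.com" # hostname taken from the question
[
  ["suffix list without herokuapp.com", all_domain(host), %w[com]],
  ["suffix list with herokuapp.com",    all_domain(host), PUBLIC_SUFFIXES],
  ["explicit host as Domain",           host,             PUBLIC_SUFFIXES]
].each do |label, domain_attr, suffixes|
  puts "#{label}: Domain=#{domain_attr} -> #{cookie_scope(host, domain_attr, suffixes).inspect}"
end
```

Passing a suffix list without `herokuapp.com` models a browser whose copy of the list does not contain that entry, which is the one case where the wildcard cookie is still stored.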
