I am using Rails 3, devise, cancan. I have set the cookies to be subdomain specific and use the subdomain along with the username as authentication keys.
i.e.
devise :authentication_keys => [:username, :subdomain]
So when I authenticate a user in a particular subdomain the user does not have access to any other subdomain. If I just edit his cookie session (firebug) and change the domain of the cookie (i.e. change from foo.mydomain.com to fee.mydomain.com) the user acquires access to the new subdomain.
I realize that I could block access with cancan, but ideally I would like to restrict the user through authentication. It somehow feels a bit more secure and it requires less configuration (a few less lines in ability.rb).
Any idea on how to prevent this dead simple hack?
Upvotes: 2
Views: 1110
I ended up doing my own before filter on my controller that checks the subdomain and compares it against the subdomains on which the user is allowed to login.
# application_controller.rb
def check_account_id
  # current_user is set by Devise; this filter must run after authenticate_user!
  account = Account.find(current_user.account_id)
  # Allow the request only if the account owns the subdomain it was made on
  account.domains.each do |domain|
    if domain.name == request.subdomain
      return true
    end
  end
  flash[:error] = "You must be logged in to access this subdomain"
  sign_out current_user
  redirect_to new_user_session_path
end
and in my object controller
# myobjects_controller.rb
# authenticate_user! must come first so current_user is set when check_account_id runs
before_filter :authenticate_user!
before_filter :check_account_id
....
Not sure if this is the most elegant way but it does work. It would be nice though if there was a way to let devise know about allowed subdomains. Perhaps this is a potential feature request.
Upvotes: 1
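An added, stand-alone model of the check above (not the answerer's code, and not Devise's): it goes one step beyond the answer by recording at sign-in which subdomain the session was created on inside the signed session payload, so a cookie moved from foo to fee is rejected even before the allowed-domains list is consulted. `SECRET`, `sign_in`, `load_session` and `check_subdomain` are constructed names standing in for Rails' secret_key_base, the signed cookie store, account.domains and request.subdomain.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed secret for this demo; Rails derives its cookie signing key from secret_key_base.
SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

# Issue a signed session that records the subdomain it was created on.
# Editing the cookie's domain attribute in the browser does not change this payload.
def sign_in(user_id, subdomain)
  data = Base64.strict_encode64(JSON.generate('user_id' => user_id, 'subdomain' => subdomain))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# Constant-time comparison so MAC verification does not leak via timing.
def constant_time_eql?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the signature and decode the payload; nil for anything malformed or tampered.
def load_session(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
  return nil unless constant_time_eql?(mac, expected)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# The per-request check a before_filter would perform. `allowed_domains` stands in
# for account.domains, `request_subdomain` for request.subdomain.
# Returns :ok, or a symbol naming why the user should be signed out.
def check_subdomain(cookie, request_subdomain, allowed_domains)
  session = load_session(cookie)
  return :invalid_session unless session
  return :subdomain_mismatch unless session['subdomain'] == request_subdomain
  return :not_allowed unless allowed_domains.include?(request_subdomain)
  :ok
end

if __FILE__ == $0
  cookie = sign_in(42, 'foo')
  p check_subdomain(cookie, 'foo', %w[foo bar]) # => :ok
  p check_subdomain(cookie, 'fee', %w[foo fee]) # => :subdomain_mismatch (cookie replayed on another subdomain)
end
```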