Losing session in rails 2.3.2 app using subdomain

Question

I have a 2.2.3 app which I upgraded to 2.3.2

It's a multi-site (using subdomain) that creates one top level session for all sites.

This is how I change the domain in production.rb:

ActionController::Base.session_options[:domain] = "example.com"

# in rails 2.2.2, this is what i used to do:
# ActionController::Base.session_options[:session_domain] = "example.com" 

Strange things started to happen after I upgraded I can no longer log in using restful authentication; it does authenticate me, but as soon as I'm redirected, it would ask me to log in again.

As I said, I use restful_authentication and I also use passenger 2.1.2. Can anyone help?

Answer 1

You must indicate:

.example.com

(notice the leading dot) in order for the session cookie to apply to example.com as well as its sub-domains.

Answer 2

Olly's answer is correct, in rails 2.3 it should be:

config.action_controller.session[:domain] = '.example.com'

I just wanted to add that if you don't already have some session options created you may receive this when using that:

undefined method `[]=' for nil:NilClass

In that case you should use this instead (which creates the session variable instead of updating it):

config.action_controller.session ||= {}
config.action_controller.session[:domain] = '.example.com'

Edit: apparently Rails 2.2.2 projects use something different. "domain" should be named "session_domain" and take the period character off the front of the domain. Try this:

config.action_controller.session ||= {}
config.action_controller.session[:session_domain] = 'example.com'

Answer 3

It could be added in the same place where you set the session key and secret

config.action_controller.session = {
      :key => '_app_session',
      :domain => '.domain.com',
      :secret => 'secret'
}

Answer 4

I'm also running 2.3.5 and encountering similar issues to @alfred-nerstu

No error messages with the patch from @schickm but it doesn't seem to take, either.

Answer 5

A more bullet proof solution would be to check if the session already exists or not. If you are blindly replacing the whole session object it may trip you up in the future.

if ActionController::Base.session
  ActionController::Base.session[:domain] = '.example.com'
else
  ActionController::Base.session = { :domain => '.example.com' }
end

I like to do this in an initializer file.

Answer 6

I'm running Rails 2.3.5 and have

config.action_controller.session = {:domain => '.localhost:3000'}

in my development.rb but I don't get it to work?

Something else you need to do?

Answer 7

Just wanted to mention that another way to handle the whole subdomain thing for the cookies is dynamically. Works in 2.3.4.

Something like this in the environment.rb

# solution to use the cookies in the api. domains
# this is relevant but in 2.3.4 the code is different
# http://szeryf.wordpress.com/2008/01/21/cookie-handling-in-multi-domain-applications-in-ruby-on-rails/
# Just making sure that api. shares the domain name
require 'dispatcher'
module ActionController
  class Dispatcher
    def set_session_domain
      host_name = @env['SERVER_NAME']
      new_host_name = whatever #some mod of the host_name, for instance
      ActionController::Base.session = {
        :domain => new_host_name
      }
    end

    before_dispatch :set_session_domain
  end
end

Answer 8

In Rails 2.3 you should use

config.action_controller.session[:domain] = '.example.com'

Answer 9

we had the same problem (losing sessions, without subdomain), with nginx + thin. Migrating to apache + passenger (last version) fixed the problem.

Answer 10

I had the same problem with cookie-based sessions. Upgrading to Passenger 2.1.3 seemed to fix the issue.