Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Add support for multi-subdomain session by setting cookie host in ses…

…sion cookie so you can share session between www.example.com, example.com and user.example.com. [#4818 state:resolved]

Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
  • Loading branch information...
commit c4d6245e875bbb276c122a5a401422d341dac4df 1 parent e11bb95
@guillermo guillermo authored dhh committed
View
5 actionpack/CHANGELOG
@@ -1,5 +1,10 @@
+*Rails 3.0.0 [Release Candidate] (unreleased)*
+
+* Add support for multi-subdomain session by setting cookie host in session cookie so you can share session between www.example.com, example.com and user.example.com. #4818 [Guillermo Álvarez]
+
* Removed textilize, textilize_without_paragraph and markdown helpers. [Santiago Pastorino]
+
*Rails 3.0.0 [beta 4] (June 8th, 2010)*
* Remove middleware laziness [José Valim]
View
7 actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
@@ -121,7 +121,12 @@ def call(env)
unless options[:expire_after].nil?
cookie[:expires] = Time.now + options.delete(:expire_after)
end
-
+
+ if options[:domain] == :all
+ top_level_domain = env["HTTP_HOST"].split('.')[-2..-1].join('.')
+ options[:domain] = ".#{top_level_domain}"
+ end
+
request = ActionDispatch::Request.new(env)
set_cookie(request, cookie.merge!(options))
end
View
8 actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -34,6 +34,14 @@ module Session
# integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
# such as 'MD5', 'RIPEMD160', 'SHA256', etc.
#
+ # * <tt>:domain</tt>: Restrict the session cookie to certain domain level.
+ # If you use a schema like www.example.com and wants to share session
+ # with user.example.com set <tt>:domain</tt> to <tt>:all</tt>
+ #
+ # :domain => nil # Does not sets cookie domain. (default)
+ # :domain => :all # Allow the cookie for the top most level
+ # domain and subdomains.
+ #
# To generate a secret key for an existing application, run
# "rake secret" and set the key in config/environment.rb.
#
View
29 actionpack/test/dispatch/session/cookie_store_test.rb
@@ -185,6 +185,35 @@ def test_session_store_with_expire_after
end
end
+ def test_session_store_with_explicit_domain
+ with_test_route_set(:domain => "example.es") do
+ get '/set_session_value'
+ assert_match /domain=example\.es/, headers['Set-Cookie']
+ headers['Set-Cookie']
+ end
+ end
+
+ def test_session_store_without_domain
+ with_test_route_set do
+ get '/set_session_value'
+ assert_no_match /domain\=/, headers['Set-Cookie']
+ end
+ end
+
+ def test_session_store_with_nil_domain
+ with_test_route_set(:domain => nil) do
+ get '/set_session_value'
+ assert_no_match /domain\=/, headers['Set-Cookie']
+ end
+ end
+
+ def test_session_store_with_all_domains
+ with_test_route_set(:domain => :all) do
+ get '/set_session_value'
+ assert_match /domain=\.example\.com/, headers['Set-Cookie']
+ end
+ end
+
private
# Overwrite get to send SessionSecret in env hash

4 comments on commit c4d6245

@splattael

How does this work for .co.uk?

@mitchellh

This appears to not work for ".co.uk" domains. I didn't actually run the test suite against it but just running the code through my head:

env["HTTP_HOST"] = "foo.co.uk"
top_level_domain = env["HTTP_HOST"].split('.')[-2..-1].join('.') # this becomes "co.uk"
options[:domain] = ".#{top_level_domain}"

So the final result is ".co.uk" which is an invalid cookie domain. I don't think there is any clean way to implement this without a blacklist sort of approach (this is how Firefox & Opera validate cookie domains, for example), so I'd recommend we just stick with the manual :domain => ".mydomain.com" approach, which isn't too difficult.

@guillermo

As I said in the lighthouse ticket, this is the simplest aproach, and for 3th level domains, you need to continue using the old approach.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/4818-share-session-between-subdomains#ticket-4818-3

@mitchellh

Ah, I see. I'm okay with that since all my domains are in the ".com" or other single TLD domain. I guess it just concerns me that ":domain => :all" is misleading then for "co.uk" and other users.

Please sign in to comment.
Something went wrong with that request. Please try again.