Prevent session from being shared across subdomains

758 views

Skip to first unread message

Tom Hunter

unread,

Aug 26, 2014, 7:07:41 PM8/26/14

to plataforma...@googlegroups.com

Hi,

Is there a way to prevent Devise sessions from being shared across subdomains in IE? I have an app with several subdomains such as:

dev.example.com

staging.example.com

www.example.com

In all other browsers but IE, sessions are not shared across these 3 subdomains. However, when using Internet Explorer sessions will persist across dev, staging & production subdomains if the same user record is present in the different databases. Using devise (3.2.4) with the following session configs:

Example::Application.config.session_store :cookie_store, key: '_example_session'

I have tried all sorts of combinations to scope the cookie to the subdomain such as:

domain: 'example.com'

domain: '.example.com'

setting tld_length to various sizes, etc.

But I just cannot get the sessions to stop being shared across subdomains in IE. What gives? Anyone have any insight into this?

Thanks in advance!

- Tom

Jason Fleetwood-Boldt

unread,

Aug 26, 2014, 9:25:32 PM8/26/14

to plataforma...@googlegroups.com

Tom-

did you try setting the :domain option explicitly on your session_store configuration ? I think what may be going on for you is that if you don't specify the domain, it will default to "example.com" which IE sees as ".example.com" and then applies to all your subdomains.

You also said "I have tried all sorts of combinations to scope the cookie to the subdomain such as" but your two examples (example.com and .example.com) will actually make that cookie apply to all subdomains. Did you try it with explicitly with the subdomain:

domain: "staging.example.com"

I think perhaps these will help you out --- looks like the second one has an option to do this relatively automatically. Only trick is, you can't actually operate the website at example.com or else you'll get the same overloading of the cookie problem -- you will be forced to use one of the subdomains.

http://stackoverflow.com/questions/10402777/share-session-cookies-between-subdomains-in-rails

http://stackoverflow.com/questions/4060333/what-does-rails-3-session-store-domain-all-really-do

-Jason

--

---
You received this message because you are subscribed to the Google Groups "Devise" group.
To unsubscribe from this group and stop receiving emails from it, send an email to plataformatec-de...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply all

Reply to author

Forward

0 new messages