How to share sessions between apps, having custom login and each app being served through a domain?

Lisandro

Aug 6, 2015, 8:56:17 PM
to web2py-users
I have two web2py apps, and I want the user to log in to one app and stay logged in when accessing the second app. The apps are called demo and demo_panel.
Also, I'm using a custom login method (that is, custom HTML with JavaScript, and handling the controller/function myself).
In addition, I'm serving each app through a different domain (using routes.py). This part works perfectly.

In this scenario, I'm having trouble sharing the session between those two apps. Actually, I have partially achieved all this, except for one problem: when the session expires according to auth.settings.expiration, on Firefox I can't log in anymore until I delete the cookies.

So, I'll go through what I have part by part, and if someone sees something ugly or incorrect, I would really appreciate it if they pointed it out :)


First, this is the section of the custom controller function that handles the login. 
It works ok on Firefox, Chrome, mobile, etc. Don't know if it's the correct way to do it, but it works for me:

# ... after receiving email and password in post vars and checking both are present
usuario = db(db.auth_user.email == request.post_vars.email).select().first()
if not usuario:
    return response.json({'success': False, 'mensaje': 'Email incorrecto'})
elif usuario.registration_key:
    # a non-empty registration_key means the registration is still pending
    return response.json({'success': False, 'mensaje': 'Registro pendiente de confirmar'})
else:
    # login_bare returns the user row on success, False otherwise
    usuario = auth.login_bare(request.post_vars.email, request.post_vars.password)
    if not usuario:
        return response.json({'success': False, 'mensaje': 'Datos de ingreso incorrectos'})
    else:
        session.auth.expiration = auth.settings.expiration
        if request.post_vars.remember_me:
            session.auth.expiration = auth.settings.long_expiration
            session.auth.remember_me = True
            response.cookies[response.session_id_name]["expires"] = session.auth.expiration
        return response.json({'success': True})


According to the book, in order to share sessions between apps, I do this in both apps' models/db.py:
# both apps connect to the same database
db = DAL(
    'postgres://%s:%s@%s/%s' % (DB_USER, DB_PASSWORD, DB_HOST, DB_NAME),
    folder=DATABASES_FOLDER)

# and then connect to session
session.connect(request, response, db=db, masterapp='demo')


In addition, I'm serving each app through a different domain (using routes.py) so apps are served this way:
demo --> served by domain dev.demo
demo_panel --> served by domain panel.dev.demo

From this we can deduce that the browser will handle two cookies, one per domain (I've been inspecting the cookies created with Firefox and Chrome, and it's that way).
So, masterapp='demo' wasn't enough. After logging in to demo_panel, the session wasn't shared when accessing the demo app through the dev.demo domain.
I'm not sure about the technical background of this, but I think it's correct, considering that each app is served through a different domain, so the browser handles that as that: different domains.


However, I had partially resolved the problem by modifying models/db.py like this:

# connecting to the session stays the same as before
session.connect(request, response, db=db, masterapp='demo')

# and these new lines
if response.session_id_name in response.cookies:
    response.cookies[response.session_id_name]['domain'] = 'dev.demo'


OK, don't ask me why I added those lines, I don't remember how I got there. But that got it working. I can log in on the panel.dev.demo domain (demo_panel app), and then I can go to dev.demo (demo app) and I'm still logged in.

The only problem is with Firefox when the session expires according to auth.session.expire.
After that, the first portion of code posted here (the one that handles the custom login) runs OK, no errors, returns success=True, but when the user is redirected to the requested URI, they are requested to log in again. That is, the user can't log in anymore until I delete the browser cookies. This happens only on Firefox.

What could be the problem? Is there something wrong with my custom login? Or a bug handling sessions in Firefox? Thanks in advance!

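
Added example (not part of the original post, and not web2py code): a minimal Python model of the RFC 6265 cookie storage and domain-matching rules, showing why a session cookie set by panel.dev.demo without a Domain attribute never reaches dev.demo, and how a leftover host-only cookie and a Domain=dev.demo cookie with the same name are both sent to panel.dev.demo. The cookie name session_id_demo and the session ids are constructed assumptions, and the model ignores expiry, Secure and public-suffix checks.

```python
from http.cookies import SimpleCookie

def domain_match(host, domain):
    """RFC 6265 5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class CookieJar:
    """Tiny model of a browser cookie store (RFC 6265 5.3), ignoring expiry."""

    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, request_host, header):
        """Store the cookies of one Set-Cookie header received from request_host."""
        for name, morsel in SimpleCookie(header).items():
            domain = morsel["domain"].lstrip(".").lower()
            if domain and not domain_match(request_host, domain):
                continue  # a host may not set cookies for an unrelated domain
            host_only = not domain  # no Domain attribute: bound to the exact host
            key = (name, domain or request_host, morsel["path"] or "/")
            self.store[key] = (morsel.value, host_only)

    def sent_to(self, host, name):
        """Values of cookie `name` that would be sent in a request to host."""
        values = []
        for (n, domain, _path), (value, host_only) in self.store.items():
            ok = host == domain if host_only else domain_match(host, domain)
            if n == name and ok:
                values.append(value)
        return values

NAME = "session_id_demo"  # assumed cookie name; the ids below are constructed

def host_only_case():
    """Cookie set by the panel app with no Domain attribute."""
    jar = CookieJar()
    jar.set_cookie("panel.dev.demo", NAME + "=stale-id; Path=/")
    return jar.sent_to("panel.dev.demo", NAME), jar.sent_to("dev.demo", NAME)

def shared_plus_stale_case():
    """A Domain=dev.demo cookie stored while an older host-only one remains."""
    jar = CookieJar()
    jar.set_cookie("panel.dev.demo", NAME + "=stale-id; Path=/")
    jar.set_cookie("panel.dev.demo", NAME + "=fresh-id; Domain=dev.demo; Path=/")
    return jar.sent_to("panel.dev.demo", NAME), jar.sent_to("dev.demo", NAME)

if __name__ == "__main__":
    print(host_only_case())
    print(shared_plus_stale_case())
```

Two entries with the same name listed for panel.dev.demo in the browser's cookie inspector is the condition the second case models; the post itself does not establish that this is what Firefox was doing.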