Sharing session across Rails apps on different subdomains

danilo · May 1, 2013 · Viewed 7.8k times

I am trying to implement a single-sign-on solution for multiple Rails (v3.2) apps hosted at different subdomains of example.com.

One app serves as an identity provider, uses devise for auth, and sits at users.example.com. The other apps rely on the identity provider for authentication, use devise+omniauth, with domains of [app1.example.com, app2.example.com, and example.com]. This blog entry inspired much of my implementation: http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/

I have it working fine, but the problem remains that the sessions are not shared, so after I log in on the identity provider, I still have to make a call from each of the other apps to authenticate, and I need this to be seamless to the user.

I tried using the same secret token at secret_token.rb, same session key at session_store.rb and :domain => :all (also tried '.example.com' and 'example.com' as values). Still no luck.

Doing the above, I see in a session.inspect that after login on the identity provider the session variable "warden.user.user.key" is populated. When I immediately go to the app on app1.example.com, the session.inspect shows the same session_id and _csrf_token but the "warden.user.user.key" variable is now missing.

I feel like I am missing something silly. Any ideas what that may be?

Answer

aruanoc · Sep 4, 2013

I think there is another SO question about getting a single cookie to work across subdomains that would answer yours:

https://stackoverflow.com/a/10403338/2573896

Also, I can imagine that using a memcached cluster with dalli and memcached as your session store would work as well:

http://awesomerails.wordpress.com/2011/08/23/rails-3-memcached-session-store/

For the purpose of your application, the first solution makes more sense though.
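
The two conditions a single cookie shared across subdomains depends on, as an added example that is not code from the question or the answer: the browser must send the cookie to each host (the Domain attribute), and each app must be able to verify its signature (the shared secret). The secret, the JSON serializer (Rails' cookie store uses Marshal) and the sample session value are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Constructed value: every app must load the same secret for this to work.
SHARED_SECRET = "constructed-secret-shared-by-all-apps"

# payload--HMAC layout of a signed cookie session. JSON replaces Rails'
# Marshal serializer here (an assumption made to keep the example small).
def sign_session(data, secret)
  payload = [JSON.generate(data)].pack("m0")
  "#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)}"
end

# Constant-time comparison so the check does not leak where digests differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the signature does not verify.
def load_session(cookie, secret)
  payload, digest = cookie.to_s.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(payload.unpack1("m0"))
end

# RFC 6265 domain matching: no Domain attribute means host-only; with
# Domain=example.com the cookie also goes to every subdomain.
def browser_sends?(request_host, set_by_host, domain_attr)
  return request_host.casecmp?(set_by_host) if domain_attr.nil?
  domain = domain_attr.sub(/\A\./, "").downcase
  host = request_host.downcase
  host == domain || host.end_with?(".#{domain}")
end

# Constructed session value, signed once by the identity provider.
cookie = sign_session({ "warden.user.user.key" => ["User", [1]] }, SHARED_SECRET)
%w[users.example.com app1.example.com app2.example.com example.com].each do |host|
  sent = browser_sends?(host, "users.example.com", ".example.com")
  puts "#{host}: sent=#{sent} session=#{load_session(cookie, SHARED_SECRET).inspect}"
end
```

A cookie scoped to the parent domain is sent to every subdomain, and any app that holds the shared secret can sign a session the others will accept, so the trust boundary becomes the whole domain.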