@lukebooth
Last active February 3, 2016 15:35
Session hijack ourselves

The situation

  • Using Rails 4.1.8
  • People can have a custom domain to use with our app
  • For some actions, we use SSL and redirect them to the domain we provide them

The problem

  • If the person has a custom domain, I want as much of their time using the app to be on that domain
  • I need a way to carry sessions/cookies over to another domain
  • This, for example, will allow them to use ssl to sign in on our domain and I can redirect them back to their custom domain, signed in there

Attempts

  • Using session-injector gem
  • I think more recent versions of Rails have restricted what session-injector does because of security concerns

Solution, but not a great one™

  • Use Devise's after_sign_in_path_for to make the custom domain the host and create an auth token that is attached as a param (quick expiration period)
  • Have a before filter that checks for the token param and logs in the associated user if there is one
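A working sketch of the token handoff described above, written as an added example for this page: it is not the gist author's code and not part of Devise or Rails. The shared secret, the 30-second TTL, the host names and the `/session/handoff` path are assumptions. The token is HMAC-signed, bound to the destination host, expires quickly and is redeemable once, which covers the checks a practitioner would want on anything that logs a user in from a query parameter.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'
require 'set'
require 'uri'

# Cross-domain sign-in handoff token. Added example for this page; not the gist
# author's code and not a Devise or Rails API. Secret, TTL, hosts and the
# /session/handoff path are assumptions made so the example runs offline.
module HandoffToken
  # Assumed shared secret. A real app would read it from Rails secrets or ENV,
  # never a literal; it is hard-coded here only so the example runs stand-alone.
  SECRET = 'example-shared-secret-replace-me'.freeze
  TTL = 30 # seconds: the gist asks for a "quick expiration period"

  # Mint a token for one user, bound to one destination host, with an expiry
  # and a random nonce so it can be redeemed exactly once.
  def self.mint(user_id:, host:, now: Time.now.to_i, secret: SECRET)
    payload = { 'uid' => user_id, 'host' => host, 'exp' => now + TTL,
                'nonce' => SecureRandom.hex(8) }
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    "#{body}.#{sign(body, secret)}"
  end

  # The URL after_sign_in_path_for would return: the customer's host plus the
  # token as a query param (path name assumed).
  def self.handoff_url(user_id, host)
    query = URI.encode_www_form(token: mint(user_id: user_id, host: host))
    URI::HTTPS.build(host: host, path: '/session/handoff', query: query).to_s
  end

  # Verify and redeem, as the before filter on the custom domain would.
  # Returns the user id, or nil if the signature, host, expiry or nonce check
  # fails. `seen` is the replay store (a Set here; in production a cache or
  # DB entry kept until the token's exp has passed).
  def self.redeem(token, host:, seen:, now: Time.now.to_i, secret: SECRET)
    body, sig = token.to_s.split('.', 2)
    return nil if body.nil? || sig.nil?
    return nil unless secure_compare(sign(body, secret), sig)

    payload = begin
      JSON.parse(Base64.urlsafe_decode64(body))
    rescue ArgumentError, JSON::ParserError
      return nil
    end
    return nil unless payload['host'] == host  # minted for another customer's domain
    return nil unless payload['exp'].is_a?(Integer) && now < payload['exp']
    return nil unless seen.add?(payload['nonce'])  # add? is nil when already seen: replay
    payload['uid']
  end

  def self.sign(body, secret)
    OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :sign, :secure_compare
end
```

Redeeming a token only establishes a session on the custom domain; whether the SSL domain keeps its own session after minting is a separate decision this code does not make. Because the token travels in the URL, keep the TTL short and redirect away from the handoff URL immediately after redeeming so it does not linger in history, logs or Referer headers.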

Problems with Solution, but not a great one™

  • This logs the user in on both domains, the one we provide and their custom one
  • Logging out does what you'd expect
  • Logging back in redirects to our provided domain (SSL), which they are still logged into...

I'm looking for a way to get this done similar to how session-injector does it, keeping the logic at a lower level.

@Sacristan

I'm trying to do the same, but with no reliable results.