Share Session between subdomains, devise authentication Completed 401 Unauthorized

Question

I have 2 ruby rails apps, each has a devise gem for authentication, my goal is to implement simple SSO (single sign-out), using shared sessions.

one of them with public.admin.com and the other with private.admin.com I am using the following configurations :

session_store.rb

Rails.application.config.session_store :cookie_store, key: '_shared_admin_session', domain: '.admin.com', tld_length: 2

config/secrets.yml

I also use the same secret_key_base value in both applications

devise.rb

config.stretches = 1

config.pepper = ''

application.rb

config.action_dispatch.cookies_serializer = :hybrid

I can sign in for one of them and the session is open once I open the other domain Completed 401 Unauthorized is returned and the opend session is closed and sign out from the first domain.

I've tried with using domain: 'admin.com', domain: :all,and ..session_store :redis_store.., but the same result always.

can anyone please help me find the problem, or suggest a better solution, I will be thankful.

Answer 1

I found the problem, it was simple.

the problem was in use 2 different DBs, after unifying admin table things worked fine.

Answer 2

when you want to share session between domains you would want to do is edit your config/initializers/session_store.rb file to look like this:

APPNAMEGOESHERE::Application.config.session_store :cookie_store, :key => '_tourlyapp_session', :domain => "your_domain_name.com"

The trick here is the :domain option. What this does is sets the level of the TLD (top-level domain) and tells Rails how long the domain is. The part you want to watch out for here is that if you set domain: :all like is recommend in some places, it simply won’t work unless you’re using localhost. :all defaults to a TLD length of 1, which means if you’re testing with Pow (myapp.dev) it won’t work either because that is a TLD of length 2.

I hope that this helps you out