Posted a previous question on this, but have a follow-up. I was trying to create a workaround to use SSL without the expensive custom domain. I'm willing to live with bumping a user to https://app.heroku.com from http://www.app.com for certain secure pages, and have monkey-patched SSL required to make this happen. However, now the issue is with making sure my User is logged in when I do so. As I understand, cookies aren't cross-domain. Is there a way around this issue?
Was dealing with this issue just now - no, the session isn't passed. You can do some hacking with iframes etc., but then you'll get a security warning that not everything on the page is secured...
You can't pass anything cross-domain if you want to keep it secure...
The only way I found is to pass a custom-made authenticity_token in the URL + the user_id of the https page (you can just do md5("#{user.id} The Secret")) and check if you get the same result on the https page...
Not too complicated to do, but a little ugly...
In my case it's a payment page, so I don't really care if the user is logged in, because if someone hacks it - he will just end up paying for someone else :)
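The URL-token handoff described in the answer above, written out as an added example (not the poster's code): the http side signs the user id together with a timestamp using an HMAC over a shared secret, and the https side verifies the signature in constant time and rejects tokens older than a short TTL, so a copied URL cannot be replayed indefinitely. The secret, TTL and parameter names are assumptions for the example.

```ruby
require 'openssl'

# Shared secret known to both hostnames of the same app (http://www.app.com and
# https://app.heroku.com). Placeholder value, constructed for this example.
HANDOFF_SECRET = 'replace-with-a-long-random-secret'
HANDOFF_TTL    = 120 # seconds a handoff token stays valid (assumed)

# Constant-time string comparison so a timing side channel does not leak
# how many leading bytes of the signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called on the http side before redirecting: returns the query parameters
# to append to the https URL for the given user.
def build_handoff(user_id, now = Time.now.to_i, secret = HANDOFF_SECRET)
  payload = "#{user_id}:#{now}"
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  { 'uid' => user_id.to_s, 'ts' => now.to_s, 'sig' => sig }
end

# Called on the https side: returns the user id if the token is well-formed,
# recently issued and correctly signed, otherwise nil (treat as logged out).
def verify_handoff(params, now = Time.now.to_i, secret = HANDOFF_SECRET, ttl = HANDOFF_TTL)
  uid, ts, sig = params.values_at('uid', 'ts', 'sig')
  return nil unless uid && ts && sig
  return nil unless uid.match?(/\A\d+\z/) && ts.match?(/\A\d+\z/)
  return nil if (now - ts.to_i).abs > ttl # expired, or clocks far apart
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{uid}:#{ts}")
  return nil unless secure_equal?(sig, expected)
  uid.to_i
end

if __FILE__ == $0
  params = build_handoff(42)
  puts "redirect to https://app.heroku.com/secure?" +
       params.map { |k, v| "#{k}=#{v}" }.join('&')
  puts "verified user: #{verify_handoff(params).inspect}"
end
```

The https side should still create its own session cookie once the token verifies, so the handoff parameters are used exactly once and never appear in later URLs.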
Well, you can try http://www.chrisbaglieri.com/2010/01/01/heroku-hacks-ssl.html and see if it fits your need. It is not a perfect solution but it is secure up to a certain level. If you are using different authentication, you may need to implement it yourself.