Hi,

I have read

But I am unable to get a solution for the following setup:

  • A SaaS Webapp in Rails is running under example.com
  • All users have a subdomain, e.g. user1.example.com
  • Users can create a CNAME forwarding, e.g. exampleapp.user1.com -> user1.example.com

It is all working until a user tries to log in via exampleapp.user1.com. The SaaS app fails to set the session domain right, because it is configured statically on app startup.

config.action_controller.session = {
  :session_key => '_example_session',
  :domain => ".example.com",
  :secret      => 'abc'
}

The request fails with an ActionController::InvalidAuthenticityToken. And that is correct, because the domain changed from .example.com to exampleapp.user1.com.

How do I change the domain config during runtime? I know that the "incoming" domain exampleapp.user1.com belongs to user1, so I want to do something like that in the controller:

session :domain => 'exampleapp.user1.com'

Or can I always set the session domain on the current request domain? I know that it's possible somehow, because some apps provide that functionality.

Thanks in advance!

A: 

Just don't set the domain, since apparently you don't need to share a session cookie across example.com and user1.example.com. By not specifying a domain, the default cookie behavior is just to be set for the current request domain.

Benjamin Curtis
Ok, that is a working solution. A whitelisting-check before cookie creation would have been nice... Now it has to be after cookie creation.
Jesus Leier
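
The allowlist check mentioned in the last comment, combined with the host-only cookie from the answer, as an added example in plain Ruby (not code from this thread or from Rails). `CUSTOM_DOMAINS`, `normalize_host`, `account_for_host` and `session_cookie_header` are hypothetical names, and the domain table is constructed sample data.

```ruby
require 'cgi'

BASE_DOMAIN = 'example.com' # the app's own domain, as in the question
# Constructed sample data: customer CNAME hosts mapped to the owning account.
CUSTOM_DOMAINS = { 'exampleapp.user1.com' => 'user1' }.freeze

# Conservative hostname syntax check (LDH labels, 253 characters at most).
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/
HOSTNAME = /\A(?=.{1,253}\z)#{LABEL}(?:\.#{LABEL})*\z/

# Normalize a raw Host header: lowercase, drop the port and a trailing dot.
# Returns nil when the result is not a syntactically valid hostname.
def normalize_host(raw)
  host = raw.to_s.strip.downcase.sub(/:\d+\z/, '').chomp('.')
  HOSTNAME.match?(host) ? host : nil
end

# Map the request host to an account, or nil when the host is not allowlisted.
# Allowed: registered custom domains and exactly one label under BASE_DOMAIN.
def account_for_host(raw_host, custom_domains = CUSTOM_DOMAINS)
  host = normalize_host(raw_host)
  return nil unless host
  return custom_domains[host] if custom_domains.key?(host)

  suffix = ".#{BASE_DOMAIN}"
  return nil unless host.end_with?(suffix)

  label = host[0...-suffix.length]
  label.include?('.') ? nil : label
end

# Build the Set-Cookie value only for allowlisted hosts. No Domain attribute
# is emitted, so the browser stores a host-only cookie for the request host.
def session_cookie_header(raw_host, session_value)
  return nil unless account_for_host(raw_host)

  "_example_session=#{CGI.escape(session_value)}; path=/; HttpOnly"
end
```

Because the check runs before the header is built, a request with an unknown Host value never receives a session cookie.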