cross domain cookies Rails 3

I wonder, is it possible to get cookies under another domain rather than my current app's domain name?

I am building an application which accesses another website's API. If the user has already logged in from the other site, my browser will create a cookie under that domain name. For example, if a user logged in under www.example.com, my browser will store a cookie, cookies['token'], under the www.example.com domain. When the user visits my website, www.mywebsite.com, how can I get the cookie under www.example.com in my Rails server?

Any help is highly appreciated.

Someth Victory asked Jun 11 '12 06:06


2 Answers

This can be done, but it requires the client, your website, and your other website to all work together. You have a client that knows how to authenticate to site A. It wishes to view site B as the user it knows how to authenticate against site A with. The basic way to accomplish this is to have the client contact site A, authenticate itself, acquire a token from site A that site B can trust, and then hand that token to site B.

Effectively, you want to build a very specific case of OpenID or OAuth. This is certainly possible, but you're going to need to make some changes to www.example.com in order for it to play along. If you're able to do this, great.

Start by reading everything about OAuth. You don't need to use that exactly (although you could), but it will help explain what you need to do: http://hueniverse.com/oauth/

Brandon Yarbrough answered Sep 22 '22 14:09
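The token hand-off this answer describes, as an added Ruby example that is not part of the original answer: site A mints a short-lived HMAC-signed token after the user has authenticated, the client carries it to site B, and site B verifies it with a secret shared by the two sites. The secret, the function names and the audience strings are assumptions made for the example.

```ruby
require 'openssl'
require 'json'

# Assumed secret shared out-of-band between site A (issuer) and site B (verifier).
# Constructed for this example; a real deployment would keep it in a secrets store.
SHARED_SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Constant-time string comparison so a MAC mismatch leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Site A: after the user authenticated, mint a token that site B can trust.
# The payload names the user, the site it is meant for (audience) and an expiry;
# the HMAC binds all three to the shared secret so none can be altered in transit.
def issue_token(user_id, audience, now: Time.now.to_i, ttl: 300)
  payload = JSON.generate(uid: user_id, aud: audience, exp: now + ttl)
  body = [payload].pack('m0')                       # strict base64, no newlines
  mac = OpenSSL::HMAC.hexdigest('SHA256', SHARED_SECRET, body)
  "#{body}.#{mac}"
end

# Site B: verify a token the client handed over.
# Returns the user id on success, nil for a malformed, tampered, foreign or expired token.
def verify_token(token, expected_audience, now: Time.now.to_i)
  body, mac = token.to_s.split('.', 2)
  return nil if body.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SHARED_SECRET, body)
  return nil unless secure_equal?(mac, expected)    # check the MAC before parsing anything
  payload = JSON.parse(body.unpack1('m0'))
  return nil unless payload['aud'] == expected_audience          # issued for another site
  return nil unless payload['exp'].is_a?(Integer) && payload['exp'] > now  # expired
  payload['uid']
rescue JSON::ParserError, ArgumentError
  nil
end
```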


You can share cookies across different subdomains of a domain but you CANNOT share cookies across multiple domain names.

Cookies are stored by the BROWSER and the browser will not allow you to access or store cookies from external domain names. It would be a huge security flaw if browsers did allow you to do this.

You can, however, share session data that is stored on your server between domain names. This may not be completely trivial, but since session information is stored on the SERVER, you can access the information on the server between apps if needed. If your session data is stored in a database, then all that is required is to give database access to both domains. If need be, you could actually open your database to an external domain name and have the external domain directly connect to the database on your server.

Michael Frederick answered Sep 22 '22 14:09