Change Rails session cookie domain without logging users out

Question

I'm using Rails 4.2.2 (with Devise 3.4.1) and am changing the cookie_store domain from www.boundless.dev to .boundless.dev in order to share the same session across all of our subdomains (single sign-on).

Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: '.boundless.dev'

If I make this change alone. Existing logged-in users who return to the site will end up with 2 _boundless_session cookies, one with domain boundless.dev and the other with www.boundless.dev. Somehow this makes logging out impossible.

Is it possible to make this change without logging all users out of the site?

I thought that I'd be able to write a method as a before_filter in my ApplicationController to delete the session cookie and replace it with a new one at .boundless.dev, but it doesn't work, and I suspect it has something to do with the remember_user_token cookie.

def update_session_cookie_domain
  session_cookie = cookies['_boundless_session']
  cookies.delete('_boundless_session', domain: 'www.boundless.dev')
  cookies['_boundless_session'] = {
    value: session_cookie,
    domain: '.boundless.dev'
  }
end

Answer 1

I was able to solve this problem by changing the cookie name used for the session.

So the original config was:

Boundless::Application.config.session_store :cookie_store, key: '_boundless_session', domain: 'www.boundless.dev'

And I changed it to:

Boundless::Application.config.session_store :cookie_store, key: '_boundless_session_NEW', domain: '.boundless.dev'

I expected this to log users out, but it doesn't for some reason that I don't quite understand.

Unfortunately, I've yet to find a way to clear the old _boundless_session cookie, but at least now I can log out after having my session cookie updated to the more general domain.