Correct way to share login sessions across subdomains in Rails 3?


Problem description


All the info I've found on the internet about this says to use something like


Login::Application.config.session_store :cookie_store, :key => '_login_session', :domain => '.domain.com'


And use the same key for all the subdomains that I want to share that session. When I do this, the authentication is not being passed between subdomains. In fact, when I visit any of the supposedly shared sessions, the initial session gets overwritten.


i.e. on login.domain.com, I run the authentication, which returns the user name and session user_id. I then go to sub.domain.com, which should return the same info as login.domain.com, but does not. Following this, I go back to login.domain.com and I am no longer authenticated there, either.


On sub.domain.com, the session_store.rb file looks like:


Something::Application.config.session_store :cookie_store, :key => '_login_session', :domain => '.domain.com'


I have used :all for the :domain value, as well, with the same outcome. And if I remove the :domain setting on the above, then the initial session does not get overwritten, but it also does not get shared.


When I look at the cookies in Cookie Editor for Firefox, both subdomains are using the same cookie name, but the authentication is not being shared. It's a pretty basic Users table, and I am using OpenID and OAuth to perform authentication with Omniauth.
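The following is an added example (not code from the question or from Rails itself) that models the two pieces at play here: the Rails 3 cookie store signs the serialised session with HMAC-SHA1 under each application's secret_token, and the browser scopes the resulting cookie by its Domain attribute. It simulates the constructed scenario from the question (login.domain.com and sub.domain.com, both using key _login_session) to show that a shared cookie name and :domain are not enough when the two apps sign with different secrets: the second app cannot verify the first app's cookie, discards it, and writes a fresh empty session under the same name and domain, which is the "overwritten" symptom; a host-only cookie (no :domain) is instead simply never sent to the other subdomain.

```ruby
require 'openssl'
require 'base64'

# Rails 3 cookie store format: base64(Marshal.dump(session)) + '--' + HMAC-SHA1(secret_token).
def sign_session(secret, session)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Returns the session hash, or nil when the signature does not verify under this
# app's secret (Rails then treats the cookie as invalid and starts a new session).
def load_session(secret, cookie_value)
  data, sig = cookie_value.to_s.split('--', 2)
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data.to_s)
  return nil unless sig && sig.bytesize == expected.bytesize &&
                    sig.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  Marshal.load(Base64.strict_decode64(data))
end

Cookie = Struct.new(:name, :value, :domain)

# Browser-side cookie jar: RFC 6265 domain matching (a leading dot is ignored), and a
# Set-Cookie with the same name and domain replaces the stored cookie.
class Jar
  def initialize; @cookies = []; end
  def set(c)
    @cookies.reject! { |o| o.name == c.name && o.domain == c.domain }
    @cookies << c
  end
  def for(host)
    @cookies.select { |c| d = c.domain.sub(/\A\./, ''); host == d || host.end_with?(".#{d}") }
  end
end

# Constructed scenario: login.domain.com authenticates user 42, then the browser visits
# sub.domain.com, then returns to login.domain.com. `domain` is the :domain both apps use;
# a host-only value (no leading dot) means each app's cookie is scoped to its own host.
def simulate(login_secret, sub_secret, domain)
  jar = Jar.new
  sub_domain = domain.start_with?('.') ? domain : 'sub.domain.com'
  jar.set(Cookie.new('_login_session', sign_session(login_secret, { 'user_id' => 42 }), domain))
  sent = jar.for('sub.domain.com').find { |c| c.name == '_login_session' }
  sub_session = sent && load_session(sub_secret, sent.value)
  # Missing or unverifiable cookie: sub.domain.com writes a fresh empty session of its own.
  jar.set(Cookie.new('_login_session', sign_session(sub_secret, {}), sub_domain)) if sub_session.nil?
  back = jar.for('login.domain.com').find { |c| c.name == '_login_session' }
  login_session = back && load_session(login_secret, back.value)
  { sub_sees: sub_session && sub_session['user_id'],
    login_sees_afterwards: login_session && login_session['user_id'] }
end
```

With different secrets and :domain => '.domain.com' both sides end up unauthenticated; with the same secret_token in both apps the user_id is visible on both subdomains, and with a host-only cookie login.domain.com keeps its session but nothing is shared.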

Recommended answer


Update: the suggested solution is not that ugly after all; ad exchanges and DSPs/SSPs use the same technique to exchange a visitor's session ID so they can better target the visitor with ads (the next time that visitor pops up in their network again).


If you can circumvent the browser cross-domain barrier, you can do it. For example, JSONP is specifically built for this purpose. And yes, session info is always stored centrally, otherwise if you get a request with a session ID of "zigzag", how can you check if it is valid?


"Those" sites that authenticate on login.domain.com might use an Ajax proxy, or use other methods to get through the cross-domain problem.


The oldest "trick" is to create a hook in your application that looks like an image, as images can be loaded from everywhere.


For example, on login.domain.com you authenticate the user, sent to the server and back with a response, and a cookie will be stored under login.domain.com with the session ID (which is stored in the server as well). Then, from JavaScript, you GET an image with the session ID attached, like http://any.domain.com/path/image.jpg?sessionID=abcd; any cookies sent back in the response will be stored under any.domain.com.


Another solution (which is as ugly as the previous one) is to use a hidden iframe to call any.domain.com when a successful authentication happens; that request will return a response, and its cookies will be written under the any.domain.com domain.


If you have a multitude of subdomains, and you can complicate your architecture a bit, I highly advise that you create a proxy and make it available to every subdomain on the same IP address. Then no matter where the user comes in, the authentication process will always be the same, for every subdomain.
