切换到新域名时保留用户会话（Ruby on Rails） [英] Persisting user sessions when switching to a new domain name (Ruby on Rails)

问题描述

我的Rails应用目前可在 example.org 上使用，但我要切换到 example.com

在 routes.rb 中执行通配符301重定向不是问题，但我想继续用户会话。由于新网域无法访问旧网域的Cookie，因此将用户重定向到新网域并仍然有他/她登录的最佳方式是什么（最安全，最简单）？

我发现很多线程谈论使用复杂的身份验证令牌方法设置跨域Web应用程序，但我正在寻找一次性单向迁移，

我使用的是Ruby on Rails，这是一个很好的解决方案。 3，OmniAuth，并使用默认的cookie_store作为会话存储。

解决方案

当您可能发送带有身份验证令牌的电子邮件链接时。检查以确认 example.org 上的Cookie是否正确，如果是，请将其重定向到：

  http://example.com?token=<their令牌> 
  

，然后检查以确保令牌与您在DB中获得的令牌匹配。如果令牌不匹配，请为 example.com 域创建会话Cookie，然后更改数据库中的令牌。

这将成功地从一个域转移到另一个域，同时通过更改数据库中的身份验证令牌来提供对新域的持久登录（通过cookie）和关闭后门。

EDIT

为了回答您的问题，我不认为您需要中间件或任何想法。您可以在example.org的应用程序控制器中进行一个简单的过滤，例如：

  before_filter：redirect_to_dot_com 
 ... 
 def redirect_to_dot_com 
 url =http://example.com+ request.fullpath 
 url = destination +（url.include？（'？'）？'& '：'？'）+token =＃{current_user.token}如果signed_in？ 
 redirect_to url，status：301 
 end 
  

如果用户在.org网站上登录，则将该令牌附加到查询。

My Rails app is currently available at example.org, but I want to switch to example.com

Doing a wildcard 301 redirect in routes.rb isn't a problem, but I would like to persist the user sessions as well. Since the new domain won't have access to the cookies of the old domain, what's the best (secure and as easy as possible) way to redirect the user to the new domain and still have him/her signed in?

I've found numerous of threads talking about setting up cross-domain web apps using complicated authentication tokens methods, but I'm looking for a one-time one-way migration so I'm hoping the solution will be simpler for this.

Any suggestions?

I'm using Ruby on Rails 3, OmniAuth, and using the default 'cookie_store' as my session store.

解决方案

You could just do it the same way as when you might send an email link with an authentication token. Check to verify that the cookie is correct on example.org and, if it is, redirect them to:

http://example.com?token=<their token>

and then check to make sure the token matches the one you have in the DB when they arrive. If the token does match, create the session cookie for the example.com domain and then change the token in the database.

This will successfully transfer from one domain to another while providing persistent login on the new domain (via cookie) and shutting the door behind them by changing the authentication token in the DB.

EDIT

To answer your question below, I don't think you need middleware or anything fancy. You could do a simple before filter in the application controller of example.org, something like:

before_filter :redirect_to_dot_com
...
def redirect_to_dot_com
  url = "http://example.com" + request.fullpath
  url= destination + (url.include?('?') ? '&' : '?') + "token=#{current_user.token}" if signed_in?
  redirect_to url, status: 301
end

That will redirect the user either way, and append the token to the query if the user is signed in on the .org site.

这篇关于切换到新域名时保留用户会话（Ruby on Rails）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！