Rails,Devise和多个域 [英] Rails, Devise, and multiple domains
问题描述
example.com,example.net, foobar.com,...
我有一个基于Devise的身份验证系统,以前工作正常。但是,目标是将HTTPS添加到登录系统。问题是,事实证明,没有办法在同一个IP地址**上托管多个HTTPS网站。要解决此问题,我设置登录页面始终POST到 https://secure.example.com 。据我所知,这是正常的。设计似乎没有质量。然而,棘手的部分是用户现在需要重定向到foobar.com,这也需要了解用户登录。我通过该网站返回到登录表单中的隐藏参数,重定向工作正常。我还没有办法通知foobar.com该用户现在已经登录。
我已经设法设置,以便在返回到foobar时。 com,它将用户的secure.example.com的会话cookie复制到foobar.com的新Cookie中。这部分工作正常。然而,在Rails控制台中,对请求secure.example.com和foobar.com的Web请求(每个发送相同的cookie)都会产生两个完全不同的会话,因此,Devise的行为就像用户从未登录过foobar.com
有人知道为什么这不行 - 为什么两个相同的Web请求(只有请求URI的域不同 - 我在Firebug中尝试过,也将在Rails 3应用程序中产生两个完全不同的会话,具有不同但一致的会话ID?更重要的是,有没有人知道如何做这项工作?
*假设,为了本练习的目的,这是不可避免的,网站不能托管所有在不同的子域下,所需域名数量太大,无法为每个域名获取单独的IP地址。
**除非它们是子域名,而且您有*
如果您已经在使用Devise,建议您尝试使用令牌可认证。您可以为有问题的用户生成令牌,使用令牌将其重定向以登录,然后在令牌登录后快速过期。
您还可以尝试使用门卫滚动您自己的OAuth提供商。
Let's say I have an application that's going to be accessed from completely different domains that all point at the same server*:
example.com, example.net, foobar.com, ...
I have a Devise based authentication system that's worked fine before. However, the goal is now to add HTTPS to the sign in system. The problem is, as it turns out, there is no way to host more than one HTTPS website on the same IP address**. To resolve this problem, I set up the login pages to always POST to https://secure.example.com. As far as I can tell, this is working fine. Devise seems to have no qualm with it. However, the tricky part is that the user now needs to be redirected to foobar.com, which also needs to understand that the user is logged in. I pass the site to return to in a hidden parameter in the login form, and the redirection works fine. I still have no way to inform foobar.com that the user is now logged in.
I've managed to set it up so that, upon being returned to foobar.com, it copies the user's session cookie for secure.example.com into a new cookie for foobar.com. This part is working fine. However, in the Rails console, the web requests for secure.example.com and foobar.com - with the same cookie sent for each - produce two completely different sessions and therefore, it's no wonder Devise acts like the user was never logged in to foobar.com
Does anyone know why this wouldn't work - why two identical web requests (only the domain of the request URI was different - I tried it in Firebug, too) would produce two completely different sessions in a Rails 3 app with different, yet consistent, session ids? More to the point, does anyone know how to MAKE this work?
* assume, for the purposes of this exercise, that this is unavoidable and the sites cannot be hosted all under different subdomains, and that the number of domains required is too great to get a separate IP address for each.
** unless they're subdomains and you have an *.example.com cert, but that's beside the point.
If you're already using Devise, I suggest you try using token authenticatable. You can generate a token for the user in question, redirect them with the token to sign in, and then quickly expire the token after they have signed in.
You could also try rolling your own OAuth provider with doorkeeper.
这篇关于Rails,Devise和多个域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
