On 24 Nov 2010, at 15:58, Xdmx Xdmx wrote:
> Mmm.. but in this case you're considering that there are two separate
> applications, but actually there is only one application which manages
> both the main and the external apps/domains.
> The signin/signup page will be on the main address (in order to have a
> correct SSL from the main domain), but then the user will be redirected
> back to the external domain. This shouldn't be a big problem, my worry
> is about the session cookie, having it set on the main domain it would
> refer to it, and it actually won't be in the external one. Otherwise to
> solve it the signup/signin page could be on the external domain too, but
> without an SSL page it wouldn't be so cool (actually it would be better
> on every page, but I'm worried that it would overcomplicate a lot all the
> system)
The simple fact of the matter is that sessions can only be created on
the domain in the URL (subdomains can share a session, but the domain
is still the same).
In your case, if a secure page to log in is a requirement and you don't
want to buy a certificate for every single domain that registers your
app, you will have to use some form of interdomain communication to
authenticate the session in the external domain. It doesn't matter if
the authentication is actually in the same app or a separate one. The
domain is the unique identifier here, not the app itself. (And SSL
certificates shouldn't be implemented for coolness, but I get your
point ;-))
I have quite a bit of other stuff on my mind right now, but something
like this comes to mind:
- Browse to external domain http://external.domain.com/
- No session => redirect to main domain login page (passing in the
  originating domain as a parameter):
  https://maindomain.com/login?domain=external.domain.com
- User enters login data, your app verifies the credentials and writes
  an expiring token (a few seconds should be enough) to the user table
  for the user logging in and then redirects to
  http://external.domain.com/login?token=af8117c03b3f01b20b9360f2fb5fee57
- Your external domain will be able to verify which user it's about
  and build the session on the external domain.
It's very important here that the token you use expires fairly quickly
so sessions can't be hijacked.
Maybe some people will read this and raise some security concerns that
I haven't thought of, but as I said, I'm just saying what comes to
mind without thinking much further :-)
Best regards
Peter De Berdt
--
You received this message because you are subscribed to the Google Groups "Ruby on
Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
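The token handoff Peter sketches above, written out as an added example (it is not code from the thread or from Rails). It is plain Ruby with an in-memory hash standing in for the "user table" column, and a `clock` lambda so expiry can be tested deterministically. Beyond the email's "expire it in a few seconds" rule it adds three defensive checks a practitioner would want on this flow: the token is generated with SecureRandom, it is bound to the originating domain passed in `?domain=`, and it is deleted on first use so a token that leaks through a referrer or proxy log cannot be replayed. The class and method names (`HandoffTokens`, `issue`, `consume`, `redirect_url`) are my own assumptions.

```ruby
require 'securerandom'
require 'openssl'

# Short-lived, single-use handoff tokens for logging a user in on an
# external domain after authenticating on the main HTTPS domain.
# Constructed example: the "user table" is an in-memory Hash here.
class HandoffTokens
  TTL_SECONDS = 5 # the email's "a few seconds should be enough"

  # clock: a callable returning the current Time (injectable for tests)
  def initialize(clock: -> { Time.now })
    @clock = clock
    # Keyed by the SHA-256 digest of the token, so a dumped table does
    # not hand out usable tokens. Values: { user_id:, domain:, expires_at: }
    @store = {}
  end

  # Main domain, after credentials were verified: mint a token for
  # user_id that may only be redeemed from `domain`. Returns the raw token.
  def issue(user_id, domain)
    token = SecureRandom.hex(16) # 128 bits of entropy, hex-encoded
    @store[digest(token)] = {
      user_id: user_id,
      domain: domain,
      expires_at: @clock.call + TTL_SECONDS
    }
    token
  end

  # External domain's /login?token=... endpoint: returns the user id on
  # success, nil on any failure. The entry is deleted before any check,
  # so a token is consumed exactly once whether or not it validates.
  def consume(token, domain)
    entry = @store.delete(digest(token.to_s))
    return nil if entry.nil?                      # unknown or already used
    return nil if @clock.call > entry[:expires_at] # expired
    return nil unless entry[:domain] == domain    # presented on the wrong domain
    entry[:user_id]
  end

  # Build the redirect back to the external domain with a fresh token.
  # http:// as in the email; the external domain has no certificate.
  def redirect_url(user_id, domain)
    "http://#{domain}/login?token=#{issue(user_id, domain)}"
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end

if $PROGRAM_NAME == __FILE__
  tokens = HandoffTokens.new
  url = tokens.redirect_url(42, 'external.domain.com')
  puts "redirect to: #{url}"
  token = url.split('token=').last
  puts "first use  -> user #{tokens.consume(token, 'external.domain.com').inspect}"
  puts "second use -> user #{tokens.consume(token, 'external.domain.com').inspect}"
end
```

The domain check matters because the token travels in a URL: if the main domain redirected to whatever `?domain=` said without binding the token to it, a crafted login link could send a victim's token to a domain the attacker controls. Deleting the entry before validating keeps the "at most once" property even when the check fails.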