Allow sessions to work across subdomains #8090
Codecov Report
@@ Coverage Diff @@
## master #8090 +/- ##
==========================================
- Coverage 93.21% 93.15% -0.07%
==========================================
Files 645 646 +1
Lines 18161 18176 +15
==========================================
+ Hits 16928 16931 +3
- Misses 1233 1245 +12
Currently sessions set on (www.openfoodnetwork.xxx) are not usable on the bare domain (openfoodnetwork.xxx). When transitioning from one to the other, the user's session is completely lost. This change means sessions on subdomains (including www) will be transferable.
This checks if the current request has been submitted using the old session key (_session_id) and transparently migrates the session id to a new session cookie with the new settings and the new key (_ofn_session_id).
The session cookie is now named `_ofn_session_id` instead of `_session_id`.
Looks good, this will be really nice to have. 👍
@@ -1,10 +1,11 @@ | |||
# Be sure to restart your server when you modify this file. | |||
|
|||
# The cookie_store can be too small for very long URLs stored by Devise. | |||
# The maximum size of cookies is 4096 bytes. | |||
#Openfoodnetwork::Application.config.session_store :cookie_store, key: '_openfoodnetwork_session' |
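Review bot: the last line of this hunk keeps the old `session_store :cookie_store` call as a comment, and the two comment lines above it only explain why the cookie store was not suitable. Delete the commented-out call and reword the header comment to say what the file now configures, so the next reader does not take `_openfoodnetwork_session` for a live cookie name.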
Commented code 👃 🔥
Openfoodnetwork::Application.config.session_store( | ||
:active_record_store, | ||
key: "_ofn_session_id", | ||
domain: :all, |
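Review bot: `domain: :all` on the `session_store` call widens the scope of `_ofn_session_id` from the single host to every subdomain of the site's domain, not just `www`. Before merging, confirm that each subdomain on the deployed hosts is served by this app or is trusted with the session id, and consider adding a short comment next to `key: "_ofn_session_id"` stating that the rename away from the old key is deliberate, since the reason is recorded only in the review thread.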
This is the line that does the magic, correct? By passing these additional arguments it shares cookies across all subdomains?
Yeah, the `domain: :all` and `tld_length: 2` options mean the session cookie will work across any subdomains.
The name change is necessary here, as you can't modify the primary attributes of an existing cookie with the same name. If we didn't do it the changes wouldn't take effect until the user fully logged out and back in, and we don't know when that would happen.
I've followed the test procedure, but I have not seen a change in the cookie name. Am I looking at the wrong place? Before deployment: After:
@RachL you also have
@sigmundpetersen you are a ⭐ 🤗 I need new glasses!! That being said it does not 100% validate the test. So I will wait for @Matt-Yorkley or @andrewpbrett to confirm this can move to ready to go :)
The biggest thing is that the value of the cookie didn't change, but it does look like we were expecting the old cookie to be deleted. I'd wait until @Matt-Yorkley can take a look to see why that might not have worked as expected.
Weird, it was working when I tested it. I did notice the storage/cookies section in the browser console in Firefox sometimes doesn't show updated values until you close it and re-open it... seems like a minor bug in Firefox 🤷‍♂️ I'll take another look. We shouldn't merge it if the old cookie is not removed 👍
I just retested with both Chrome and Firefox, and the old session cookie was correctly removed. It didn't show the change correctly in Firefox until I closed and reopened the dev toolbar (as mentioned above).
@Matt-Yorkley indeed, I have just re-tested. All good, this is ready to go!
What? Why?
First part of dealing with openfoodfoundation/ofn-install#643
Allows session storage to work across subdomains of the main host. This includes `www.`, which is technically a subdomain. After this we should be able to implement a redirect without destroying all active sessions when we introduce it. 💪
Review note: the `SessionCookieUpgrader` code is temporary; we can remove it after it's been in production for a week or so.
What should we test?
`_session_id` and it should have a long random set of numbers and letters. Note it down.
`_ofn_session_id` and the long random identifier should be the same.
Release notes
Enabled sessions to pass seamlessly between subdomains, including www
Changelog Category: Technical changes
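
An added example of the cookie migration this pull request describes, written as a standalone Rack-style middleware; it is not the project's `SessionCookieUpgrader`. The class name, the session-id pattern, the cookie attributes, the `.example.test` domain used when calling it, and the Rack 3 header shape (lowercase `set-cookie` with an array value) are assumptions.

```ruby
# Illustration only: hypothetical class, standard library only.
class CookieKeyMigrator
  # Assumed id format; only values that look like a session id are carried over.
  SESSION_ID = /\A[A-Za-z0-9]{16,128}\z/

  def initialize(app, old_key:, new_key:, domain:)
    @app = app
    @old_key = old_key
    @new_key = new_key
    @domain = domain
  end

  def call(env)
    cookies = parse(env["HTTP_COOKIE"])
    legacy = cookies.delete(@old_key)
    return @app.call(env) if legacy.nil?

    # Carry the id over only if it is well-formed and no new-style cookie exists.
    carry = legacy.match?(SESSION_ID) && !cookies.key?(@new_key)
    cookies[@new_key] = legacy if carry
    # Downstream session handling now sees the id under the new key.
    env["HTTP_COOKIE"] = cookies.map { |name, value| "#{name}=#{value}" }.join("; ")

    status, headers, body = @app.call(env)
    issued = Array(headers["set-cookie"])
    if carry
      # Same value, new name, wider Domain scope.
      issued << "#{@new_key}=#{legacy}; Domain=#{@domain}; Path=/; Secure; HttpOnly; SameSite=Lax"
    end
    # Expire the legacy cookie. It was host-only, so no Domain attribute here:
    # a deletion only matches a cookie with the same name, domain and path.
    issued << "#{@old_key}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    [status, headers.merge("set-cookie" => issued), body]
  end

  private

  # Parse a Cookie request header into a name => value hash (first value wins).
  def parse(header)
    header.to_s.split(/;\s*/).each_with_object({}) do |pair, out|
      name, value = pair.split("=", 2)
      out[name] ||= value if name && value
    end
  end
end
```

The test procedure in the thread maps onto this directly: after one request the browser should hold the same identifier under the new name and no longer hold the old cookie.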