I have a Rails forum product that resides under the subdomains of my customers (i.e. http://forum.customer.com). Their main site has a CMS and an authentication system, and my forum product has a separate authentication system. Is there an elegant way to have "cross-signins" across these systems? I want s开发者_开发技巧omeone already logged into the main CMS to seamlessly (as possible) transition into my product.
It all depends on how the main site keeps track of the user's session.
This is usually done using a cookie; I'm just going to assume it is. The browser stores this cookie with the domain it came from, and will attach it again with any new request going to that domain or a subdomain of it.
You will want to check that the cookie is attached to the customer.com
domain, and not for example www.customer.com
. This is because forum.customer.com
is a subdomain of the former, but not the latter. You won't see the cookie at all in your forum software in the latter case. The CMS software has some control over which exact domain the cookie is attached to.
Most browsers have an option to show you which cookies are stored for a particular site. Firefox, for example, has a “Page info” option in the right click menu. In Chrome, you can hit Ctrl+Shift+I to get to the developer tools, and look under the “Storage” tab.
The cookie likely contains one of the following:
- Actual data, such as the username.
- A session ID that the CMS can look up in it's database, and thus retrieve the username.
In either case, it is also likely a salted hash is included, which prevents the user from tampering with the cookie's data.
You can access the cookie in Rails by name, using simply cookies[:something]
from within your controller. This is documented in ActionController::Cookies, (which is mixed into ActionController::Base
).
Once you have the cookie's data, you'll have to imitate whatever your CMS does. You'll probably have to (in order):
- Verify the cookie's integrity, by (re-)applying a hash function to the cookie data, and comparing that to the hash included with the cookie.
- Connect to the CMS database.
- Possibly query for the session ID.
- Query for the user's profile.
精彩评论