Rails 7, dynamically setting the session cookie by domain & subdomain

[culov]

I have a Rails 7 app using Devise for authentication, that signs up a new user on the www.my-site.com subdomain and redirects them to the actual app after signup at dashboard.my-site.com. Also, my multi-tenant app gives subdomains to each user, so user-10.my-site.com, which must have it's own separate cookies too.

I wrote custom middleware to solve this problem (mostly outlined in this answer), but it turns out that this doesn't appear to work anymore, since at least Rails 5.

You can try to set the cookie key with env['rack.session.options'][:key] = "my-dynamic-key" or Rails.application.config.session_store :cookie_store, key: "_myapp_session", domain: custom_domain(host), tld_length: 2 - but the actually cookie key on the client never changes. From what I can tell, it's no longer possible to set cookies dynamically using middleware with Rails. The cookie attributes (key, domain, etc.) always remain as the defaults provided when the application begins.

There are plenty of answers on the internet that reference this old way of dynamically setting cookies. But it just doesn't work. I created a new Rails project to ensure that it wasn't something in my project that was breaking it - and alas, the custom middleware didn't work there either.

I've spent the last several days trying to understand why it doesn't work anymore, and what a potential resolution might be, but I have no answers. Does anyone have any ideas?

[ioquatix]

What part of Rack is responsible for this behaviour?

[culov]

I'm having trouble tracking down where problem lies. My understanding, is that I should be able to set env['rack.session.options'][:key] = "new-key" in middleware, and the cookie store session options should to be updated for that particular request. That's not happening. Is my understanding of how it's supposed to work incorrect? Or is perhaps the problem somewhere inside of Rails instead of Rack?

[wtn]

This is a Rails issue more than a Rack issue, so it's better for the Rails Forum or a similar venue.

Rails configuration options generally get set at application boot and aren't intended to be reconfigured dynamically, per request or otherwise. So the current Rails behavior as you described it sounds about right.

You don't need to configure the session store to set a cookie for a specific literal domain name. Instead, let Rails set the cookie either for the current request domain or all subdomains of the current request domain.

My suggestion would be to use a session cookie that includes the base domain and all subdomains:

Rails.application.configure do
  config.session_store :cookie_store, key: '_my_app_session', domain: :all
end

After a successful login, set in the session cookie which subdomain(s) the user has access to:

session[:authorized_tenants] = ['rwcj']

Then, check the authorized tenants before allowing access to resources that require authorization.

Alternately, after a successful login, you can redirect the client to a URI with the desired tenant subdomain and a secure token. The server then validates the token and sets the session cookie for that subdomain only.