What does Rails 3 session_store domain :all really do?

OK, the way to accomplish this is to set the domain on the session cookie dynamically. To do this early enough it should be done as rack middleware:

# Custom Domain Cookie## Set the cookie domain to the custom domain if it's presentclass CustomDomainCookie  def initialize(app, default_domain)    @app = app    @default_domain = default_domain  end  def call(env)    host = env["HTTP_HOST"].split(':').first    env["rack.session.options"][:domain] = custom_domain?(host) ? ".#{host}" : "#{@default_domain}"    @app.call(env)  end  def custom_domain?(host)    host !~ /#{@default_domain.sub(/^\./, '')}/i  endend

I didn't think any of the existing answers directly answered the question in the title so I wanted to chip in.

When the client (browser) goes to a website, the website tells the client to set a cookie. When it does so, it specifies the cookie name, value, domain, and path.

:domain => :all tells Rails to put a dot in front of the cookie domain (which is whatever host your browser has browsed to), such that the cookie applies to all subdomains.

Here is the relevant code from Rails 4.1 (actionpack/lib/action_dispatch/middleware/cookies.rb):

  def handle_options(options) #:nodoc:    options[:path] ||= "/"    if options[:domain] == :all      # if there is a provided tld length then we use it otherwise default domain regexp      domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP      # if host is not ip and matches domain regexp      # (ip confirms to domain regexp so we explicitly check for ip)      options[:domain] = if (@host !~ /^[\d.]+$/) && (@host =~ domain_regexp)        ".#{$&}"      end    elsif options[:domain].is_a? Array      # if host matches one of the supplied domains without a dot in front of it      options[:domain] = options[:domain].find {|domain| @host.include? domain.sub(/^\./, '') }    end  end

I see you've already answered the second part of your question about allowing subdomains to have separate sessions.

tl;dr: Use @Nader's code. BUT I found I needed add it into my conifg/environments/[production|development].rb and pass my dot-prefixed-domain as an argument. This is on Rails 3.2.11

Cookie sessions are usually stored only for your top level domain.

If you look in Chrome -> Settings -> Show advanced settings… -> Privacy/Content settings… -> All cookies and site data… -> Search {yourdomain.com} You can see that there will be separate entries for sub1.yourdomain.com and othersub.yourdomain.com and yourdomain.com

The challenge is to use the same session store file across all subdomains.

Step 1: Use @Nader's CustomDomainCookie code

This is where Rack Middleware comes in. Some more relevant rack & rails resources:

• Railscasts about Rack
• Railsguide for Rack
• Rack documentation for sesssions abstractly and for cookie sessions

Basically what this does is that it will map all of your cookie session data back onto the exact same cookie file that is equal to your root domain.

Step 2: Add To Rails Config

Now that you have a custom class in lib, make sure are autoloading it. If that meant nothing to you, look here: Rails 3 autoload

The first thing is to make sure that you are system-wide using a cookie store. In config/application.rb we tell Rails to use a cookie store.

# We use a cookie_store for session dataconfig.session_store :cookie_store,                     :key => '_yourappsession',                     :domain => :all

The reason this is here is mentioned here is because of the :domain => :all line. There are other people that have suggested to specify :domain => ".yourdomain.com" instead of :domain => :all. For some reason this did not work for me and I needed the custom Middleware class as described above.

Then in your config/environments/production.rb add:

config.middleware.use "CustomDomainCookie", ".yourdomain.com"

Note that the preceding dot is necessary. See "sub-domain cookies, sent in a parent domain request?" for why.

Then in your config/environments/development.rb add:

config.middleware.use "CustomDomainCookie", ".lvh.me"

The lvh.me trick maps onto localhost. It's awesome. See this Railscast about subdomains and this note for more info.

Hopefully that should do it. I honestly am not entirely sure why the process is this convoluted, as I feel cross subdomain sites are common. If anyone has any further insights into the reasons behind each of these steps, please enlighten us in the comments.