Hi,

Had a quick question regarding the piggyback SSL implementation. We
have a very standard Rails application hosted on Heroku with a custom
domain. Users can log into our site and we're using Authlogic for
handling user login.

Without using any SSL, the login works fine because the login form
simply posts the user's login credentials back to Heroku using our
custom domain name.

However, when we enable the piggyback SSL, we obviously have to fall
back to posting the login form to our heroku.com subdomain. The user
login now fails because we're posting login credentials to our Heroku
subdomain via SSL (which the auth cookies are stored under), yet
redirecting the user post-login to a page back under our custom domain
(which doesn't have the auth cookies).

If, post-login, we keep the user on our Heroku subdomain then
authentication continues to work as expected. So clearly the problem
is that the actual, SSL encrypted login is occurring under one domain,
but the subsequent redirect is occurring on our custom domain. Since
the original auth cookie is only under the Heroku subdomain, the user
is effectively not logged in for browsing using our custom domain.

As much as we love Heroku, we'd ideally like to keep the custom domain
name the only one visible in the address bar.

The only way I can see to work around this is to pass a perishable
token in a URL string as part of a redirect from the Heroku subdomain
to our custom domain, then set the cookie once we're back under our
custom domain. This effectively follows the model of how things would
work if the user did not have cookies enabled.

I'm just wondering if people have any other ideas on how to get around
this.

Thanks in advance for any comments or suggestions.
Kenny
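The perishable-token handoff Kenny proposes, as an added example (plain Ruby, not code from the post, from Heroku or from Authlogic): the SSL host issues a token after a successful login, redirects to the custom domain with it in the URL, and the custom domain redeems it once to set its own session cookie. The class name, the in-memory store and the 60-second lifetime are assumptions; the point it demonstrates is that a token carried in a URL must be single-use, short-lived and stored only as a digest.

```ruby
require "securerandom"
require "digest"

# Added example, not from the original post. A one-time "handoff token" store:
# issue() runs on the Heroku subdomain after the SSL login succeeds, redeem()
# runs on the custom domain before its session cookie is set. Both hostnames
# point at the same app, so one store is shared. Storage is an in-memory Hash
# here; a Rails app would use a DB table or Redis (assumption).
class HandoffTokenStore
  TTL_SECONDS = 60  # short lifetime: the token travels in a URL (Referer, logs)

  def initialize(clock: -> { Time.now })
    @clock = clock            # injectable clock so expiry can be exercised
    @tokens = {}              # digest => { user_id:, expires_at: }
  end

  # Issue a token for a user who just authenticated on the SSL host.
  # Only the SHA-256 digest is stored, so a leaked store yields nothing usable.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)   # 256 bits of randomness
    @tokens[digest(token)] = {
      user_id: user_id,
      expires_at: @clock.call + TTL_SECONDS
    }
    token
  end

  # Redeem on the custom domain: returns the user_id exactly once,
  # nil on a replayed, unknown or expired token.
  def redeem(token)
    entry = @tokens.delete(digest(token))   # delete first: single use, even if expired
    return nil if entry.nil? || @clock.call > entry[:expires_at]
    entry[:user_id]
  end

  # Build the redirect target for the custom domain (path name is an assumption).
  def self.redirect_url(custom_host, token)
    "https://#{custom_host}/session/handoff?token=#{token}"
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

On the custom domain, redeem the token, set the session cookie, then redirect again to a clean URL so the token does not stay in the address bar or browser history.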