How to maintain user authentication/sessions across multiple applications?
I am using Ruby on Rails 3 and I have 3 web applications:
<site_name>.com
users.<site_name>.com
resources.<site_name>.com
Note: at this time I have the applications on the same server, but in the future I can choose to deploy them on separate web servers. So, I would prefer not to use the common solution:
config.session_store :cookie_store, :key => '<whatever key>', :domain => :all
Consider this in your answer.
I would like to handle user authentication/sessions across all of those applications so that a user has to authenticate only once. That is, I would like to sign a user in on users.<site_name>.com
and then maintain that session while browsing the other applications.
So, my questions are:
What do you advise in order to implement this? Should I write my own code or use gem(s)/plugin(s)? If the latter, which combination of gem(s)/plugin(s) do you advise?
I have heard of the OAuth protocol: in my case (even if at this time I only need to authorize users through my own applications), is it right to use that? If so, what gem(s)/plugin(s) can I use to achieve that?
If you're always going to have these servers on *.<site_name>.com then you could use a cookie written to the <site_name>.com scope to track and authenticate this user. Obviously you do have to be careful about this and make sure that a) the cookie is transferred via HTTPS (secure cookie) and b) each server validates the cookie via some sort of web service.
I suggest looking into Warden and the warden_rails gem. On top of this basic well documented authentication foundation you can write "strategies" to validate users using a cookie and read in the session information from a central datasource.
If they all run under the same domain, the easiest would be to make sure your cookies are valid for all subdomains. In your production.rb:
config.session_store :cookie_store, :key => '<whatever key>', :domain => :all
The :domain => :all option causes your cookies to be valid across all subdomains. Just make sure the key and also your session secret token are the same in all apps.
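Added example (not code from either answer or from Warden): a minimal parent-domain SSO cookie that users.<site_name>.com issues after login and that every sibling application verifies locally with a shared secret, covering the two points raised above (Secure/HttpOnly cookie at the parent scope, and the same secret in all apps). It assumes a constructed domain ".example.com" standing in for <site_name>.com, an HMAC-SHA256 signature with an expiry, and a hypothetical shared secret distributed out of band; the verify function is written so it could be called from a Warden strategy.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Shared secret every application must hold (assumption: distributed out of band).
SSO_SECRET = 'replace-with-a-long-random-secret-shared-by-all-apps'
SSO_COOKIE = 'sso_session'
SSO_DOMAIN = '.example.com' # constructed stand-in for <site_name>.com

def sso_sign(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SSO_SECRET, payload)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issued by users.<site_name>.com after a successful login: "<base64 claims>.<hmac>".
def sso_issue(user_id, ttl: 3600, now: Time.now.to_i)
  claims = { uid: user_id, exp: now + ttl, nonce: SecureRandom.hex(8) }
  payload = Base64.urlsafe_encode64(JSON.generate(claims))
  "#{payload}.#{sso_sign(payload)}"
end

# Set-Cookie value: parent-domain scope so sibling subdomains receive it,
# Secure + HttpOnly so it only travels over HTTPS and is hidden from page scripts.
def sso_set_cookie(token)
  "#{SSO_COOKIE}=#{token}; Domain=#{SSO_DOMAIN}; Path=/; Secure; HttpOnly"
end

# Run by every application before trusting the cookie. Returns the user id or nil
# for a malformed, tampered or expired token.
def sso_verify(token, now: Time.now.to_i)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless constant_time_equal?(sig, sso_sign(payload))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil if claims['exp'].to_i <= now
  claims['uid']
rescue ArgumentError, JSON::ParserError
  nil
end
```

Every application still needs a way to revoke sessions before the expiry (the central datasource mentioned above), since a signed cookie alone stays valid until it expires.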