I'm trying to share a Devise session cookie for authentication purposes between two Rails apps on the same TLD but living on different subdomains. One app is v4.2.11.1, and the other is v6.0.3.2. I want to login on the Rails 4 app, and access the authenticated user info in the Rails 6 app. The session cookie is set fine when logging in on the Rails 4 app, but it seems to get completely wiped out/reset when trying to access it in the Rails 6 app.
- The cookie domain is .example.com.
- tld_length is set to 2 in both apps.
- The cookies serializer is :marshal in both apps.
- secret_key_base is the same in both apps. In the Rails 4 app, it is set via the ENV['SECRET_KEY_BASE'] env var. In the Rails 6 app, it's set via Rails credentials, e.g. config/credentials/<env>.yml.enc.
- Devise.secret_key is the same in both apps.

There might be other things going on in your specific case, but it is worth noting that there have been two backward-incompatible changes to session cookies since Rails 4 that you'll need to look at.
To improve security, Rails now also embeds the expiry information in the encrypted or signed cookie value. This new embedded information makes those cookies incompatible with versions of Rails older than 5.2. If you require your cookies to be read by Rails 5.1 and older, or you are still validating your 5.2 deploy and want to be able to roll back, set Rails.application.config.action_dispatch.use_authenticated_cookie_encryption to false.
To improve security, Rails embeds the purpose information in the encrypted or signed cookie value. Rails can then thwart attacks that attempt to copy the signed/encrypted value of one cookie and use it as the value of another cookie. This new embedded information makes those cookies incompatible with versions of Rails older than 6.0. If you require your cookies to be read by Rails 5.2 and older, or you are still validating your 6.0 deploy and want to be able to roll back, set Rails.application.config.action_dispatch.use_cookies_with_metadata to false.
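As an added illustration (not part of the question or the answer above, and not Rails' own implementation), the following stand-alone Ruby models what the two settings mentioned in the answer add to a cookie: AES-256-GCM authenticated encryption with a key derived from secret_key_base, and a JSON wrapper that records the cookie's purpose ("pur"; Rails uses "cookie.<cookie name>") and its expiry ("exp"). The reader returns nil when the purpose does not match, the expiry has passed, the cookie was minted under a different secret, or the payload carries no metadata wrapper at all, which is the outcome a Rails 6 app reaches when handed a cookie it cannot verify: the session is treated as empty and a fresh one is written. The secret, the cookie names and the Devise-shaped session payload are constructed for the example; the key derivation and wire layout are simplified and are not meant to interoperate with a real Rails app.

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Simplified model (constructed for this example, not Rails' own code) of what
# use_authenticated_cookie_encryption and use_cookies_with_metadata add to an
# encrypted cookie: AES-256-GCM instead of CBC+HMAC, plus a JSON wrapper that
# records the cookie's purpose ("pur") and expiry ("exp").
module CookieModel
  ITERATIONS = 1000                        # PBKDF2 iterations, ActiveSupport::KeyGenerator's default
  SALT = "authenticated encrypted cookie"  # salt name Rails 5.2+ uses for GCM cookies
  KEY_BYTES = 32                           # AES-256

  def self.derive_key(secret_key_base)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SALT, ITERATIONS, KEY_BYTES)
  end

  # Encrypt +value+ for one +purpose+ (Rails uses "cookie.<name>"); expires_in is in seconds.
  # Output layout follows Rails: base64(ciphertext)--base64(iv)--base64(auth tag).
  def self.encrypt_and_sign(secret_key_base, value, purpose:, expires_in: nil, now: Time.now)
    exp = expires_in ? (now + expires_in).utc.iso8601(3) : nil
    wrapped = JSON.generate(
      "_rails" => {
        "message" => Base64.strict_encode64(JSON.generate(value)),
        "exp" => exp,
        "pur" => purpose
      }
    )
    cipher = OpenSSL::Cipher.new("aes-256-gcm")
    cipher.encrypt
    cipher.key = derive_key(secret_key_base)
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(wrapped) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
  end

  # Returns the original value, or nil when the cookie fails authentication, carries
  # no metadata, was minted for another purpose, or has expired. nil is the
  # "no session" outcome that makes Rails write a fresh, empty session cookie.
  def self.decrypt_and_verify(secret_key_base, cookie, purpose:, now: Time.now)
    parts = cookie.split("--")
    return nil unless parts.length == 3
    ciphertext, iv, tag = parts.map { |part| Base64.strict_decode64(part) }
    return nil unless tag.bytesize == 16     # refuse truncated GCM tags

    cipher = OpenSSL::Cipher.new("aes-256-gcm")
    cipher.decrypt
    cipher.key = derive_key(secret_key_base)
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    plaintext = cipher.update(ciphertext) + cipher.final  # raises on tampering or a wrong key

    outer = JSON.parse(plaintext)
    meta = outer.is_a?(Hash) ? outer["_rails"] : nil
    return nil unless meta.is_a?(Hash)       # a pre-6.0 cookie has no metadata wrapper
    return nil unless meta["pur"] == purpose # value copied into a different cookie slot
    return nil if meta["exp"] && Time.iso8601(meta["exp"]) <= now
    JSON.parse(Base64.strict_decode64(meta["message"]))
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end

  # Worked scenario with a constructed secret and a Devise-shaped session entry.
  def self.demo
    secret  = "constructed-secret-key-base-shared-by-both-apps"  # constructed, not a real secret
    session = { "warden.user.user.key" => [[42], "constructed-auth-salt"] }
    t0      = Time.utc(2020, 6, 1, 12, 0, 0)
    cookie  = encrypt_and_sign(secret, session, purpose: "cookie._app_session", expires_in: 3600, now: t0)
    {
      same_purpose:     decrypt_and_verify(secret, cookie, purpose: "cookie._app_session", now: t0 + 60),
      copied_elsewhere: decrypt_and_verify(secret, cookie, purpose: "cookie.remember_user_token", now: t0 + 60),
      after_expiry:     decrypt_and_verify(secret, cookie, purpose: "cookie._app_session", now: t0 + 7200),
      other_secret:     decrypt_and_verify("some-other-secret", cookie, purpose: "cookie._app_session", now: t0 + 60)
    }
  end
end

puts CookieModel.demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the four outcomes: only the read under the original purpose, before expiry and with the same secret, yields the session hash; the other three return nil. The purpose check is what stops the value of one cookie being replayed as another, and the GCM tag is what makes a cookie from an app with a different secret (or a different cipher scheme) fail closed rather than decrypt to garbage.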