Currently, staging and production share the same login session scope due to how the session cookie domain is configured.
In config/initializers/session_store.rb, we are stripping a leading www., app., staging. or stg. from SITE_URL before using it as the session cookie domain:

```ruby
# config/initializers/session_store.rb
domain = if Rails.env.staging? || Rails.env.production?
           # Strip a leading www./app./staging./stg. and prepend a dot, so the
           # cookie is scoped to the shared root domain and all of its subdomains.
           ".#{ENV['SITE_URL'].gsub(/^(www\.)|^(app\.)|^(staging\.)|^(stg\.)/, '')}"
         else
           # Development/test: let Rails derive the cookie domain from the request host.
           :all
         end

Openfoodnetwork::Application.config.session_store(
  :active_record_store,
  key: "_ofn_session_id",
  domain: domain
)
```
Because staging. is stripped, both environments resolve to the same root domain (e.g. .openfoodnetwork.org), so the staging and production apps set and read the same _ofn_session_id cookie, and a login on one replaces the session of the other.
This appears to be an unintended side effect of a previous change meant to fix staging session behavior.
This issue aims to isolate sessions between environments while keeping login functionality intact.
You can simulate this locally using two subdomains:
/etc/hosts file:

```
127.0.0.1 localhost
127.0.0.1 staging.localhost
```

You will observe that logging in to one host invalidates the other's session, because both apps set and read the same cookie on the same cookie domain.
You can confirm this by inspecting:
DevTools → Application → Cookies → _ofn_session_id
Use separate browsers or incognito mode for staging vs production.
bug-s3
A feature (session isolation) is broken but there is a workaround.
We should stop stripping staging., stg., app. and www. from SITE_URL.

Update this line:

```ruby
".#{ENV['SITE_URL'].gsub(/^(www\.)|^(app\.)|^(staging\.)|^(stg\.)/, '')}"
```

To:

```ruby
ENV['SITE_URL']
```

This keeps the www. and app. subdomains as well, so each environment's cookie is scoped to its own host instead of the shared root domain. One caveat: a cookie Domain attribute still matches every host beneath it (RFC 6265 ignores a leading dot), so a production cookie scoped to the bare root domain would still be sent to staging.<root>. If production runs on the root domain, giving each environment its own cookie key is worth considering as well.
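The following is an added example, not Open Food Network code, that models what the current and the proposed domain derivation do to the _ofn_session_id cookie. It implements RFC 6265 domain matching, a minimal browser cookie jar and a minimal per-app session table, then replays the sequence from the reproduction steps (log in on staging, visit production, return to staging) under both derivations. The host names, the user name and the Jar/App classes are constructed for illustration and are not the project's own.

```ruby
require 'securerandom'

# Current derivation, copied from the initializer quoted in this issue: strip a
# leading www./app./staging./stg. and prepend a dot, so every environment lands
# on the shared root domain.
def stripped_cookie_domain(site_url)
  ".#{site_url.gsub(/^(www\.)|^(app\.)|^(staging\.)|^(stg\.)/, '')}"
end

# Proposed derivation: use SITE_URL unchanged, so each environment keeps its host.
def isolated_cookie_domain(site_url)
  site_url
end

# RFC 6265 section 5.1.3 domain matching: a request host matches a cookie Domain
# when it equals the domain or ends with ".<domain>". Browsers ignore a leading
# dot on the attribute, so it is normalised away here.
def domain_match?(request_host, cookie_domain)
  domain = cookie_domain.sub(/\A\./, '').downcase
  host = request_host.downcase
  host == domain || host.end_with?(".#{domain}")
end

# A browser cookie jar keyed by (name, domain). On a read, the most specific
# matching domain wins (a simplification of the browser's ordering rules).
# Constructed for this example.
class Jar
  def initialize
    @cookies = {}
  end

  def set(name, value, domain)
    @cookies[[name, domain.sub(/\A\./, '').downcase]] = value
  end

  def get(name, host)
    match = @cookies.keys
                    .select { |n, d| n == name && domain_match?(host, d) }
                    .max_by { |_, d| d.length }
    match && @cookies[match]
  end
end

# One Rails app with its own ActiveRecord-style session table. A missing or
# unknown session id (for example one issued by the other environment) starts a
# fresh anonymous session. Constructed for this example.
class App
  def initialize(site_url, derive_domain)
    @host = site_url
    @cookie_domain = derive_domain.call(site_url)
    @sessions = {}
  end

  # Handle one request: resolve the session from the cookie the browser sends,
  # optionally log a user in, and (re)issue the cookie. Returns the session's user.
  def request(jar, login_as: nil)
    sid = jar.get('_ofn_session_id', @host)
    sid = nil unless @sessions.key?(sid)
    sid ||= SecureRandom.hex(8).tap { |id| @sessions[id] = nil }
    @sessions[sid] = login_as if login_as
    jar.set('_ofn_session_id', sid, @cookie_domain)
    @sessions[sid]
  end
end

# Log in on staging, visit production, then come back to staging. Returns the
# user staging still sees on the third request (nil means logged out).
def staging_user_after_visiting_production(derive_domain,
                                           staging_url: 'staging.openfoodnetwork.org',
                                           production_url: 'www.openfoodnetwork.org')
  jar = Jar.new
  staging = App.new(staging_url, derive_domain)
  production = App.new(production_url, derive_domain)
  staging.request(jar, login_as: 'alice')
  production.request(jar)
  staging.request(jar)
end

if __FILE__ == $PROGRAM_NAME
  puts "stripped: #{staging_user_after_visiting_production(method(:stripped_cookie_domain)).inspect}"
  puts "isolated: #{staging_user_after_visiting_production(method(:isolated_cookie_domain)).inspect}"
  puts "root-domain cookie reaches staging? #{domain_match?('staging.openfoodnetwork.org', 'openfoodnetwork.org')}"
end
```

With the stripped derivation the production visit overwrites the shared cookie and the third request finds no session, which is the logout described above. With SITE_URL used as-is, the two cookies live on different domains and the staging session survives. The last line of the demo shows the caveat from the fix section: a cookie scoped to the bare root domain is still sent to staging.openfoodnetwork.org, so isolation also depends on production not running on the root domain with the same cookie key.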