Topic: cookie based auth doesn't differentiate between environment?

Hey guys,

I'm thinking I must be missing something because it doesn't make sense to me why this wouldn't be configured by default in Rails.

It seems to me that if you run 2 instances of the same Rails app (i.e. staging and production environments), then authentication on one instance carries over to the other and vice versa.  For example, suppose I have the same user 'bob' defined in both instances of the application.  If I log in as 'bob' on staging, and then open a tab to the production app, bob is automatically logged in.

I can see why - the app recognizes its own authentication cookie, the user exists and so he is authenticated.  But this doesn't seem like secure default behaviour.  Wouldn't it make more sense if the cookie was different for a different environment, perhaps by including the environment name in the session key?
:key         => '#{app_name}_#{RAILS_ENV}_session'

Thanks for your thoughts,