Rails: Can I use a different session store for a single controller or action?
I'm adding oauth support (via omniauth) to a legacy Rails app. One complication to this app is that it uses subdomain-based multitenancy (for example account1.example.com, account2.example.com) and when registering our app with oauth providers, we need to specify full URLs for our callback — no wildcard domains allowed.
No problem, I'll just reserve oauth.example.com and register that.
The problem, though, is that our session ID cookies are set for account1.example.com and such. This makes CSRF protection break and also makes passing along the client's destination a lot trickier.
I can reconfigure our Rails app to set the session ID cookie on .example.com which fixes the CSRF issue. But! If I change that in production, it will invalidate every session for every user of our app. Not a showstopper, I guess, but pretty unfriendly.
So! As the only place I want to share cross-domain sessions is for our oauth actions — is there a way I can override the session handler on a per-controller basis?
Or would I maybe be looking to write a custom Rack middleware to override session handling for some requests…?
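The middleware route the question ends on, sketched as an added example that is not part of the original post: a Rack-style middleware that widens the session cookie's domain only for requests under the OAuth path, leaving every tenant request on its host-specific cookie. It sets the real `rack.session.options` env hash that Rack's session middleware reads when it writes `Set-Cookie`, so it has to sit downstream of (after) the session middleware in the stack. The hostnames, the `/auth` prefix, the `.example.com` shared domain and the downstream app are constructed for the demonstration.

```ruby
# Added example, not code from the original question.
# Widens the session cookie domain only for the OAuth callback path so that
# tenant requests (account1.example.com, ...) keep their existing cookies.
# Assumes it is inserted after Rack's session middleware, which populates
# 'rack.session.options' and consults it when emitting Set-Cookie.
class OauthSessionDomain
  SESSION_OPTIONS = 'rack.session.options'.freeze

  # app:           next Rack application in the chain
  # shared_domain: parent domain the oauth host and tenant hosts share
  # path_prefix:   only requests under this prefix get the widened cookie
  def initialize(app, shared_domain:, path_prefix: '/auth')
    @app = app
    @shared_domain = shared_domain
    @path_prefix = path_prefix
  end

  def call(env)
    if oauth_request?(env)
      opts = env[SESSION_OPTIONS] ||= {}
      opts[:domain] = @shared_domain
      # A cookie readable from every tenant subdomain should carry the
      # strictest transport and script-access flags.
      opts[:secure] = true
      opts[:httponly] = true
    end
    @app.call(env)
  end

  private

  # Exact prefix match on a path segment boundary, so '/authors' does not
  # accidentally receive the shared-domain cookie.
  def oauth_request?(env)
    path = env['PATH_INFO'].to_s
    path == @path_prefix || path.start_with?("#{@path_prefix}/")
  end
end

# Runs one request through the middleware and returns the session options
# the downstream session middleware would see when writing the cookie.
def session_options_for(path, host: 'account1.example.com')
  # Constructed stand-in for the downstream app; the Rails stack sits here.
  downstream = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  middleware = OauthSessionDomain.new(downstream, shared_domain: '.example.com')
  # Constructed minimal Rack env, with the app-wide session defaults that the
  # session middleware would normally have placed in rack.session.options.
  env = {
    'PATH_INFO' => path,
    'HTTP_HOST' => host,
    'rack.session.options' => { domain: host, httponly: true, secure: true },
  }
  middleware.call(env)
  env['rack.session.options']
end

if $PROGRAM_NAME == __FILE__
  puts session_options_for('/dashboard')[:domain]
  puts session_options_for('/auth/github/callback', host: 'oauth.example.com')[:domain]
end
```

Only the cookie domain changes, so the existing tenant sessions the question is worried about are left alone; ordering matters, because upstream of the session middleware the options hash does not exist yet and the assignment would be discarded.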
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow