On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote: > > The new session id is created when the http request header contains > 'Pragma'='no-cache' on our RoR environment. Our goal is that the session > id is preserved if the http request header contains 'Pragma'='no-cache'. > Please let us know how to preserve the session id. > > The detailed sequence is shown below: > > 1. The user downloads the Microsoft World file from RoR application, and > opens that file using 'Protected View'. > > 2. The user clicks the url link which is written in that Word file. The > clicked url link points to a page which is located on that RoR > application. > > 3. On opening that url link, the http request header contains > 'Pragma'='no-cache', and the new session id is created with the http > response header which contains 'Set-Cookie'. > > If the user opens that file not using 'Protected View' on the sequence 1, > the session id is preserved on the sequence 3. The http request header > doesn't contain 'Pragma'='no-cache'. >
I can't find much documentation for Protected View, but there's some indication that it may be fiddling with the context that the web request uses when you click on the link: https://onmessages.wordpress.com/2015/01/19/a-security-problem-has-occurred-in-word/ This may be a security restriction to prevent malicious documents from including hyperlinks to third-party sites that rely on the user's existing cookies to do XSS. --Matt Jones -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscr...@googlegroups.com. To post to this group, send email to rubyonrails-talk@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/b1144751-fc88-4495-a8fe-4431c575841d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
