Hi all,
Reviving this old thread with a I am developing a site that needs to be accessible to mobile phones, and I am having issues with session tracking. While the default "cookie_only" session tracking makes a lot of sense (it prevents session fixation attacks), there are these cases when your clients do not support cookies (say, many mobile phones, for example) and you just need to do request-parameter-based session tracking. One should be able to use the "cookie_only" session option and set it to "false" where appropriate, but this is seriously broken in Rails 2.3. >From my tests so far: 1) Setting a default by adding "config.action_controller.session = {:cookie_only => false}" in environment.rb DOES work. 2) Inside your controller (say, a before_filter method), "request.session_options[:cookie_only] = false" to false will NOT work. Unfortunately, 1) is not an acceptable solution, as it opens the whole site to session fixation attacks. FWIW, I think I have traced down the culprit to the load_session method in active_store.rb around line 165: sid = request.cooki...@key] unless @cookie_only sid ||= request.para...@key] end This code becomes a problem in 2.3, because the session has been pushed down to the Rack middleware layer, where your abstract_store gets initialized once and for all, way before any of your controller code gets executed. As a result, your abstract_store's @cookie_only and @key are set once and for all, according to the default session options. Any further changes to the session_options[:cookie_only] or session_options[:key] will simply be ignored. Here is a tentative monkey patch that restores the proper functionality of session_options[:cookie_only] and session_options[:key]. HTH. ####################################################################### # Monkey patch to allow per-controller/action setting of :cookie_only # and :key session options ####################################################################### module ActionController module Session class AbstractStore private def load_session(env) request = Rack::Request.new(env) key = request.session_options[:key] cookie_only = request.session_options[:cookie_only] sid = request.cookies[key] unless cookie_only sid ||= request.params[key] end sid, session = get_session(env, sid) [sid, session] end end end end -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk@googlegroups.com To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---