[Rails] Re: How to preserve the session id whether the http request header contains 'Pragma'='no-cache'.

2015-08-07 Thread Frederick Cheung

On Friday, August 7, 2015 at 8:49:20 AM UTC+1, Hiroto Mukouhara wrote:
>
> On Tuesday, August 4, 2015 at 6:41:18 AM UTC+1, Hiroto Mukouhara wrote:
>
>>
>>> Does the request in 3 have a cookie header? 
>>
>> Fred 
>>
>
> Thank you for your quick response. The request in 3 does not have a
> cookie header whether the open mode is 'Protected View' or not.
>  
>

So there's your problem. If the cookie header is not set then Rails will 
think there is no existing session. As Matt says, this is probably a 
security thing.

Fred 

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to rubyonrails-talk+unsubscr...@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/rubyonrails-talk/e68c5c45-2f07-4c47-b81d-c51e6336bbf2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
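Fred's diagnosis above can be checked without a browser or a Word document. The following is an added example, not code from the thread and not Rails' own session store (ActionDispatch::Session::CookieStore additionally encrypts, serializes and expires the cookie). It is a deliberately small Rack-style middleware that does what matters here: look for a signed session id in the Cookie header, resume the session if the signature verifies, otherwise mint a new id and send Set-Cookie. The cookie name, secret and /report path are made-up values, and the env hashes are constructed by hand so the script runs with no gems installed. The walkthrough replays the two cases from the thread (link opened with and without a Cookie header, both carrying Pragma: no-cache) plus a tampered cookie.

```ruby
# Added example: simplified stand-in for a cookie-backed session middleware.
# NOT Rails' own code; names and secret below are assumptions for the demo.
require 'openssl'
require 'securerandom'

class DemoSessionMiddleware
  COOKIE_NAME = '_demo_session'.freeze # Rails uses "_<app>_session" by default

  def initialize(app, secret:)
    @app = app
    @secret = secret
  end

  # Rack entry point. env is a plain Hash, so no Rack gem is needed to run this.
  def call(env)
    sid = verified_session_id(env['HTTP_COOKIE'])
    resumed = !sid.nil?
    sid ||= SecureRandom.hex(16)
    env['demo.session_id'] = sid
    env['demo.session_resumed'] = resumed

    status, headers, body = @app.call(env)
    # Re-issue the cookie only when no valid one arrived. Note that nothing
    # here looks at Pragma or Cache-Control: they play no part in the lookup.
    unless resumed
      headers['Set-Cookie'] =
        "#{COOKIE_NAME}=#{sign(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax"
    end
    [status, headers, body]
  end

  private

  # Parse "a=b; c=d" and return the verified session id, or nil when the
  # cookie is absent, malformed, or carries a bad signature.
  def verified_session_id(cookie_header)
    return nil if cookie_header.nil? || cookie_header.empty?
    pairs = cookie_header.split(/;\s*/).map { |kv| kv.split('=', 2) }
    raw = pairs.select { |kv| kv.size == 2 }.to_h[COOKIE_NAME]
    return nil unless raw
    sid, mac = raw.split('--', 2)
    return nil unless sid && mac && sid.match?(/\A\h{32}\z/)
    secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', @secret, sid), mac) ? sid : nil
  end

  def sign(sid)
    "#{sid}--#{OpenSSL::HMAC.hexdigest('SHA256', @secret, sid)}"
  end

  # Constant-time comparison so the MAC cannot be guessed byte by byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Downstream app: reports whether the session middleware resumed a session.
DEMO_APP = lambda do |env|
  [200, { 'Content-Type' => 'text/plain' },
   ["resumed=#{env['demo.session_resumed']} sid=#{env['demo.session_id']}"]]
end

SECRET = 'constructed-demo-secret-do-not-reuse'.freeze # assumption, demo only
PIPELINE = DemoSessionMiddleware.new(DEMO_APP, secret: SECRET)

# Constructed Rack-style env for GET /report; Pragma and Cookie are optional.
def demo_env(pragma: nil, cookie: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/report' }
  env['HTTP_PRAGMA'] = pragma if pragma
  env['HTTP_COOKIE'] = cookie if cookie
  env
end

# Returns [session_id, resumed?, Set-Cookie header or nil].
def run_request(pragma: nil, cookie: nil)
  env = demo_env(pragma: pragma, cookie: cookie)
  _status, headers, _body = PIPELINE.call(env)
  [env['demo.session_id'], env['demo.session_resumed'], headers['Set-Cookie']]
end

# First request plays the role of the earlier logged-in visit that set the
# cookie; the others replay the link click from the thread's step 3.
def walkthrough
  first_sid, _, set_cookie = run_request
  cookie_value = set_cookie.split(';', 2).first # "_demo_session=<sid>--<mac>"
  {
    first_sid: first_sid,
    with_cookie: run_request(pragma: 'no-cache', cookie: cookie_value),    # normal open
    without_cookie: run_request(pragma: 'no-cache'),                       # Protected View
    tampered: run_request(cookie: cookie_value.sub('--', '--ff'))          # bad MAC
  }
end

if __FILE__ == $PROGRAM_NAME
  r = walkthrough
  puts "login issued sid   #{r[:first_sid]}"
  puts "Pragma + Cookie    resumed=#{r[:with_cookie][1]} sid=#{r[:with_cookie][0]}"
  puts "Pragma, no Cookie  resumed=#{r[:without_cookie][1]} sid=#{r[:without_cookie][0]}"
  puts "tampered Cookie    resumed=#{r[:tampered][1]}"
end
```

The request with Pragma: no-cache and a valid Cookie header resumes the original id and gets no Set-Cookie; the same request with the Cookie header stripped gets a fresh id and a new Set-Cookie, exactly the behaviour reported in step 3. The practical check on a real Rails app is the same one Fred asked for: capture the request that Word's Protected View sends (a reverse-proxy access log with %{Cookie}i, or a Rack middleware that logs env['HTTP_COOKIE']) and confirm the Cookie header is absent before looking anywhere else in the application.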


[Rails] Re: How to preserve the session id whether the http request header contains 'Pragma'='no-cache'.

2015-08-07 Thread Hiroto Mukouhara


On Thursday, August 6, 2015 at 4:32:05 UTC+9, Matt Jones wrote:
>
>
>
> On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote:
>>
>> The new session id is created when the http request header contains
>> 'Pragma'='no-cache' on our RoR environment. Our goal is that the session
>> id is preserved if the http request header contains 'Pragma'='no-cache'.
>> Please let us know how to preserve the session id.
>>
>> The detailed sequence is shown below:
>>
>> 1. The user downloads the Microsoft Word file from RoR application, and
>>opens that file using 'Protected View'.
>>
>> 2. The user clicks the url link which is written in that Word file. The
>>clicked url link points to a page which is located on that RoR
>>application.
>>
>> 3. On opening that url link, the http request header contains
>>'Pragma'='no-cache', and the new session id is created with the http
>>response header which contains 'Set-Cookie'. 
>>
>> If the user opens that file not using 'Protected View' on the sequence 1,
>> the session id is preserved on the sequence 3. The http request header
>> doesn't contain 'Pragma'='no-cache'.
>>
>
> I can't find much documentation for Protected View, but there's some 
> indication that it may be fiddling with the context that the web request 
> uses when you click on the link:
>
>
> https://onmessages.wordpress.com/2015/01/19/a-security-problem-has-occurred-in-word/
>
> This may be a security restriction to prevent malicious documents from 
> including hyperlinks to third-party sites that rely on the user's existing 
> cookies to do XSS.
>
> --Matt Jones
>


 Thanks for your insight. I'll check the detail of that page.



[Rails] Re: How to preserve the session id whether the http request header contains 'Pragma'='no-cache'.

2015-08-07 Thread Hiroto Mukouhara


On Wednesday, August 5, 2015 at 19:52:01 UTC+9, Frederick Cheung wrote:
>
>
>
> On Tuesday, August 4, 2015 at 6:41:18 AM UTC+1, Hiroto Mukouhara wrote:
>>
>> The new session id is created when the http request header contains
>> 'Pragma'='no-cache' on our RoR environment. Our goal is that the session
>> id is preserved if the http request header contains 'Pragma'='no-cache'.
>> Please let us know how to preserve the session id.
>>
>> The detailed sequence is shown below:
>>
>> 1. The user downloads the Microsoft Word file from RoR application, and
>>opens that file using 'Protected View'.
>>
>> 2. The user clicks the url link which is written in that Word file. The
>>clicked url link points to a page which is located on that RoR
>>application.
>>
>> 3. On opening that url link, the http request header contains
>>'Pragma'='no-cache', and the new session id is created with the http
>>response header which contains 'Set-Cookie'. 
>>
>> If the user opens that file not using 'Protected View' on the sequence 1,
>> the session id is preserved on the sequence 3. The http request header
>> doesn't contain 'Pragma'='no-cache'.
>>
>>
>>
> Does the request in 3 have a cookie header? 
>
> Fred 
>

Thank you for your quick response. The request in 3 does not have a
cookie header whether the open mode is 'Protected View' or not.
 



[Rails] Re: How to preserve the session id whether the http request header contains 'Pragma'='no-cache'.

2015-08-05 Thread Matt Jones


On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote:
>
> The new session id is created when the http request header contains
> 'Pragma'='no-cache' on our RoR environment. Our goal is that the session
> id is preserved if the http request header contains 'Pragma'='no-cache'.
> Please let us know how to preserve the session id.
>
> The detailed sequence is shown below:
>
> 1. The user downloads the Microsoft Word file from RoR application, and
>opens that file using 'Protected View'.
>
> 2. The user clicks the url link which is written in that Word file. The
>clicked url link points to a page which is located on that RoR
>application.
>
> 3. On opening that url link, the http request header contains
>'Pragma'='no-cache', and the new session id is created with the http
>response header which contains 'Set-Cookie'. 
>
> If the user opens that file not using 'Protected View' on the sequence 1,
> the session id is preserved on the sequence 3. The http request header
> doesn't contain 'Pragma'='no-cache'.
>

I can't find much documentation for Protected View, but there's some 
indication that it may be fiddling with the context that the web request 
uses when you click on the link:

https://onmessages.wordpress.com/2015/01/19/a-security-problem-has-occurred-in-word/

This may be a security restriction to prevent malicious documents from 
including hyperlinks to third-party sites that rely on the user's existing 
cookies to do XSS.

--Matt Jones



[Rails] Re: How to preserve the session id whether the http request header contains 'Pragma'='no-cache'.

2015-08-05 Thread Frederick Cheung


On Tuesday, August 4, 2015 at 6:41:18 AM UTC+1, Hiroto Mukouhara wrote:
>
> The new session id is created when the http request header contains
> 'Pragma'='no-cache' on our RoR environment. Our goal is that the session
> id is preserved if the http request header contains 'Pragma'='no-cache'.
> Please let us know how to preserve the session id.
>
> The detailed sequence is shown below:
>
> 1. The user downloads the Microsoft Word file from RoR application, and
>opens that file using 'Protected View'.
>
> 2. The user clicks the url link which is written in that Word file. The
>clicked url link points to a page which is located on that RoR
>application.
>
> 3. On opening that url link, the http request header contains
>'Pragma'='no-cache', and the new session id is created with the http
>response header which contains 'Set-Cookie'. 
>
> If the user opens that file not using 'Protected View' on the sequence 1,
> the session id is preserved on the sequence 3. The http request header
> doesn't contain 'Pragma'='no-cache'.
>
>
>
Does the request in 3 have a cookie header? 

Fred 
