[Rails] sessions without cookies
Julian Wegkamp
j.s.wegkamp at gmail.com
Mon Jan 3 11:01:56 GMT 2005
I agree that for online shopping, sessions encoded in the URL are a
security issue waiting to happen. But for some apps using cookies also
isn't an option because of browser limitations (e.g. most mobile
browsers). So it would be nice to have this option available to the
developer. I think this could be quite easy to implement in a Rails
application, but I haven't got the time to dig into any Rails
development for the next month or so. Does anyone have an example of
how this could be implemented?
Julian
On Sun, 2 Jan 2005 22:31:45 -0500, Tobias Luetke
<tobias.luetke at gmail.com> wrote:
> Currently, if users manage to get to the view shopping cart page with
> an empty shopping cart I tell them how to enable cookies.
>
> Session info in the URL is too dangerous for a shop, I think. Someone
> might post a link to a product on a board and everyone following this
> link is logged with all user data available.
>
> You can IP-restrict sessions, but that still leaves people behind big
> proxy servers vulnerable (i.e. AOL).
>
> I added a small log entry so I'll be able to grep and see how often
> this happens after my shop launches.
>
> On Sun, 2 Jan 2005 21:22:03 +0100, Florian Weber <csshsh at structbench.com> wrote:
> > Hi!
> >
> > Is any of you using sessions without cookies (with GET parameters
> > instead)?
> >
> > Btw, what do you guys think: is it worth supporting users who have
> > cookies disabled for a shop?
> >
> > ciao!
> > florian
> >
> > _______________________________________________
> > Rails mailing list
> > Rails at lists.rubyonrails.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
> >
>
>
> --
> Tobi
> http://blog.leetsoft.com
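As an added illustration of the trade-off this thread discusses (example code written for this page, not from any of the posts and not Rails' own session store): a minimal cookieless session store that carries its id in a query parameter, with the IP restriction Tobias mentions. The `_session_id` parameter name, the store and the addresses are assumptions; it shows why a pasted link hands the session to anyone who follows it when the restriction is off, and why clients sharing one proxy address still get through when it is on.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# In-memory session store whose id travels in the URL instead of a cookie
# (a constructed illustration, not Rails' own session store).
class UrlSessionStore
  PARAM = '_session_id' # assumed query parameter name

  def initialize
    @sessions = {}
  end

  # Issue a session and remember the client address it was issued to.
  def create(client_ip)
    id = SecureRandom.hex(16)
    @sessions[id] = { ip: client_ip, data: {} }
    id
  end

  # Append the id to an outgoing link, as every link in a cookieless app must.
  def rewrite(url, id)
    "#{url}#{url.include?('?') ? '&' : '?'}#{PARAM}=#{id}"
  end

  # Resolve the id carried by a request URL. With ip_restrict the session is
  # only returned to the address it was issued to; without it, anyone who
  # follows a pasted link inherits the session and everything stored in it.
  def lookup(url, client_ip, ip_restrict: true)
    id = CGI.parse(URI(url).query.to_s)[PARAM]&.first
    s = @sessions[id]
    return nil if s.nil?
    return nil if ip_restrict && s[:ip] != client_ip
    s[:data]
  end
end

# The thread's scenario: a customer pastes a product link on a board; others
# follow it from another address, or from the same proxy address (constructed IPs).
def shared_link_outcomes
  store = UrlSessionStore.new
  owner = '203.0.113.7'
  id = store.create(owner)
  link = store.rewrite('/products/42', id)    # the link that gets posted
  store.lookup(link, owner)[:user] = 'alice'  # owner's session holds their data
  {
    no_restriction: store.lookup(link, '198.51.100.9', ip_restrict: false), # leaks
    restricted:     store.lookup(link, '198.51.100.9'),                     # refused
    same_proxy:     store.lookup(link, owner)                               # still leaks
  }
end
```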