[Rails] sessions without cookies

Jens-Christian Fischer jcf at invisible.ch
Mon Jan 3 12:37:07 GMT 2005


> I agree that for online shopping, sessions encoded in the URL is a
> security issue waiting to happen. But for some apps using cookies also
> isn't an option because of browser limitations (e.g. most mobile
> browsers). So it would be nice to have this option available to the

I'm working on an application for mobile devices and have to go the "session-in-url" route. So far I have just appended the session_id into every URL I create manually.

> developer. I think this could be quite easy to implement in a Rails
> application, but I haven't got the time to dig into any Rails
> development for the next month or so. Does anyone have an example of
> how this could be implemented?

Here's what I do:

In the controllers:
  redirect_to :action => "show", :controller => "stuff", :id => @stuff.id, :params => { "_session_id" => @session.session_id }

and in a view:
<%= link_to "show", { :action => "show", :controller => "stuff", :id => @stuff.id,
                      :params => { "_session_id" => @session.session_id } },
                         { :accesskey => "*" }  -%>

and for forms you need an additional field with the session_id:

<input name="_session_id" type="hidden" value="<%= @session.session_id -%>"/>

I have thought about how to move that into the framework. I could imagine extending the url_... methods to tag the session_id onto the URL if, e.g., a global variable is true. Or the deluxe version: let the framework figure out by itself that there's no cookie support and start writing the session into the URL. That, however, still leaves the forms that need the additional field.

Jens-Christian
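
The propagation logic described in the post (session id tagged onto every link and hidden in every form, plus the "deluxe" variant that only falls back to the URL when the browser never echoes the session cookie back), written out as an added example in plain Ruby. This is not Jens-Christian's code and not a Rails API; the helper names (with_session, session_url, session_hidden_field, session_mode, build_link) and the hash-shaped request are assumptions made for this illustration. The "_session_id" parameter name is the one used in the post. The format check on the incoming id is the defender's addition: an id that arrives in the URL is attacker-controlled input and should be validated before it is used to look up anything.

```ruby
require 'uri'
require 'cgi'

# Parameter name used in the post for the session id carried in the URL.
SESSION_KEY = "_session_id"

# Only accept ids that look like the hex tokens the session store hands out
# (assumed format); anything else coming in via the URL is dropped.
def valid_session_id?(sid)
  sid.is_a?(String) && sid.match?(/\A[0-9a-f]{16,64}\z/)
end

# Mirror of the :params => { "_session_id" => ... } pattern: merge the session
# id into the parameter hash that a link or redirect is built from.
def with_session(params, session_id)
  params.merge(SESSION_KEY => session_id)
end

# Build a full URL with the session id appended as a query parameter.
def session_url(base, params, session_id)
  "#{base}?#{URI.encode_www_form(with_session(params, session_id))}"
end

# Hidden field for forms; the value is HTML-escaped so the id can never break
# out of the attribute even if something odd ends up in the session store.
def session_hidden_field(session_id)
  %(<input name="#{SESSION_KEY}" type="hidden" value="#{CGI.escapeHTML(session_id)}"/>)
end

# "Deluxe" mode detection. A request is modelled as a constructed hash with
# :cookies and :params. The rule: URL propagation stops only once the browser
# has demonstrably sent the session cookie back; an id that arrives only in
# the URL keeps URL mode, and no id at all means a fresh session.
def session_mode(request)
  if valid_session_id?(request[:cookies][SESSION_KEY])
    :cookie
  elsif valid_session_id?(request[:params][SESSION_KEY])
    :url
  else
    :new
  end
end

# Build a link for this request: plain when the cookie carries the session,
# otherwise with the id tagged onto the URL (new sessions must also be tagged
# until the next request proves cookies work).
def build_link(request, base, params, session_id)
  if session_mode(request) == :cookie
    "#{base}?#{URI.encode_www_form(params)}"
  else
    session_url(base, params, session_id)
  end
end

if __FILE__ == $0
  sid = "3f9c2a7b1d4e6f80"                       # constructed sample id
  link_params = { "action" => "show", "id" => "42" }

  cookie_req = { cookies: { SESSION_KEY => sid }, params: {} }
  url_req    = { cookies: {}, params: { SESSION_KEY => sid } }
  fresh_req  = { cookies: {}, params: {} }

  [cookie_req, url_req, fresh_req].each do |req|
    puts "#{session_mode(req)}: #{build_link(req, "/stuff", link_params, sid)}"
  end
  puts session_hidden_field(sid)
end
```

The mode check deliberately prefers the cookie over the URL parameter: once a client has shown it can hold a cookie, the id no longer needs to appear in links, which limits how often it lands in proxy logs and Referer headers, the exposure the earlier message in the thread was worried about.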
