[Rails] sessions without cookies

Justin French justin.french at indent.com.au
Wed Jan 5 07:37:52 GMT 2005


On 03/01/2005, at 11:37 PM, Jens-Christian Fischer wrote:

>> I agree that for online shopping, sessions encoded in the URL is a
>> security issue waiting to happen. But for some apps using cookies also
>> isn't an option because of browser limitations (e.g. most mobile
>> browsers). So it would be nice to have this option available to the
>
> I'm working on an application for mobile devices and have to go the  
> "session-in-url" route. So far I have just appended the session_id  
> into every URL I create manually.
>
>> developer. I think this could be quite easy to implement in a Rails
>> application, but I haven't got the time to dig into any Rails
>> development for the next month or so. Does anyone have an example of
>> how this could be implemented?
>
> Here's what I do:
>
> In the controllers:
>   redirect_to :action => "show", :controller => "stuff", :id => @stuff.id,
>               :params => { "_session_id" => @session.session_id }
>
> and in a view:
> <%= link_to "show",
>             { :action => "show", :controller => "stuff", :id => @stuff.id,
>               :params => { "_session_id" => @session.session_id } },
>             { :accesskey => "*" } -%>

I think these can be taken care of with default_url_options
<http://api.rubyonrails.org/classes/ActionController/Base.html#M000069>.

> and for forms you need an additional field with the session_id:
> <input name="_session_id" type="hidden" value="<%= @session.session_id -%>"/>

... which could be taken care of with a helper, or perhaps the url_for  
method used in the form tag would propagate the session, removing the  
need for a form element.


> I have thought about how to move that into the framework. I could  
> imagine to extend the url_... methods to tag the session_id into the  
> URL if f.e. a global variable is true. Or the deluxe version: let the  
> framework figure out by itself, that there's no cookie support and  
> start writing the session into the URL.

Exactly (see my other post in this thread).

---
Justin French, Indent.com.au
justin.french at indent.com.au
Web Application Development & Graphic Design
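
Added example, not part of the original message and not Rails code: a plain-Ruby sketch of the URL propagation discussed in this thread, restricted so the "_session_id" parameter is only added to links that stay on the application's own host, plus a scrubber for URLs that end up in logs. The host name, the function names and the FILTERED marker are assumptions made for illustration.

```ruby
require "uri"

SESSION_PARAM = "_session_id"     # parameter name used in the thread
APP_HOST = "shop.example.test"    # hypothetical application host

# Append the session id to a URL only when the link stays on our own host.
# Relative URLs have no host and therefore stay on the application.
# Links to any other host are returned unchanged, so the id is not handed
# to third parties through the link target.
def propagate_session(url, session_id, app_host: APP_HOST)
  uri = URI.parse(url)
  same_site = uri.host.nil? || uri.host.casecmp?(app_host)
  return url unless same_site

  # Drop any session id already present so a stale or attacker-supplied
  # value in the incoming link is never carried forward.
  params = URI.decode_www_form(uri.query.to_s).reject { |k, _| k == SESSION_PARAM }
  params << [SESSION_PARAM, session_id]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# Mask the session id before a URL is written to an access or error log.
def scrub_session(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  params = URI.decode_www_form(uri.query).map do |k, v|
    k == SESSION_PARAM ? [k, "FILTERED"] : [k, v]
  end
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs and session id.
  puts propagate_session("/stuff/show/1", "abc123")
  puts propagate_session("https://partner.example.test/help", "abc123")
  puts scrub_session("/stuff/show/1?_session_id=abc123&page=2")
end
```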


