I'm implementing a simpler version of the Cookie Session Store in Rails 2.0. If you know what that is, skip the next paragraph.

A cookie session store stores the session data inside cookies, on the client, and signs them using a secret string, hashed together. The user can decode the cookie easily if they know much about computers and see what's inside, but they can't alter it because they can't generate the needed hash to sign it, and the server will ignore all cookie session data that isn't signed right. It's neat, you don't need a database, no file system clutter, and I think it feels really just a lot more natural this way.

Trouble is, I'm trying to make it work as a drop in replacement for the camping sessions mixin so people can 'upgrade' in either direction easily, consider this code however...

> def service(*a)
>   if @cookies.identity
>     blob, secure_hash = @cookies.identity.to_s.split(':')
>     blob = Base64.decode64(blob)
>     # Check the signature before unmarshalling anything the client sent
>     data = secure_blob_hasher(blob) == secure_hash ? Marshal.restore(blob) : {}
>   else
>     blob = ''
>     data = {}
>   end
>
>   app = self.class.name.gsub(/^(\w+)::.+$/, '\1')
>   @state = (data[app] ||= Camping::H[])
>   hash_before = blob.hash
>   return super(*a)
> ensure
>   if data
>     data[app] = @state
>     blob = Marshal.dump(data)
>     unless hash_before == blob.hash
>       secure_hash = secure_blob_hasher(blob)
>       @cookies.identity = Base64.encode64(blob).strip + ':' + secure_hash
>     end
>   end
> end

and there's quite a problem, check out that line, return super(*a), and look at the camping source, and soon enough one realises the reason this doesn't work at all is that the code inside the super is the code converting @cookies into the Set-Cookie http header, so it's too late to set a cookie by the time the ensure block runs and tries to save the session.

What should I do? It feels dirty to copy code out of camping.rb that serializes the cookies, in effect making it do that job twice every time the session data and any other cookie data changes (which wouldn't be a big deal for my app, but still seems nasty). Anyone got a better idea?

? Jenna ?Where's my oats? Fox
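The signed-cookie scheme described in the first message, as an added example that is not part of the original thread or of Camping: it signs with HMAC-SHA256, serializes with JSON instead of Marshal, and checks the signature before decoding anything the client sent. The secret, the function names and the sample session are constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed secret for the demo; a real app loads this from configuration.
SECRET = 'constructed-demo-secret-not-for-production'

# HMAC-SHA256 over the encoded blob, keyed with the server secret.
def sign(encoded)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, encoded)
end

# Compare two strings without stopping at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Serialize the session hash and append its MAC: "<base64>:<hex mac>".
# pack('m0') is strict Base64 (no newlines), so ':' never appears in the blob.
def dump_session(data)
  encoded = [JSON.generate(data)].pack('m0')
  "#{encoded}:#{sign(encoded)}"
end

# Return the session hash, or {} when the cookie is missing, malformed or forged.
# The MAC is checked before any decoding or parsing of the client-supplied blob.
def load_session(cookie)
  encoded, mac = cookie.to_s.split(':', 2)
  return {} if encoded.nil? || mac.nil?
  return {} unless secure_compare(sign(encoded), mac)
  JSON.parse(encoded.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  {}
end

# Constructed sample: a valid cookie, and a tampered blob reusing the old MAC.
COOKIE = dump_session('Blog' => { 'user_id' => 7 })
FORGED = [JSON.generate('Blog' => { 'user_id' => 1 })].pack('m0') +
         ':' + COOKIE.split(':', 2).last
```
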
Nice catch,

cookies support never really felt complete to me. Maybe we should put it in a different module?

Cheers,
zimbatm
I haven't read through all of camping yet, I only started playing with it seriously a few days ago, so I don't know where might be a better place for it. Maybe whatever it is which calls service could do the cookies. It would be nice if there was a way to set cookies long term too, though it isn't really important and for my app, the only place I'd be using it is to duplicate the form filling out functionality for my openid login box that all modern browsers already provide.

It is really refreshing for cookies to be so simple. I have very mixed feelings about making them 'complete'. If more complete cookie support were added, that would surely include the setting of expiry, this opens up another big change in that many apps set the same cookie over and over even though nothing has changed because they want the expiry to always be, for example, one week after the last page the user loaded. The framework currently doesn't make allowances for setting the same cookie over and over when no data has changed either.

Maybe it's best to stick with simple cookie support. If people really need much more I don't feel it unfair for them to need to hack it in themselves or move up to rails and the likes.

? Jenna ?Where's my equestrian hat?? Fox

On 18/05/2008, at 2:41 AM, zimbatm wrote:
> Nice catch,
>
> cookies support never really felt complete to me. Maybe we should put
> it in a different module ?
>
> Cheers,
> zimbatm
On Sat, May 17, 2008 at 3:10 PM, Bluebie, Jenna <blueberry at creativepony.com> wrote:
>
> Maybe it's best to stick with simple cookie support. If people really need
> much more I don't feel it unfair for them to need to hack it in themselves
> or move up to rails and the likes.
>

Move to Rails? Now that's just crazy talk. :P

Anyone who wants "complete" cookie support can add a little bit of code to their Camping app that looks like this:

    module Learning::CookieWrapper
      def service(*a)
        @cgi_cookies    = Camping::H.new
        @default_cookie = Camping::H.new.merge({ :path => '/' })
        response = super(*a)
        @cgi_cookies.each do |name, settings|
          c = @default_cookie.merge(settings); c.name = name
          cookie = CGI::Cookie.new(c); headers['Set-Cookie'].push(cookie.to_s)
        end
        response
      end
    end

Then, in your controllers, you can add hashes to @cgi_cookie that will be used to instantiate CGI::Cookie objects.

*Example Code:*

http://github.com/beppu/learning/commit/c6559d42adaf8624d836ecb8b4f6bfaf53255e47
http://github.com/beppu/learning/tree/master/learning.rb (lines 35-48, 51)
http://github.com/beppu/learning/tree/master/learning/controllers.rb (lines 142-150)

*Live Demo:*

http://learning.kicks-ass.org/

Submit a few bits of wisdom, and then go to:

http://learning.kicks-ass.org/env

Look at HTTP_COOKIE to verify that Camping can indeed have "complete" cookie support w/ just a little bit of extra code. Alternatively, if you have the Web Developer Toolbar for Firefox, you can look at [Cookies | View Cookie Information].

--beppu