hi!

is anybody of you using sessions without cookies (with get parameters instead)?

btw, what do you guys think, is it worth supporting users who have cookies disabled for a shop?

ciao!
florian
Currently, if users manage to get to the view shopping cart page with an empty shopping cart I tell them how to enable cookies.

Session info in the URL is too dangerous for a shop I think. Someone might post a link to a product on a board and everyone following this link is logged in with all user data available.

You can IP restrict sessions but that still leaves people behind big proxy servers vulnerable (ie AOL).

I added a small log entry so I'll be able to grep and see how often this happens after my shop launches.

On Sun, 2 Jan 2005 21:22:03 +0100, Florian Weber <csshsh-WuBoz9ku3QfAi70hqydFXw@public.gmane.org> wrote:
> hi!
>
> is anybody of you using sessions without cookies (with get parameters instead)?
>
> btw, what do you guys think, is it worth supporting users who have cookies disabled for a shop?
>
> ciao!
> florian
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

--
Tobi
http://blog.leetsoft.com
I agree that for online shopping, sessions encoded in the URL are a security issue waiting to happen. But for some apps using cookies also isn't an option because of browser limitations (e.g. most mobile browsers). So it would be nice to have this option available to the developer. I think this could be quite easy to implement in a Rails application, but I haven't got the time to dig into any Rails development for the next month or so. Does anyone have an example of how this could be implemented?

Julian

On Sun, 2 Jan 2005 22:31:45 -0500, Tobias Luetke <tobias.luetke-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Currently, if users manage to get to the view shopping cart page with
> an empty shopping cart I tell them how to enable cookies.
>
> Session info in the URL is too dangerous for a shop I think. Someone
> might post a link to a product on a board and everyone following this
> link is logged in with all user data available.
>
> You can IP restrict sessions but that still leaves people behind big
> proxy servers vulnerable (ie AOL).
>
> I added a small log entry so I'll be able to grep and see how often
> this happens after my shop launches.
>
> On Sun, 2 Jan 2005 21:22:03 +0100, Florian Weber <csshsh-WuBoz9ku3QfAi70hqydFXw@public.gmane.org> wrote:
> > hi!
> >
> > is anybody of you using sessions without cookies (with get parameters
> > instead)?
> >
> > btw, what do you guys think, is it worth supporting users who have
> > cookies disabled for a shop?
> >
> > ciao!
> > florian
>
> --
> Tobi
> http://blog.leetsoft.com
> I agree that for online shopping, sessions encoded in the URL are a
> security issue waiting to happen. But for some apps using cookies also
> isn't an option because of browser limitations (e.g. most mobile
> browsers). So it would be nice to have this option available to the

I'm working on an application for mobile devices and have to go the "session-in-url" route. So far I have just appended the session_id into every URL I create manually.

> developer. I think this could be quite easy to implement in a Rails
> application, but I haven't got the time to dig into any Rails
> development for the next month or so. Does anyone have an example of
> how this could be implemented?

Here's what I do:

In the controllers:

    redirect_to :action => "show", :controller => "stuff", :id => @stuff.id,
                :params => { "_session_id" => @session.session_id }

and in a view:

    <%= link_to "show", { :action => "show", :controller => "stuff", :id => @stuff.id,
                          :params => { "_session_id" => @session.session_id } },
                        { :accesskey => "*" } -%>

and for forms you need an additional field with the session_id:

    <input name="_session_id" type="hidden" value="<%= @session.session_id -%>"/>

I have thought about how to move that into the framework. I could imagine extending the url_... methods to tag the session_id into the URL if f.e. a global variable is true. Or the deluxe version: let the framework figure out by itself that there's no cookie support and start writing the session into the URL. That however leaves the forms that still need the additional field.

Jens-Christian
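The "deluxe version" from the post above as an added example (not Jens-Christian's code and not Rails API): a helper that appends `_session_id` to links and emits the hidden form field only while the client has not echoed the session cookie back, so that once cookies are confirmed the id stays out of URLs, Referer headers and pasted links. The class, its constructor arguments and the detection rule are assumptions for illustration.

```ruby
require 'cgi'

# Added example: propagates the session id the way the post does by hand,
# but only when the request carried no session cookie (assumed detection
# rule; a real app would confirm this on the second request).
class UrlSessionHelper
  PARAM = "_session_id"

  # session_id:        id of the current session
  # cookie_session_id: session id the request sent in its cookie, nil if none
  def initialize(session_id, cookie_session_id: nil)
    @session_id = session_id
    @use_url = cookie_session_id.nil?
  end

  # True when links and forms have to carry the session id themselves.
  def url_sessions?
    @use_url
  end

  # Builds path?k=v&... and appends _session_id only in URL-session mode.
  # An existing query string on the path is preserved.
  def url_for(path, params = {})
    params = params.dup
    params[PARAM] = @session_id if @use_url
    return path if params.empty?
    query = params.map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join("&")
    "#{path}#{path.include?('?') ? '&' : '?'}#{query}"
  end

  # Hidden field for forms: a GET form replaces the action URL's query string
  # with its own fields, so the id must travel as a field, as the post says.
  def session_field
    return "" unless @use_url
    %(<input name="#{PARAM}" type="hidden" value="#{CGI.escapeHTML(@session_id)}"/>)
  end
end
```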
On 03/01/2005, at 2:31 PM, Tobias Luetke wrote:
> Currently, if users manage to get to the view shopping cart page with
> an empty shopping cart I tell them how to enable cookies.
>
> Session info in the URL is too dangerous for a shop I think. Someone
> might post a link to a product on a board and everyone following this
> link is logged in with all user data available.

Well, from a business point of view, your client might say "it's too dangerous to only rely on cookies, because I'll lose sales", which is fair enough. PHP's trans-sid stuff is pretty good at deciding if a link or form needs to have the session ID appended, and the url_for, link_to etc functions could surely be extended to take care of this automatically.

> You can IP restrict sessions but that still leaves people behind big
> proxy servers vulnerable (ie AOL).

All you need to do is bind the session to *something* constant on the client side... my current preferred method is to use the user agent string (even if it's empty, it really should remain constant). Tracking the IP address as well (and only resetting the session if both change) would also be an option.

There's a bunch of other tricks in PHP which I'm sure apply to Rails as well. I learnt most of my PHP/Session/Security stuff off Chris Shiflett:

http://shiflett.org/articles/the-truth-about-sessions
http://shiflett.org/talks/phpworks2004/php-session-security

Sorry to drag the dirty acronym (PHP) in here, but perhaps all this can be integrated into Rails?

---
Justin French, Indent.com.au
justin.french-zULN+VWqVOIpAS55Wn97og@public.gmane.org
Web Application Development & Graphic Design
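Justin's binding rule as an added example (not his code and not a Rails session store): an in-memory store with the two policies he names, user agent only, or user agent plus IP with a reset only when both change. The request is a constructed hash, and since the User-Agent is client-supplied this raises the bar for a session id copied out of a forwarded link rather than guaranteeing anything.

```ruby
require 'securerandom'

# Added example: sessions bound to something constant on the client.
#   :user_agent  reset the session whenever the User-Agent changes
#   :both        track UA and IP, reset only when both change, so users
#                behind rotating proxy pools (the AOL case) keep their session
class BoundSessionStore
  Session = Struct.new(:id, :user_agent, :ip, :data)

  def initialize(policy: :user_agent)
    @policy = policy
    @sessions = {}
  end

  # request: constructed stand-in for a Rails request, a hash with :user_agent and :ip
  def create(request)
    id = SecureRandom.hex(16) # unguessable; never derived from client data
    @sessions[id] = Session.new(id, request[:user_agent].to_s, request[:ip], {})
  end

  # Returns the Session, or nil if the id is unknown or the binding no longer
  # matches. A mismatched session is destroyed so the id cannot be retried.
  def fetch(id, request)
    s = @sessions[id]
    return nil unless s
    if mismatch?(s, request)
      @sessions.delete(id)
      return nil
    end
    s
  end

  private

  def mismatch?(s, request)
    ua_changed = s.user_agent != request[:user_agent].to_s
    ip_changed = s.ip != request[:ip]
    case @policy
    when :user_agent then ua_changed
    when :both       then ua_changed && ip_changed
    else raise ArgumentError, "unknown policy #{@policy}"
    end
  end
end
```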
On 03/01/2005, at 11:37 PM, Jens-Christian Fischer wrote:
>> I agree that for online shopping, sessions encoded in the URL are a
>> security issue waiting to happen. But for some apps using cookies also
>> isn't an option because of browser limitations (e.g. most mobile
>> browsers). So it would be nice to have this option available to the
>
> I'm working on an application for mobile devices and have to go the
> "session-in-url" route. So far I have just appended the session_id
> into every URL I create manually.
>
>> developer. I think this could be quite easy to implement in a Rails
>> application, but I haven't got the time to dig into any Rails
>> development for the next month or so. Does anyone have an example of
>> how this could be implemented?
>
> Here's what I do:
>
> In the controllers:
> redirect_to :action => "show", :controller => "stuff", :id => @stuff.id,
>             :params => { "_session_id" => @session.session_id }
>
> and in a view:
> <%= link_to "show", { :action => "show", :controller => "stuff", :id => @stuff.id,
>                       :params => { "_session_id" => @session.session_id } },
>                     { :accesskey => "*" } -%>

I think these can be taken care of with default_url_options <http://api.rubyonrails.org/classes/ActionController/Base.html#M000069>.

> and for forms you need an additional field with the session_id:
> <input name="_session_id" type="hidden" value="<%= @session.session_id -%>"/>

... which could be taken care of with a helper, or perhaps the url_for method used in the form tag would propagate the session, removing the need for a form element.

> I have thought about how to move that into the framework. I could
> imagine extending the url_... methods to tag the session_id into the
> URL if f.e. a global variable is true. Or the deluxe version: let the
> framework figure out by itself that there's no cookie support and
> start writing the session into the URL.

Exactly (see my other post in this thread).

---
Justin French, Indent.com.au
justin.french-zULN+VWqVOIpAS55Wn97og@public.gmane.org
Web Application Development & Graphic Design
Justin French wrote:
> All you need to do is bind the session to *something* constant on the
> client side... my current preferred method is to use the user agent
> string (even if it's empty, it really should remain constant).
> Tracking the IP address as well (and only resetting the session if
> both change) would also be an option.
>
> There's a bunch of other tricks in PHP which I'm sure apply to Rails
> as well. I learnt most of my PHP/Session/Security stuff off Chris
> Shiflett:
>
> http://shiflett.org/articles/the-truth-about-sessions
> http://shiflett.org/talks/phpworks2004/php-session-security
>
> Sorry to drag the dirty acronym (PHP) in here, but perhaps all this
> can be integrated into Rails?

Those were some good articles--thanks for sharing. And you don't need to apologize about PHP. :-) It is a decent language that many of us learned how to do web programming on, and I still think that good web apps can be written with it. I prefer ruby/rails, but given the choice between Java and PHP for web programming, I'd choose PHP any day.