From what I read (but I could be wrong) sessions in Rails won''t work unless users have cookies enabled. Java overcomes this problem putting the session ID at the end of the links you use as a parameters to all the requests, and using that parameter instead of the cookie. Looks like this shouldn''t be a big issue using the to_url method. Has anyone ever thinked about it? Has it already been done?
Some people have talked about this once alredy on the list: http://wrath.rubyonrails.org/pipermail/rails/2005-January/ thread.html#1357 Unfortunately Rails doesn''t have a built-in solution to this. The problem I see with setting the Session id with default_url_options is that it''s *always* gonna be set in links, regardless whether the client has cookies or not. They shouldn''t be set when the client has cookies. PHP solves by always adding the session id to all the links on the first request by a client, and subsequent requests only have the session id appended if the client doesn''t support cookies. It''s a big shortcoming because either we all have to close the door to all the clients that don''t support cookies, something which is not acceptable in a commercial environment, or each one of us throws together some code again and again to make Rails support this more or less. Are there any Rails core developers that care to elaborate why the decision was taking of not supporting something like PHP''s trans-sid at all? Oh and if anyone has solved this and cares to share some code, that would be awesome :) roob On Sep 29, 2005, at 12:45 PM, Leonardo Francalanci wrote:> From what I read (but I could be wrong) sessions in Rails won''t > work unless users have cookies enabled. Java overcomes this problem > putting the session ID at the end of the links you use as a > parameters to all the requests, and using that parameter instead of > the cookie. Looks like this shouldn''t be a big issue using the > to_url method. Has anyone ever thinked about it? Has it already > been done? > > > _______________________________________________ > Rails mailing list > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > http://lists.rubyonrails.org/mailman/listinfo/rails > >
There seems to be a bug that has been first reported by "mklame" (the bug is quite old, it was reported about a year ago): http://dev.rubyonrails.com/ticket/210 That bug prevents session_ids being successfully transported across POST requests. This means that serving Rails pages that use sessions to people without cookies is EFFECTIVELY BROKEN currently. Here are the cases where transporting the session_id in a form work, and where they don''t work. a) BROKEN: A form with the _session_id in the action, and a normal/ default enctype (application/x-www-form-urlencoded). b) BROKEN: A form with the _session_id in the action, and an enctype="multipart/form-data". c) WORKS: A form with the _session_id in a hidden field, and a normal/default enctype (application/x-www-form-urlencoded). c) BROKEN: A form with the _session_id in a hidden field, and an enctype="multipart/form-data". WORKS means that the _session_id on the target page is successfully handled, i.e. the session object "absorbs" the session id from the params BROKEN means that the _session_id on the target page is NOT handled successfully, i.e. a NEW session object is created, regardless of the fact that there''s a _session_id attribute in the params Does anyone have an idea whether this is a CGI.rb bug or Rails bug? I''m launching a project in a couple of weeks, and I need to support people that don''t have cookies. Any ideas would be apppreciated :) Rob
On 29-sep-2005, at 12:45, Leonardo Francalanci wrote:> From what I read (but I could be wrong) sessions in Rails won''t > work unless users have cookies enabled. Java overcomes this problem > putting the session ID at the end of the links you use as a > parameters to all the requests, and using that parameter instead of > the cookie. Looks like this shouldn''t be a big issue using the > to_url method. Has anyone ever thinked about it? Has it already > been done? >I think you can easily rewrite url_for method to add a session ID if the user has no cookie set. def url_for(*opts) if #cookie not present opts[0][:session_id] = "bla" end super(*opts) end something like that. But I agree Rails has to take care of it automatically. -- Julian "Julik" Tarkhanov
I have that. This is my code:
application.rb
=======class ApplicationController < ActionController::Base
before_filter :accepts_cookies_test
def accepts_cookies_test
cookies[:accepts_cookies] = ''true''
end
end
environment.rb
========class ActionController::Base
def default_url_options(options)
{ ''_session_id'' => session.session_id } unless cookies
[:accepts_cookies]
end
end
pure GET requests are not the problem. Problem''s arise when I want to
propagate the session_id using a form to the next page. And those
problems are bugs that prevent me from doing that.
cheers,
Rob> I think you can easily rewrite url_for method to add a session ID
> if the user has no cookie set.
Don''t forget also about view caching. If you add session_id to the list of url params then view caching could not possible anymore. At least if there is present links. On 10/17/05, Robert <mannl-KK0ffGbhmjU@public.gmane.org> wrote:> > I have that. This is my code: > > application.rb > =======> class ApplicationController < ActionController::Base > before_filter :accepts_cookies_test > def accepts_cookies_test > cookies[:accepts_cookies] = ''true'' > end > end > > environment.rb > ========> class ActionController::Base > def default_url_options(options) > { ''_session_id'' => session.session_id } unless cookies > [:accepts_cookies] > end > end > > > pure GET requests are not the problem. Problem''s arise when I want to > propagate the session_id using a form to the next page. And those > problems are bugs that prevent me from doing that. > > > cheers, > Rob > > I think you can easily rewrite url_for method to add a session ID > > if the user has no cookie set. > _______________________________________________ > Rails mailing list > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > http://lists.rubyonrails.org/mailman/listinfo/rails >-- anatol _______________________________________________ Rails mailing list Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org http://lists.rubyonrails.org/mailman/listinfo/rails
Thanks for pointing that out.> Don''t forget also about view caching. If you add session_id to the > list of url params then view caching could not possible anymore. At > least if there is present links.I''m also gonna look into the Rails Framework code today to see if I can find that bug. Does Rails use cgi.rb from the Standard Library? If so, then maybe the bug''s in there, and not in Rails. Rob