Grab it while it's hot: http://weblog.rubyonrails.org/2007/11/29/rails-2-0-release-candidate-2

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.

Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?

Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.

/ Peter
Running...

rake rails:freeze:edge TAG=rel_2-0-0_RC2

terminates part way through with...

svn: URL 'http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice' doesn't exist

and doesn't pull down activeresource. Just running it a second time succeeds. Deleting the vendor/rails directory and trying again reproduces the problem.

--
http://www.5valleys.com/
http://www.workingwithrails.com/person/8078
You should search this list as this is posted frequently.

-Bill

Jon Garvin wrote:
> Running...
>
> rake rails:freeze:edge TAG=rel_2-0-0_RC2
>
> terminates part way through with...
>
> svn: URL 'http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice' doesn't exist
>
> and doesn't pull down activeresource. Just running it a second time succeeds. Deleting the vendor/rails directory and trying again reproduces the problem.

--
Sincerely,
William Pratt
I think an excellent place to post it is *with the announcement*. If you're announcing a new version (of anything, not just Rails), and you know people are probably going to have a problem upgrading, but the current workaround to the problem is an absurdly easy two keystrokes (up arrow, enter key), then just mention it with the announcement. Don't make everyone waste valuable time hunting for the simple solution to a problem you knew they were going to have.

William Pratt wrote:
> You should search this list as this is posted frequently.
>
> -Bill
>
> Jon Garvin wrote:
>
>> Running...
>>
>> rake rails:freeze:edge TAG=rel_2-0-0_RC2
>>
>> terminates part way through with...
>>
>> svn: URL 'http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice' doesn't exist
>>
>> and doesn't pull down activeresource. Just running it a second time succeeds. Deleting the vendor/rails directory and trying again reproduces the problem.

--
http://www.5valleys.com/
http://www.workingwithrails.com/person/8078
Sounds reasonable to me. Maybe suggest it to them on the rails-core list?

Jon Garvin wrote:
> I think an excellent place to post it is *with the announcement*. If you're announcing a new version (of anything, not just Rails), and you know people are probably going to have a problem upgrading, but the current workaround to the problem is an absurdly easy two keystrokes (up arrow, enter key), then just mention it with the announcement. Don't make everyone waste valuable time hunting for the simple solution to a problem you knew they were going to have.
>
> William Pratt wrote:
>> You should search this list as this is posted frequently.
>>
>> -Bill
>>
>> Jon Garvin wrote:
>>
>>> Running...
>>>
>>> rake rails:freeze:edge TAG=rel_2-0-0_RC2
>>>
>>> terminates part way through with...
>>>
>>> svn: URL 'http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice' doesn't exist
>>>
>>> and doesn't pull down activeresource. Just running it a second time succeeds. Deleting the vendor/rails directory and trying again reproduces the problem.
>
> --
> http://www.5valleys.com/
> http://www.workingwithrails.com/person/8078

--
Sincerely,
William Pratt
Peter Bengtson
2007-Nov-30 08:43 UTC
Re: Session Fixation overprotection problem in Rails 2.0 RC2
Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have had to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.

/ Peter Bengtson

On 29 Nov 2007, at 11.10, Peter Bengtson wrote:
> I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.
>
> Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?
>
> Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.
Frederick Cheung
2007-Nov-30 08:52 UTC
Re: Session Fixation overprotection problem in Rails 2.0 RC2
On 30 Nov 2007, at 08:43, Peter Bengtson wrote:
>
> Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have had to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.
>

You need ActionController::Base.session_options[:cookie_only] = false

Fred

> / Peter Bengtson
>
> On 29 Nov 2007, at 11.10, Peter Bengtson wrote:
>
>> I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.
>>
>> Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?
>>
>> Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.
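A small Ruby model of the `:cookie_only` gate that Fred's switch turns off, added here as an example (it is not code from the thread or from Rails itself): it shows why a session id arriving in the parameters trips `SessionFixationAttempt`, what disabling the gate for the whole application allows, and a narrower, hypothetical per-action relaxation that covers only the applet's upload path. The request hashes, `session_id_for`, `global_off`, `scoped_allow` and the paths are constructed assumptions.

```ruby
# Added example, not code from the thread or from Rails: a toy model of the
# Rails 2.0 RC2 ":cookie_only" session gate. Request shape, function names
# and paths are constructed assumptions.
class SessionFixationAttempt < StandardError; end

# request: { path:, cookies: {...}, params: {...} }, only the fields the
# gate inspects. Returns the session id to use, or nil if none was sent.
def session_id_for(request, cookie_only: true, param_allowed_paths: [])
  cookie_id = request[:cookies]['session_id']
  param_id  = request[:params]['session_id']

  # An id the browser sends as a cookie was chosen by the server earlier,
  # not by whoever crafted the link or form, so it is always accepted.
  return cookie_id if cookie_id
  return nil if param_id.nil?

  # The RC2 behaviour: an id carried in the parameters is refused unless
  # the gate is switched off for the whole application...
  return param_id unless cookie_only
  # ...or, in this model only, the action is explicitly allowed to take
  # its id from parameters (what the upload applet actually needs).
  return param_id if param_allowed_paths.include?(request[:path])

  raise SessionFixationAttempt, "session id in parameters for #{request[:path]}"
end

# Constructed sample requests.
APPLET_UPLOAD = { path: '/images/upload', cookies: {},
                  params: { 'session_id' => 'abc123' } }  # applet, no cookie
FIXATION_LINK = { path: '/account', cookies: {},
                  params: { 'session_id' => 'evil42' } }  # attacker-chosen id
BROWSER_HIT   = { path: '/account', cookies: { 'session_id' => 'cook99' },
                  params: {} }                             # normal browser

# Fred's fix, session_options[:cookie_only] = false, corresponds to
# cookie_only: false here: every action now honours parameter ids.
def global_off(request)
  session_id_for(request, cookie_only: false)
end

# Narrower alternative: keep the gate on everywhere except the upload path.
def scoped_allow(request)
  session_id_for(request, param_allowed_paths: ['/images/upload'])
end
```

With the gate off globally, an id planted in any link to any action is honoured; the scoped variant still rejects it everywhere except the one action that genuinely cannot send a cookie.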
Peter Bengtson
2007-Nov-30 08:59 UTC
Re: Session Fixation overprotection problem in Rails 2.0 RC2
Many thanks!

/ Peter

On 30 Nov 2007, at 09.52, Frederick Cheung wrote:
>
> On 30 Nov 2007, at 08:43, Peter Bengtson wrote:
>
>> Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have had to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.
>>
>
> You need ActionController::Base.session_options[:cookie_only] = false
>
> Fred
>
>> / Peter Bengtson
>>
>> On 29 Nov 2007, at 11.10, Peter Bengtson wrote:
>>
>>> I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.
>>>
>>> Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?
>>>
>>> Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.