I'm trying to figure out how I should set my session options for Rails 2.3.

In Rails 2.2:

    session :cookie_only => false, :only => :swf_upload

In Rails 2.3, it looks like I need to use:

    request.session_options['cookie_only'] = false

But how do I tell it that I only want that option on a specific method in the controller (the :only option)?

Thanks!
Tom

p.s. The old way works, but the deprecation warnings are driving me nuts when I run my tests.

I am having exactly the same problem. However, for me, old:

    class ImagesController < ApplicationController
      session :cookie_only => false
    end

does *not* work anymore. TomRossi7, can you double check does it work for you, please?

The only way I worked this around, is to get sessions directly from SessionStore, which is extremely bad. Also I can't find tests regarding cookie_only option in 2.3.

On Mar 23, 1:44 am, TomRossi7 <t...-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote:
> I'm trying to figure out how I should set my session options for Rails
> 2.3. In Rails 2.2:
>
> session :cookie_only => false, :only => :swf_upload
>
> In Rails 2.3, it looks like I need to use:
>
> request.session_options['cookie_only'] = false
>
> But how do I tell it that I only want that option on a specific method
> in the controller (the :only option)?
>
> Thanks!
> Tom
>
> p.s. The old way works, but the deprecation warnings are driving me
> nuts when I run my tests.

Have you tried using the following in your controller?

    session_options['cookie_only'] = false

I think that will work, I just don't know how to specify which methods I want to apply the option.

On Mar 23, 6:04 am, hawkerb <h_a_...-IjDXvh/HVVUAvxtiuMwx3w@public.gmane.org> wrote:
> I am having exactly the same problem. However, for me, old:
>
> class ImagesController < ApplicationController
>   session :cookie_only => false
> end
>
> does *not* work anymore. TomRossi7, can you double check does it work
> for you, please?
>
> The only way I worked this around, is to get sessions directly from
> SessionStore, which is extremely bad. Also I can't find tests
> regarding cookie_only option in 2.3.
>
> On Mar 23, 1:44 am, TomRossi7 <t...-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote:
>
> > I'm trying to figure out how I should set my session options for Rails
> > 2.3. In Rails 2.2:
>
> > session :cookie_only => false, :only => :swf_upload
>
> > In Rails 2.3, it looks like I need to use:
>
> > request.session_options['cookie_only'] = false
>
> > But how do I tell it that I only want that option on a specific method
> > in the controller (the :only option)?
>
> > Thanks!
> > Tom
>
> > p.s. The old way works, but the deprecation warnings are driving me
> > nuts when I run my tests.

Yves-eric Martin
2009-Sep-09 06:11 UTC
Potential fix to broken session_options in Rails 2.3
Hi all,

Reviving this old thread with a

I am developing a site that needs to be accessible to mobile phones, and I am having issues with session tracking. While the default "cookie_only" session tracking makes a lot of sense (it prevents session fixation attacks), there are these cases when your clients do not support cookies (say, many mobile phones, for example) and you just need to do request-parameter-based session tracking.

One should be able to use the "cookie_only" session option and set it to "false" where appropriate, but this is seriously broken in Rails 2.3. From my tests so far:

1) Setting a default by adding "config.action_controller.session = {:cookie_only => false}" in environment.rb DOES work.

2) Inside your controller (say, a before_filter method), "request.session_options[:cookie_only] = false" to false will NOT work.

Unfortunately, 1) is not an acceptable solution, as it opens the whole site to session fixation attacks.

FWIW, I think I have traced down the culprit to the load_session method in active_store.rb around line 165:

    sid = request.cookies[@key]
    unless @cookie_only
      sid ||= request.params[@key]
    end

This code becomes a problem in 2.3, because the session has been pushed down to the Rack middleware layer, where your abstract_store gets initialized once and for all, way before any of your controller code gets executed. As a result, your abstract_store's @cookie_only and @key are set once and for all, according to the default session options. Any further changes to the session_options[:cookie_only] or session_options[:key] will simply be ignored.

Here is a tentative monkey patch that restores the proper functionality of session_options[:cookie_only] and session_options[:key]. HTH.

    #######################################################################
    # Monkey patch to allow per-controller/action setting of :cookie_only
    # and :key session options
    #######################################################################
    module ActionController
      module Session
        class AbstractStore
          private

          def load_session(env)
            request = Rack::Request.new(env)
            key = request.session_options[:key]
            cookie_only = request.session_options[:cookie_only]
            sid = request.cookies[key]
            unless cookie_only
              sid ||= request.params[key]
            end
            sid, session = get_session(env, sid)
            [sid, session]
          end
        end
      end
    end

--
Posted via http://www.ruby-forum.com/.

hello Martin, Please forgive my terrible English.

I tried your monkey patch, but it didn't work well.

I tried like next,

------
class Mobile::BaseController < ApplicationController
  before_filter :cookie_only_off

  protected

  def cookie_only_off
    RAILS_DEFAULT_LOGGER.info "call set optiion" # LOGGING
    request.session_options[:cookie_only] = false
  end
end

module ActionController
  module Session
    class AbstractStore
      private

      def load_session(env)
        RAILS_DEFAULT_LOGGER.info "call load_session" # LOGGING
        request = Rack::Request.new(env)
        key = request.session_options[:key]
        cookie_only = request.session_options[:cookie_only]
        sid = request.cookies[key]
        unless cookie_only
          sid ||= request.params[key]
        end
        sid, session = get_session(env, sid)
        [sid, session]
      end
    end
  end
end
------

I watched my log, Logger said "call load_session", "call set optiion".

I think the load_session method called first, so I cannot set "cookie_only option".

Can I get another way of setting "cookie_only option"?

Thank you for reading my terrible English.

--
densya

Yves-eric Martin
2009-Sep-11 02:01 UTC
Re: Potential fix to broken session_options in Rails 2.3
スクルト神守 wrote:
> hello Martin, Please forgive my terrible English.
>
> I tried your monkey patch,
> but it didn't work well.

Yes, I just found out myself the patch is only a partial solution: it worked on my simple prototype, but once integrated into my production system, it stopped working. Like you, I found that "load session" was happening before "set option".

The problem is that the session is automatically loaded as soon as something tries to use it. So if some plugin uses the session before your controller gets control, then the session will be loaded before your before_filter can set the options correctly.

What you can do to find the culprit: use the ruby debugger and add a "debugger" statement inside the load_session monkey patch function, then run your server with "script/server --debugger". When you try to access your site, your console will drop into the debugger, and you can issue a "where" command, that will give you a stack trace, so you can find out what triggered the call to load_session.

In my case, it was the render_component plugin. Unfortunately, I do need the render_component plugin (for my admin pages that use ActiveScaffold)...

So, the problem is still open... Can anyone help? Should I file a bug report?

--
Yves-Eric Martin

--
Posted via http://www.ruby-forum.com/.
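
The two behaviours described in this thread, as an added example that is not part of any post and is not Rails code: a stand-alone Ruby model of the session-id lookup, comparing options frozen at middleware start-up with options read per request, and showing what happens when the session is loaded before the before_filter runs. The class names, `run_request`, the `_sid` key and the sample request are constructed for illustration.

```ruby
# Stand-alone model of the session-id lookup discussed in this thread.
# All names are hypothetical; this is not Rails code.

# Options captured once at boot, like the @key / @cookie_only described above.
class FrozenOptionStore
  def initialize(key, cookie_only)
    @key, @cookie_only = key, cookie_only
  end

  def session_id(env)
    sid = env[:cookies][@key]
    sid ||= env[:params][@key] unless @cookie_only
    sid
  end
end

# Options read from the request on every load, like the monkey patch.
class PerRequestStore
  def session_id(env)
    opts = env[:session_options]
    sid = env[:cookies][opts[:key]]
    sid ||= env[:params][opts[:key]] unless opts[:cookie_only]
    sid
  end
end

# Loads the session id on first use and keeps that result for the request.
class LazySession
  def initialize(store, env)
    @store, @env, @loaded = store, env, false
  end

  def id
    @id = @store.session_id(@env) unless @loaded
    @loaded = true
    @id
  end
end

# Constructed request: no cookie, session id sent as a request parameter.
# early_access models a plugin touching the session before the before_filter.
def run_request(store, early_access)
  env = { :cookies => {}, :params => { "_sid" => "abc123" },
          :session_options => { :key => "_sid", :cookie_only => true } }
  session = LazySession.new(store, env)
  session.id if early_access
  env[:session_options][:cookie_only] = false # what the before_filter does
  session.id
end
```

With the frozen store the parameter-borne id is ignored even after the filter flips the option; with the per-request store it is accepted only when nothing loads the session before the filter. Any action that does accept a session id from request parameters takes whatever id the URL carries, so calling `reset_session` at login keeps a pre-set id from surviving authentication.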