is it true that Rails depend on cookies? It seems that flash is a part of session, and session uses cookies... so when i disable cookie in Firefox, what was working became ActionController::InvalidAuthenticityToken so is it true that for a RoR app to work, cookies are mandatory? -- Posted via http://www.ruby-forum.com/.
Because HTTP is stateless, information that is stored while navigating from page to page, even if it''s just from one page to another, has to be stored somewhere. One solution to this is to use a session database, but even then, the session id is usually stored in a cookie. For things like the flash in a RoR rails app, cookies are the better solution as the flash just relay''s messages related to the state of the application. I believe there is going to be in-browser storage as part of the W3C HTML 5 standard but until then we are stuck with cookies On May 25, 10:45 pm, SpringFlowers AutumnMoon <rails-mailing- l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> is it true that Rails depend on cookies? It seems that flash is a part > of session, and session uses cookies... so when i disable cookie in > Firefox, what was working became > > ActionController::InvalidAuthenticityToken > > so is it true that for a RoR app to work, cookies are mandatory? > -- > Posted viahttp://www.ruby-forum.com/.
SpringFlowers AutumnMoon wrote:> is it true that Rails depend on cookies? It seems that flash is a part > of session, and session uses cookies... so when i disable cookie in > Firefox, what was working became > > ActionController::InvalidAuthenticityToken > > so is it true that for a RoR app to work, cookies are mandatory?Rails itself uses cookies only for its session store. From Rails 2.3 onwards, the session store is initialized lazily: if you don''t use it in a request, then it''s not initialized. Forgery protection indeed relies on the session store, but you can disable it. So theoretically: no, Rails apps don''t require cookies. But what are the practical reasons to be concerned about them? -- Roderick van Domburg http://www.nedforce.com -- Posted via http://www.ruby-forum.com/.
SpringFlowers AutumnMoon wrote:> is it true that Rails depend on cookies? It seems that flash is a part > of session, and session uses cookies... so when i disable cookie in > Firefox, what was working became > > ActionController::InvalidAuthenticityToken > > so is it true that for a RoR app to work, cookies are mandatory?FYI: Cookies are required for practically every web based application on the internet. This is not at all unique to Rails. There are only a limited number of ways to maintain session state. 1. Using cookies (my guess is > 80% of sites use this method), 2. Putting a session id in the URL (ugly, but works). 3. Hidden fields in forms to pass state from one request to another (very ugly, but requires no client-side storage of state). 4. HTML 5 local session storage (not practical since it''ll take Microsoft years to support HTML 5. They can barely do HTML 4). I believe option 4 is the way forward since it provides all the benefits of cookies, and practically none of their shortcomings. Just don''t expect that to be practical anytime soon. Note: Safari 4 public beta has complete support for HTML 5 local storage (maybe others too). Let''s just hope the others eventually catch up. -- Posted via http://www.ruby-forum.com/.
Roderick van Domburg wrote:> So theoretically: no, Rails apps don''t require cookies. But what are the > practical reasons to be concerned about them?because i was trying a Rails app (from the book Simply Rails 2.0)... and at the "Flash" part, (not Adobe Flash), it talks about next action passing of info... and without saying how it works. Another book (Rails Recipe) says that it is part of the Session object, and it uses cookies to do it. So I instantly disabled cookie on Firefox using Web Developer add-on, and then, my Rails site that was working before now gave an error... and didn''t work... that''s the concern... turning off cookie broke my Rails app. -- Posted via http://www.ruby-forum.com/.
SpringFlowers AutumnMoon wrote:> Roderick van Domburg wrote: > >> So theoretically: no, Rails apps don''t require cookies. But what are the >> practical reasons to be concerned about them? > > because i was trying a Rails app (from the book Simply Rails 2.0)... and > at the "Flash" part, (not Adobe Flash), it talks about next action > passing of info... and without saying how it works. Another book (Rails > Recipe) says that it is part of the Session object, and it uses cookies > to do it. > > So I instantly disabled cookie on Firefox using Web Developer add-on, > and then, my Rails site that was working before now gave an error... and > didn''t work... > > that''s the concern... turning off cookie broke my Rails app.Generally speaking, yes it will. Just like it will break almost any web application Rails or otherwise. :) -- Posted via http://www.ruby-forum.com/.
Robert Walker wrote:>> that''s the concern... turning off cookie broke my Rails app. > > Generally speaking, yes it will. Just like it will break almost any web > application Rails or otherwise. :)or to put it this way, if to make the Rails app work even when user turns off cookie, is there a simple and quick way? is it simpler if there is only one server (Apache running Passenger (mod_rails))? -- Posted via http://www.ruby-forum.com/.
Robert Walker wrote:> SpringFlowers AutumnMoon wrote: >> Roderick van Domburg wrote: >> >>> So theoretically: no, Rails apps don''t require cookies. But what are the >>> practical reasons to be concerned about them?[...]>> >> So I instantly disabled cookie on Firefox using Web Developer add-on, >> and then, my Rails site that was working before now gave an error... and >> didn''t work... >> >> that''s the concern... turning off cookie broke my Rails app. > > Generally speaking, yes it will. Just like it will break almost any web > application Rails or otherwise. :)Well, PHP''s session management will automatically fall back to putting session ID in the URL. I believe JSP does this too. Is there no way to get Rails to do likewise? (I''m a lot less concerned about this than SpringFlowers seems to be, but some people really need or want to avoid cookies. Since this problem was solved long since for other Web technologies, I''m a bit surprised that it is not so for Rails.) Best, -- Marnen Laibow-Koser http://www.marnen.org marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org -- Posted via http://www.ruby-forum.com/.
Robert Walker wrote:> SpringFlowers AutumnMoon wrote: >> is it true that Rails depend on cookies? It seems that flash is a part >> of session, and session uses cookies... so when i disable cookie in >> Firefox, what was working became >> >> ActionController::InvalidAuthenticityToken >> >> so is it true that for a RoR app to work, cookies are mandatory? > > FYI: Cookies are required for practically every web based application on > the internet. This is not at all unique to Rails. There are only a > limited number of ways to maintain session state. 1. Using cookies (my > guess is > 80% of sites use this method), 2. Putting a session id in the > URL (ugly, but works). 3. Hidden fields in forms to pass state from one > request to another (very ugly, but requires no client-side storage of > state). 4. HTML 5 local session storage (not practical since it''ll take > Microsoft years to support HTML 5. They can barely do HTML 4). > > I believe option 4 is the way forward since it provides all the benefits > of cookies, and practically none of their shortcomings. Just don''t > expect that to be practical anytime soon. Note: Safari 4 public beta has > complete support for HTML 5 local storage (maybe others too). Let''s just > hope the others eventually catch up.I assume that users will have the option to disable HTML 5 browser-local storage. I also assume that people who turn off cookies will most likely disable local storage. In that event, I''m not sure how this solves the problem, and we''re at square one again. Just a thought. Cheers, Darrik -- Darrik Mazey DarmaSoft, LLC. 1627 Marigold Avenue Akron, Ohio 44301-2627 office: 330.983.9941 fax: 330.983.9942 mobile: 330.808.2025 darrik-Gf2+yCQnhs/by3iVrkZq2A@public.gmane.org To obtain my public key, send an email to darrik-3ZOItiUs85MiPIIhehe3Qcs1TgCmPrKF@public.gmane.org
Darrik Mazey wrote: [...]> I assume that users will have the option to disable HTML 5 browser-local > storage. I also assume that people who turn off cookies will most > likely disable local storage.That is an excellent point. Best, -- Marnen Laibow-Koser http://www.marnen.org marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org -- Posted via http://www.ruby-forum.com/.