Hello, I am working on a project which needs cookies enabled. When I disable cookies in the browser (IE 7 / IE 8) I am not able to login/signup because everything depends on session/cookies. So how can I make this work for sessions without cookies in Rails? Is there any way? Thanks.
-- Posted via http://www.ruby-forum.com/.
You will have to use a database session store. The default with Rails is a cookie-based session store which is stored in the browser.
http://guides.rubyonrails.org/action_controller_overview.html chapter 4 - sessions
heimdull wrote:
> You will have to use a database session store. The default with rails
> is a cookie based session store which is stored in the browser.
> http://guides.rubyonrails.org/action_controller_overview.html
> chapter 4 - sessions

Thanks, I am going to look at this.
-- Posted via http://www.ruby-forum.com/.
On 02 Oct 2009, at 09:49, heimdull wrote:
> You will have to use a database session store. The default with rails
> is a cookie based session store which is stored in the browser.
> http://guides.rubyonrails.org/action_controller_overview.html
> chapter 4 - sessions

That won't help, since the session id is still managed through cookies. You might check out http://github.com/tatyree/cookieless_sessions/

However, cookieless sessions (where the session id is passed on through parameters) is generally a bad idea and poses a very big security risk (users can post a url with the session part included).

Best regards

Peter De Berdt

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Thanks, Peter. But I am getting the following error. Am I doing something wrong?

C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore (NameError)
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `const_get'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `session_store='
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `send'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `initialize_framework_settings'
    ... 30 levels...
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from script/server:3

-- Posted via http://www.ruby-forum.com/.
On 02 Oct 2009, at 11:45, Ruby on Rails wrote:
> Thanks , Peter
> But i am getting following error , am i doing wrong ?
>
> C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/
> active_support/dependencies.rb:478:in
> `const_missing': uninitialized constant CGI::Session::MemCacheStore

You are using Rails 2.0.2, which might not have had the MemCacheStore implemented yet. That's exactly what the error message says. Just use ActiveRecordStore instead (make sure you generate your sessions migration with "rake db:sessions:create"):

    config.action_controller.session_store = :active_record_store

Also, beware if you upgrade to Rails 2.3, the session management has changed significantly, per the release notes:

CGI::Session::CookieStore has been replaced by ActionController::Session::CookieStore.
CGI::Session::MemCacheStore has been replaced by ActionController::Session::MemCacheStore.
CGI::Session::ActiveRecordStore has been replaced by ActiveRecord::SessionStore.

You'll need to patch the plugin probably if you want to use it with Rails 2.3.

It does seem that you are missing some basic but fundamental insight in the framework you're using, might be a good idea to start reading some books, watch some screencasts and read up on some blogs and even plugin code to get yourself familiar with what's going on. It's generally just a good idea to not blindly use a plugin, but look into the API and code itself to at least grasp what's going on in this rapidly evolving Rails world. Don't count on others to fix issues for you, because they might have moved on since then and not maintain the plugin anymore when a new version is released that breaks it.

Best regards

Peter De Berdt
Thanks for your guidance. I will keep your suggestion in mind.
-- Posted via http://www.ruby-forum.com/.
On Fri, Oct 2, 2009 at 1:02 AM, Peter De Berdt <peter.de.berdt-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org> wrote:
> However, cookieless sessions (where the session id is passed on through
> parameters is

one view: "generally a bad idea and poses a very big security risk (users can post a url with the session part included)."

another view: an accepted practice on other platforms aware that mandating the use of cookies for full functionality may be culturally inappropriate or outright illegal. And if there's anything sensitive -- financial, health, personal privacy -- involved in your app, then you should be using SSL anyway, which negates the above concern. :-)

FWIW,
--
Hassan Schroeder ------------------------ hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
twitter: @hassan
On 03 Oct 2009, at 05:25, Hassan Schroeder wrote:
>> However, cookieless sessions (where the session id is passed on
>> through
>> parameters is
>
> one view: "generally a bad idea and poses a very big security risk
> (users can post a url with the session part included)."
>
> another view: an accepted practice on other platforms aware that
> mandating the use of cookies for full functionality may be culturally
> inappropriate or outright illegal. And if there's anything
> sensitive --
> financial, health, personal privacy -- involved in your app, then you
> should be using SSL anyway, which negates the above concern. :-)

You are missing the point here. Let's say you have average Joe using your site and logging in to get to personal information. He wants to link a public part of the site on Facebook and copies the url and pastes it in Facebook:

https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf

Whether you are using SSL or not, anyone that clicks the url before the session expires, will be logged in as average Joe, unless you somehow bind sessions to IPs or whatever. Even then certain privacy issues would come into play if someone on the same network would click the url.

Using cookies is a way of protecting users against themselves.

Best regards

Peter De Berdt
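The shared-link scenario described in the message above leaves a trace in the web server's access log. The following Ruby script is an added example, not part of the original thread and not code from Rails or the cookieless_sessions plugin; it flags `_session_id` values in request URLs that were used from more than one client address or reached through a link on another site. The combined log format, the host `mysite.example`, the sample lines and the name `shared_session_ids` are assumptions made for the example.

```ruby
require "uri"
require "set"

# Constructed sample lines in combined log format; hosts, addresses and ids are made up.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [03/Oct/2009:10:00:01 +0000] "GET /account?_session_id=4da564c784511cdf HTTP/1.1" 200 512 "https://mysite.example/login" "Mozilla/4.0 (MSIE 8.0)"
  198.51.100.7 - - [03/Oct/2009:10:02:10 +0000] "GET /some-public-part/article-1?_session_id=4da564c784511cdf HTTP/1.1" 200 900 "https://mysite.example/account" "Mozilla/4.0 (MSIE 8.0)"
  203.0.113.44 - - [03/Oct/2009:10:09:30 +0000] "GET /some-public-part/article-1?_session_id=4da564c784511cdf HTTP/1.1" 200 900 "https://social.example/feed" "Mozilla/5.0 (Firefox/3.5)"
  192.0.2.15 - - [03/Oct/2009:10:11:00 +0000] "GET /some-public-part/article-2?_session_id=9f00aa1122334455 HTTP/1.1" 200 700 "-" "Mozilla/4.0 (MSIE 7.0)"
LOG

# Captures: client address, request target, Referer header.
LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"/

# Returns { session_id => { ips: Set, referers: Set } } for ids carried in the
# query string that were used from more than one address or reached via a link
# on another site. own_host and param are assumptions of this example.
def shared_session_ids(log, own_host:, param: "_session_id")
  seen = Hash.new { |h, k| h[k] = { ips: Set.new, referers: Set.new } }
  log.each_line do |line|
    m = LINE_RE.match(line) or next
    ip, target, referer = m.captures
    query = target.split("?", 2)[1] or next
    sid = URI.decode_www_form(query).assoc(param)&.last
    next if sid.nil? || sid.empty?
    seen[sid][:ips] << ip
    ref_host = URI.parse(referer).host
    seen[sid][:referers] << ref_host if ref_host && ref_host != own_host
  rescue ArgumentError, URI::InvalidURIError
    next # unparsable query string or Referer: skip the rest of this line
  end
  seen.select { |_sid, v| v[:ips].size > 1 || !v[:referers].empty? }
end

if __FILE__ == $PROGRAM_NAME
  shared_session_ids(SAMPLE_LOG, own_host: "mysite.example").each do |sid, v|
    puts "#{sid}: addresses=#{v[:ips].to_a.join(',')} external referers=#{v[:referers].to_a.join(',')}"
  end
end
```

A session id seen from two addresses can also be one client changing networks, so a hit is a candidate for review or session invalidation rather than proof of sharing.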
Hello Peter, I have solved the issue with the cookieless_sessions gem. But at the security level, is that proper? Thanks.
-- Posted via http://www.ruby-forum.com/.
On 03 Oct 2009, at 14:45, Ruby on Rails wrote:
> i have solved issue with cookieless_sessions gem.But at security level
> is that proper ?

Personally, I wouldn't use cookieless sessions unless you have a very good reason to believe a lot of your users won't have cookies enabled. Sessions should never store private data, simple. Using the cookiestore has a couple of advantages that make it my preferred way of managing sessions:

- URLs don't carry any session related data, so your user can't accidentally post it on a public site
- Using the ActiveRecord store will hit the database for sessions on every request and you have to find a way to clean them on a regular basis
- Using the MemCache store uses memory and depending on what you deploy it on (memory constrained VPS), you'll have to make sacrifices: use more memory or have sessions expire really quickly
- Using the CookieStore just moves the session data to the client side and passes it on with every request

I know people coming from the PHP world, where it used to be very common to include session data in the url or post parameters, have the tendency to want to stick to that way of handling things. However, these days disabling cookies is so uncommon (they're nothing more than a little text file and all browsers have it enabled by default) that I see no reason not to use them. We've been using them for so long, they've not caused any problems when used properly (i.e. store only a very small amount of data, such as the user id) and they take away any reason to take any additional resources on the server just for the sake of session management.

But that's just how I feel, some people may disagree.

Best regards

Peter De Berdt