[ANN] Rails 2.0: Release Candidate 2

Grab it while it’s hot:

I’m using a Java applet (dndplus) to upload images. In order to do
this, it is necessary to pass the session id along with the parameters
to maintain session data. This has worked just fine up to now;
however, in Rails 2.0 RC2, any upload attempt results in a
SessionFixationAttempt exception, since RC2 now only allows the
“session_id” parameter to be passed from cookies.

Is there a way to turn off this new behaviour, short of monkey-
patching the session method itself?

Automatic session fixation protection is great, but sometimes it is
quite legitimate to pass in a session id in this way.

/ Peter

Running…

rake rails:freeze:edge TAG=rel_2-0-0_RC2

terminates part way through with…

svn: URL
http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice
doesn’t exist

and doesn’t pull down activeresource. Just running it a second time
succeeds. Deleting the vendor/rails directory and trying again
reproduces the problem.


http://www.5valleys.com/
http://www.workingwithrails.com/person/8078

I think an excellent place to post it is with the announcement. If
you’re announcing a new version (of anything, not just Rails), and you
know people are probably going to have a problem upgrading, but the
current workaround to the problem is an absurdly easy two keystrokes (up
arrow, enter key), then just mention it with the announcement. Don’t
make everyone waste valuable time hunting for the simple solution to a
problem you knew they were going to have.

William P. wrote:

terminates part way through with…



You should search this list as this is posted frequently.

-Bill

Jon G. wrote:

and doesn’t pull down activeresource. Just running it a second time
succeeds. Deleting the vendor/rails directory and trying again
reproduces the problem.


Sincerely,

William P.

Sounds reasonable to me. Maybe suggest it to them on the rails-core
list?

Jon G. wrote:

svn: URL




Sincerely,

William P.

Nobody who has any input on this? As we have a RC for 2.0, this seems
to be the right place to ask this question. As it is now, I have had
to monkey-patch away the session fixation check in
ActionController::CgiRequest::session. There no longer seems to be any
way to legitimately pass in a session id, since Edge and RC2 disallow
it except from cookies.

/ Peter B.

On 29 Nov 2007, at 11:10, Peter B. wrote:

On 30 Nov 2007, at 08:43, Peter B. wrote:

Nobody who has any input on this? As we have a RC for 2.0, this seems
to be the right place to ask this question. As it is now, I have had
to monkey-patch away the session fixation check in
ActionController::CgiRequest::session. There no longer seems to be any
way to legitimately pass in a session id, since Edge and RC2 disallow
it except from cookies.

You need ActionController::Base.session_options[:cookie_only] = false

Fred
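
What the cookie-only check discussed above guards against, and a narrower alternative to switching it off everywhere, as an added plain-Ruby model (not Rails' implementation and not code from this thread). SessionResolver, the param_actions allowlist, the rotate helper and the sample store are assumptions made for illustration; SessionFixationAttempt here is a local stand-in for the exception named in the thread.

```ruby
require 'securerandom'

# Local stand-in for the exception named in the thread.
class SessionFixationAttempt < StandardError; end

# Hypothetical model of how a framework decides which session id to trust.
class SessionResolver
  # param_actions: assumed allowlist of actions that may take the id from parameters.
  def initialize(store, cookie_only: true, param_actions: [])
    @store = store
    @cookie_only = cookie_only
    @param_actions = param_actions
  end

  # Returns the session id the request is bound to, nil if none, or raises.
  def resolve(action:, cookies: {}, params: {})
    return known(cookies['session_id']) if cookies['session_id']
    id = params['session_id']
    return nil unless id
    if @cookie_only && !@param_actions.include?(action)
      raise SessionFixationAttempt, "session_id supplied outside cookies for #{action}"
    end
    known(id)
  end

  # Issue a fresh id at login so an id planted before authentication is useless.
  def rotate(old_id)
    data = @store.delete(old_id) || {}
    new_id = SecureRandom.hex(16)
    @store[new_id] = data
    new_id
  end

  private

  # Only ids the server issued are accepted; unknown ids are never adopted.
  def known(id)
    @store.key?(id) ? id : nil
  end
end

# Constructed sample data: one server-issued session.
STORE = { 'a' * 32 => { user: 'peter' } }
STRICT = SessionResolver.new(STORE)                                  # cookie-only everywhere
UPLOAD_ONLY = SessionResolver.new(STORE, param_actions: ['upload'])  # exception for one action
```

Limiting the parameter path to the single upload action and rotating the id at login keeps the exposure smaller than disabling the check for every request.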

Many thanks!

/ Peter

On 30 Nov 2007, at 09:52, Frederick C. wrote: