Cookies are mandatory for Rails app?

Is it true that Rails depends on cookies? It seems that flash is a part
of session, and session uses cookies… so when I disable cookies in
Firefox, what was working became

ActionController::InvalidAuthenticityToken

so is it true that for a RoR app to work, cookies are mandatory?

Because HTTP is stateless, information that is stored while navigating
from page to page, even if it’s just from one page to another, has to
be stored somewhere. One solution to this is to use a session
database, but even then, the session id is usually stored in a
cookie. For things like the flash in a RoR rails app, cookies are the
better solution as the flash just relays messages related to the
state of the application.

I believe there is going to be in-browser storage as part of the W3C
HTML 5 standard, but until then we are stuck with cookies.

On May 25, 10:45 pm, SpringFlowers AutumnMoon <rails-mailing-

SpringFlowers AutumnMoon wrote:

Is it true that Rails depends on cookies? It seems that flash is a part
of session, and session uses cookies… so when I disable cookies in
Firefox, what was working became

ActionController::InvalidAuthenticityToken

so is it true that for a RoR app to work, cookies are mandatory?

Rails itself uses cookies only for its session store. From Rails 2.3
onwards, the session store is initialized lazily: if you don’t use it in
a request, then it’s not initialized. Forgery protection indeed relies
on the session store, but you can disable it.

So theoretically: no, Rails apps don’t require cookies. But what are the
practical reasons to be concerned about them?


Roderick van Domburg
http://www.nedforce.com
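
Added example (not part of the thread, and not Rails source code): a simplified Ruby model of why a browser with cookies disabled ends up at the error quoted above. It assumes the forgery-protection token is kept in a signed session cookie and echoed back in a form field; the secret, the helper names and the session key are constructed for illustration.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "json"

SECRET = "constructed-demo-secret" # constructed value, stands in for the app secret
class InvalidAuthenticityToken < StandardError; end

# Constant-time string comparison, so the check does not leak a prefix match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialize the session into a cookie value protected by an HMAC.
def sign(session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)}"
end

# A missing or tampered cookie yields an empty session, never an exception.
def load_session(cookie)
  return {} if cookie.nil? || cookie.empty?
  data, mac = cookie.split("--", 2)
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data.to_s)
  return {} unless mac && secure_equal?(mac, expected)
  JSON.parse(Base64.strict_decode64(data))
end

# GET: put a token in the session; return [Set-Cookie value, hidden form field].
def render_form(cookie)
  session = load_session(cookie)
  session["_csrf_token"] ||= SecureRandom.hex(16)
  [sign(session), session["_csrf_token"]]
end

# POST: the form token must match the token stored in the session cookie.
def handle_post(cookie, form_token)
  expected = load_session(cookie)["_csrf_token"]
  raise InvalidAuthenticityToken unless expected && secure_equal?(expected, form_token.to_s)
  :ok
end

# A browser that either stores the Set-Cookie value or silently drops it.
def submit_form(cookies_enabled:)
  set_cookie, form_token = render_form(nil)
  handle_post(cookies_enabled ? set_cookie : nil, form_token)
rescue InvalidAuthenticityToken
  :invalid_authenticity_token
end
```

With cookies dropped, the POST arrives with a valid form token but no session to compare it against, so the check fails closed rather than accepting an unverifiable request.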

SpringFlowers AutumnMoon wrote:

Is it true that Rails depends on cookies? It seems that flash is a part
of session, and session uses cookies… so when I disable cookies in
Firefox, what was working became

ActionController::InvalidAuthenticityToken

so is it true that for a RoR app to work, cookies are mandatory?

FYI: Cookies are required for practically every web based application on
the internet. This is not at all unique to Rails. There are only a
limited number of ways to maintain session state. 1. Using cookies (my
guess is > 80% of sites use this method), 2. Putting a session id in the
URL (ugly, but works). 3. Hidden fields in forms to pass state from one
request to another (very ugly, but requires no client-side storage of
state). 4. HTML 5 local session storage (not practical since it’ll take
Microsoft years to support HTML 5. They can barely do HTML 4).

I believe option 4 is the way forward since it provides all the benefits
of cookies, and practically none of their shortcomings. Just don’t
expect that to be practical anytime soon. Note: Safari 4 public beta has
complete support for HTML 5 local storage (maybe others too). Let’s just
hope the others eventually catch up.

Roderick van Domburg wrote:

So theoretically: no, Rails apps don’t require cookies. But what are the
practical reasons to be concerned about them?

Because I was trying a Rails app (from the book Simply Rails 2.0)… and
at the “Flash” part (not Adobe Flash), it talks about next action
passing of info… and without saying how it works. Another book (Rails
Recipe) says that it is part of the Session object, and it uses cookies
to do it.

So I instantly disabled cookies on Firefox using Web D. add-on,
and then, my Rails site that was working before now gave an error… and
didn’t work…

That’s the concern… turning off cookies broke my Rails app.

Robert W. wrote:

That’s the concern… turning off cookies broke my Rails app.

Generally speaking, yes it will. Just like it will break almost any web
application Rails or otherwise. :)

Or to put it this way: to make the Rails app work even when the user
turns off cookies, is there a simple and quick way?

Is it simpler if there is only one server (Apache running Passenger
(mod_rails))?

SpringFlowers AutumnMoon wrote:

Roderick van Domburg wrote:

So theoretically: no, Rails apps don’t require cookies. But what are the
practical reasons to be concerned about them?

Because I was trying a Rails app (from the book Simply Rails 2.0)… and
at the “Flash” part (not Adobe Flash), it talks about next action
passing of info… and without saying how it works. Another book (Rails
Recipe) says that it is part of the Session object, and it uses cookies
to do it.

So I instantly disabled cookies on Firefox using Web D. add-on,
and then, my Rails site that was working before now gave an error… and
didn’t work…

That’s the concern… turning off cookies broke my Rails app.

Generally speaking, yes it will. Just like it will break almost any web
application Rails or otherwise. :)

Robert W. wrote:

SpringFlowers AutumnMoon wrote:

Roderick van Domburg wrote:

So theoretically: no, Rails apps don’t require cookies. But what are the
practical reasons to be concerned about them?
[…]

So I instantly disabled cookies on Firefox using Web D. add-on,
and then, my Rails site that was working before now gave an error… and
didn’t work…

That’s the concern… turning off cookies broke my Rails app.

Generally speaking, yes it will. Just like it will break almost any web
application Rails or otherwise. :)

Well, PHP’s session management will automatically fall back to putting
session ID in the URL. I believe JSP does this too. Is there no way to
get Rails to do likewise?

(I’m a lot less concerned about this than SpringFlowers seems to be, but
some people really need or want to avoid cookies. Since this problem
was solved long since for other Web technologies, I’m a bit surprised
that it is not so for Rails.)

Best,

Marnen Laibow-Koser
http://www.marnen.org

Darrik Mazey wrote:
[…]

I assume that users will have the option to disable HTML 5 browser-local
storage. I also assume that people who turn off cookies will most
likely disable local storage.

That is an excellent point.

Best,

Marnen Laibow-Koser
http://www.marnen.org

Robert W. wrote:

the internet. This is not at all unique to Rails. There are only a
complete support for HTML 5 local storage (maybe others too). Let’s just
hope the others eventually catch up.

I assume that users will have the option to disable HTML 5 browser-local
storage. I also assume that people who turn off cookies will most
likely disable local storage. In that event, I’m not sure how this
solves the problem, and we’re at square one again.

Just a thought.

Cheers,
Darrik

