Hello,
I am working on a project which needs cookies enabled. When I disable cookies
in the browser (IE 7 / IE 8) I am not able to login/signup, because everything
depends on Session/cookies. So how can I make this work for Session without
cookies in Rails?
Is there any way?
You will have to use a database session store. The default with Rails
is a cookie-based session store which is stored in the browser. See Action Controller Overview — Ruby on Rails Guides,
chapter 4 - Sessions.
Thanks, Peter.
But I am getting the following error. Am I doing something wrong?
C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore (NameError)
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `const_get'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `session_store='
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `send'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `initialize_framework_settings'
     ... 30 levels...
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from script/server:3
You will have to use a database session store. The default with rails
is a cookie based session store which is stored in the browser. Action Controller Overview — Ruby on Rails Guides
chapter 4 - sessions
However, cookieless sessions (where the session id is passed on
through parameters) are generally a bad idea and pose a very big
security risk (users can post a URL with the session part included).
You are using Rails 2.0.2, which might not have had the MemCacheStore
implemented yet. That's exactly what the error message says. Just use
ActiveRecordStore instead (make sure you generate your sessions
migration with "rake db:sessions:create"):
Also, beware if you upgrade to Rails 2.3: the session management has
changed significantly, per the release notes:
CGI::Session::CookieStore has been replaced by ActionController::Session::CookieStore.
CGI::Session::MemCacheStore has been replaced by ActionController::Session::MemCacheStore.
CGI::Session::ActiveRecordStore has been replaced by ActiveRecord::SessionStore.
You’ll need to patch the plugin probably if you want to use it with
Rails 2.3.
It does seem that you are missing some basic but fundamental insight
in the framework you’re using, might be a good idea to start reading
some books, watch some screencasts and read up on some blogs and even
plugin code to get yourself familiar with what’s going on. It’s
generally just a good idea to not blindly use a plugin, but look into
the API and code itself to at least grasp what’s going on in this
rapidly evolving Rails world. Don’t count on others to fix issues for
you, because they might have moved on since then and not maintain the
plugin anymore when a new version is released that breaks it.
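The configuration the answer above points at, written out as an added example (this is not code posted in the thread and not the Rails guides' text). It assumes a Rails 2.0.x application; the session key and secret are placeholders, the migration body is the one the Rails 2.x generator produces for `rake db:sessions:create`, and the cleanup rake task and the `CGI::Session::ActiveRecordStore::Session` model name are the 2.0–2.2 names (2.3 renamed that class to `ActiveRecord::SessionStore::Session`, as the release-note excerpt above says).

```ruby
# config/environment.rb (Rails 2.0.x) -- inside the Rails::Initializer.run block.
Rails::Initializer.run do |config|
  # Keep session data on the server; the browser only ever receives the session id.
  # ActiveRecordStore exists in 2.0.2, unlike MemCacheStore (hence the NameError above).
  config.action_controller.session_store = :active_record_store

  # Rails 2.0 still requires a session key and a secret even with a server-side store.
  # Both values are placeholders for this example; generate a long random secret.
  config.action_controller.session = {
    :session_key => '_myapp_session',
    :secret      => 'REPLACE_WITH_A_LONG_RANDOM_SECRET'
  }
end

# db/migrate/NNN_create_sessions.rb -- equivalent to what `rake db:sessions:create`
# generates. The updated_at index is what makes periodic cleanup cheap.
class CreateSessions < ActiveRecord::Migration
  def self.up
    create_table :sessions do |t|
      t.string :session_id, :null => false
      t.text   :data
      t.timestamps
    end
    add_index :sessions, :session_id
    add_index :sessions, :updated_at
  end

  def self.down
    drop_table :sessions
  end
end

# lib/tasks/sessions.rake -- example cleanup task (assumption: scheduled from cron).
# A database store never forgets a session on its own, so stale rows must be
# removed explicitly; one day of inactivity is an arbitrary constructed cutoff.
namespace :sessions do
  desc 'Delete sessions that have not been touched for a day'
  task :expire => :environment do
    CGI::Session::ActiveRecordStore::Session.delete_all(['updated_at < ?', 1.day.ago])
  end
end
```

With this store the cookie the browser gets holds only the session id, so a user who cannot accept cookies still cannot be served unless the id is moved into the URL, which is exactly the trade-off the rest of the thread argues about.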
sensitive –
financial, health, personal privacy – involved in your app, then you
should be using SSL anyway, which negates the above concern.
You are missing the point here. Let’s say you have average Joe using
your site and logging in to get to personal information. He wants to
link a public part of the site on Facebook and copies the url and
pastes it in Facebook: https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf
Whether you are using SSL or not, anyone that clicks the url before
the session expires, will be logged in as average Joe, unless you
somehow bind sessions to IPs or whatever. Even then certain privacy
issues would come into play if someone on the same network would click
the url.
Using cookies is a way of protecting users against themselves.
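The leak described above is easy to check for on the server side. The following is an added example (not code from the thread or from any gem mentioned in it): a small Ruby script that flags `_session_id` parameters in URLs and in constructed access-log lines, and strips them before a URL is handed to a "share this" feature. The parameter list, the `leaked_session_requests` and `strip_session_id` names and the sample log lines are all constructed for the example; the example URL reuses the session id quoted in the post above.

```ruby
require 'uri'
require 'cgi'

# Query-parameter names that cookieless-session schemes put in the URL.
# _session_id is the Rails name from the thread; the others are assumed
# here for illustration and can be extended.
SESSION_PARAMS = %w[_session_id session_id PHPSESSID jsessionid].freeze

# True when the URL (absolute or path-only) carries a session id in its query.
def session_id_in_url?(url)
  query = URI.parse(url).query
  return false if query.nil?
  params = CGI.parse(query)
  SESSION_PARAMS.any? { |name| params.key?(name) }
rescue URI::InvalidURIError
  false
end

# Remove session parameters so the remaining link is safe to share.
def strip_session_id(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  kept = uri.query.split('&').reject do |pair|
    SESSION_PARAMS.include?(CGI.unescape(pair.split('=', 2).first))
  end
  uri.query = kept.empty? ? nil : kept.join('&')
  uri.to_s
end

# Constructed access-log lines in Apache/nginx combined format. The first one
# is the Facebook click-through the post above describes.
SAMPLE_LOG = [
  '203.0.113.5 - - [02/Oct/2009:01:02:03 +0200] "GET /some-public-part/article-1?_session_id=4da564c784511cdf HTTP/1.1" 200 5120 "http://www.facebook.com/" "Mozilla/4.0"',
  '203.0.113.7 - - [02/Oct/2009:01:02:09 +0200] "GET /some-public-part/article-1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
  '198.51.100.2 - - [02/Oct/2009:01:03:00 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0"'
].freeze

REQUEST_LINE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/
MASK_PATTERN = /(#{SESSION_PARAMS.join('|')})=[^&\s]+/

# Returns the request paths that carried a session id, with the id masked so
# the report itself does not become a second copy of the secret.
def leaked_session_requests(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    match = REQUEST_LINE.match(line)
    next if match.nil?
    path = match[1]
    next unless session_id_in_url?(path)
    hits << path.gsub(MASK_PATTERN) { "#{Regexp.last_match(1)}=<masked>" }
  end
end

if __FILE__ == $0
  leaked_session_requests(SAMPLE_LOG).each { |hit| puts "session id in URL: #{hit}" }
  puts strip_session_id('https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf')
end
```

Run it on real logs and a non-empty result means session ids are reaching third parties through shared links and Referer headers; the fix is the one the thread recommends, keeping the id in a cookie, rather than masking after the fact.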
On Fri, Oct 2, 2009 at 1:02 AM, Peter De Berdt [email protected] wrote:
However, cookieless sessions (where the session id is passed on through
parameters is
one view: “generally a bad idea and poses a very big security risk
(users can post a url with the session part included).”
another view: an accepted practice on other platforms, aware that
mandating the use of cookies for full functionality may be culturally
inappropriate or outright illegal. And if there's anything sensitive –
financial, health, personal privacy – involved in your app, then you
should be using SSL anyway, which negates the above concern.
I have solved the issue with the cookieless_sessions gem. But at the security level,
is that proper?
Personally, I wouldn’t use cookieless sessions unless you have a very
good reason to believe a lot of your users won’t have cookies enabled.
Sessions should never store private data, simple.
Using the CookieStore has a couple of advantages that make it my
preferred way of managing sessions:
- URLs don't carry any session related data, so your user can't
  accidentally post it on a public site
- Using the ActiveRecord store will hit the database for sessions on
  every request and you have to find a way to clean them on a regular
  basis
- Using the MemCache store uses memory and depending on what you
  deploy it on (memory constrained VPS), you'll have to make sacrifices:
  use more memory or have sessions expire really quickly
- Using the CookieStore just moves the session data to the client side
  and passes it on with every request
I know people coming from the PHP world, where it used to be very
common to include session data in the url or post parameters, have the
tendency to want to stick to that way of handling things. However,
these days disabling cookies is so uncommon (they’re nothing more than
a little text file and all browsers have it enabled by default) that I
see no reason not to use them. We’ve been using them for so long,
they’ve not caused any problems when used properly (i.e. store only
very small amount of data, such as the user id) and they take away any
reason to take any additional resources on the server just for the
sake of session management. But that’s just how I feel, some people
may disagree.
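To make concrete what "moves the session data to the client side" means, and why the post insists on storing only small, non-private values such as the user id, here is an added example of a stripped-down signed session cookie in plain Ruby. It is not Rails' own CookieStore (which in 2.x serializes with Marshal and signs with HMAC-SHA1); this version uses JSON and HMAC-SHA256 so that nothing is deserialized before the signature is verified. The secret, the 4096-byte limit (the usual per-cookie browser cap, which Rails' CookieStore also enforces) and the function names are assumptions for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Single-cookie size cap; anything bigger is silently dropped by browsers.
MAX_COOKIE_BYTES = 4096

class CookieOverflow < StandardError; end

# Serialize and sign the session hash. The payload is only base64-encoded,
# not encrypted: the user can read it, so it must not hold private data.
# The HMAC only guarantees the server wrote it and it was not altered.
def encode_session(session, secret)
  data   = Base64.strict_encode64(JSON.generate(session))
  digest = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  cookie = "#{data}--#{digest}"
  if cookie.bytesize > MAX_COOKIE_BYTES
    raise CookieOverflow, "session cookie is #{cookie.bytesize} bytes"
  end
  cookie
end

# Compare two strings without leaking where they first differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the cookie is malformed, was signed
# with a different secret, or had its payload changed. The payload is parsed
# only after the signature checks out.
def decode_session(cookie, secret)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, data)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# Walk through the three cases a reader of the post cares about: a normal
# round trip, a client editing the payload, and a client trying to stuff too
# much into the cookie. Returns the outcomes so they can be checked.
def demo(secret = 'constructed-secret-for-the-example-only')
  cookie = encode_session({ 'user_id' => 42 }, secret)
  data, digest = cookie.split('--', 2)

  # Keep the server's signature but claim to be user 1: must be rejected.
  forged = "#{Base64.strict_encode64(JSON.generate({ 'user_id' => 1 }))}--#{digest}"

  overflowed = begin
    encode_session({ 'blob' => 'x' * 5000 }, secret)
    false
  rescue CookieOverflow
    true
  end

  {
    :round_trip => decode_session(cookie, secret),
    :visible    => JSON.parse(Base64.strict_decode64(data)), # what the client can read
    :forged     => decode_session(forged, secret),
    :overflowed => overflowed
  }
end

puts demo.inspect if __FILE__ == $0
```

The `:visible` entry is the point of the post's "store only the user id" advice: signing stops the client from changing the session, but it does not hide it, so anything a user must not see belongs in the database behind that id rather than in the cookie.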
Best regards
Peter De Berdt