I am working on a project which needs cookies enabled. When I disable cookies
from the browser (IE 7 / IE 8) I am not able to login/signup because all
Session/cookies. So how can I make this work for Session without cookies?
Is there any way?
Thanks, Peter
But I am getting the following error, am I doing something wrong?
C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore (NameError)
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `const_get'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `session_store='
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `send'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `initialize_framework_settings'
     ... 30 levels...
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
You are using Rails 2.0.2, which might not have had the MemCacheStore
implemented yet. That’s exactly what the error message says. Just use
ActiveRecordStore instead (make sure you generate your sessions
migration with “rake db:sessions:create”):
Also, beware if you upgrade to Rails 2.3, the session management has
changed significantly, per the release notes:
CGI::Session::CookieStore has been replaced
CGI::Session::MemCacheStore has been replaced
CGI::Session::ActiveRecordStore has been replaced
You’ll need to patch the plugin probably if you want to use it with
It does seem that you are missing some basic but fundamental insight
in the framework you’re using, might be a good idea to start reading
some books, watch some screencasts and read up on some blogs and even
plugin code to get yourself familiar with what’s going on. It’s
generally just a good idea to not blindly use a plugin, but look into
the API and code itself to at least grasp what’s going on in this
rapidly evolving Rails world. Don’t count on others to fix issues for
you, because they might have moved on since then and not maintain the
plugin anymore when a new version is released that breaks it.
Whether you are using SSL or not, anyone that clicks the url before
the session expires, will be logged in as average Joe, unless you
somehow bind sessions to IPs or whatever. Even then certain privacy
issues would come into play if someone on the same network would click
Using cookies is a way of protecting users against themselves.
However, cookieless sessions (where the session id is passed on through
one view: “generally a bad idea and poses a very big security risk
(users can post a url with the session part included).”
another view: an accepted practice on other platforms aware that
inappropriate or outright illegal. And if there’s anything sensitive
financial, health, personal privacy – involved in your app, then you
should be using SSL anyway, which negates the above concern.
I have solved the issue with the cookieless_sessions gem. But at the security
level, is that proper?
Personally, I wouldn’t use cookieless sessions unless you have a very
good reason to believe a lot of your users won’t have cookies enabled.
Sessions should never store private data, simple.
Using the cookiestore has a couple of advantages that make it my
preferred way of managing sessions:
- URLs don’t carry any session related data, so your user can’t
  accidentally post it on a public site
- Using the ActiveRecord store will hit the database for sessions on
  every request and you have to find a way to clean them on a regular
- Using the MemCache store uses memory and depending on what you
  deploy it on (memory constrained VPS), you’ll have to make sacrifices:
  use more memory or have sessions expire really quickly
- Using the CookieStore just moves the session data to the client side
  and passes it on with every request
I know people coming from the PHP world, where it used to be very
common to include session data in the url or post parameters, have the
tendency to want to stick to that way of handling things. However,
these days disabling cookies is so uncommon (they’re nothing more than
a little text file and all browsers have it enabled by default) that I
see no reason not to use them. We’ve been using them for so long,
they’ve not caused any problems when used properly (i.e. store only
a very small amount of data, such as the user id) and they take away any
reason to take any additional resources on the server just for the
sake of session management. But that’s just how I feel, some people
Peter De Berdt
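
The trade-off described in the post above (session data moved to the client, so keep it small and non-private) can be seen in a signed-cookie sketch. This is an added example, not code from the thread and not Rails' own CookieStore implementation; the secret, the JSON serialization, the SHA-256 HMAC and all method names are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed secret for this example only; a real application uses a long
# random value kept out of source control.
SECRET = 'constructed-example-secret-not-for-production'

def hmac(payload, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, payload)
end

# Strict Base64 via pack/unpack ('m0' rejects malformed input with ArgumentError).
def encode(data)
  [JSON.generate(data)].pack('m0')
end

def decode(payload)
  JSON.parse(payload.unpack1('m0').force_encoding('UTF-8'))
end

# Cookie value = encoded session data + "--" + HMAC over that data.
def sign_session(data, secret = SECRET)
  payload = encode(data)
  "#{payload}--#{hmac(payload, secret)}"
end

# Constant-time comparison so the check does not reveal how many characters matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the session hash, or nil when the cookie is malformed or was altered.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  return nil unless secure_compare(digest, hmac(payload, secret))
  decode(payload)
rescue ArgumentError, JSON::ParserError
  nil
end

# What the browser's owner can read without the secret: the whole payload.
# Signing protects integrity, not confidentiality.
def client_view(cookie)
  decode(cookie.split('--', 2).first)
end
```

A cookie whose payload is swapped for another user id while the old digest is kept fails `verify_session`, but `client_view` shows that anything placed in the session is readable on the client.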