Problem with cookie in IE

Hello,
I am working on a project which needs cookies enabled. When I disable cookies
in the browser (IE 7 / IE 8) I am not able to log in/sign up because it all
depends on sessions/cookies. So how can I make this work with sessions without
cookies in Rails?
Is there any way?

Thanks.

You will have to use a database session store. The default with rails
is a cookie based session store which is stored in the browser.

chapter 4 - sessions

heimdull wrote:

You will have to use a database session store. The default with rails
is a cookie based session store which is stored in the browser.
Action Controller Overview — Ruby on Rails Guides
chapter 4 - sessions

Thanks,
I am going to look at this.

Thanks, Peter.
But I am getting the following error. Am I doing something wrong?

C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore (NameError)
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `const_get'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `session_store='
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `send'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `initialize_framework_settings'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `each'
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `initialize_framework_settings'
     ... 30 levels...
    from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
    from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
    from script/server:3

On 02 Oct 2009, at 09:49, heimdull wrote:

You will have to use a database session store. The default with rails
is a cookie based session store which is stored in the browser.
Action Controller Overview — Ruby on Rails Guides
chapter 4 - sessions

That won’t help, since the session id is still managed through
cookies. You might check out
http://github.com/tatyree/cookieless_sessions/

However, cookieless sessions (where the session id is passed on
through parameters) is generally a bad idea and poses a very big
security risk (users can post a url with the session part included).

Best regards

Peter De Berdt

On 02 Oct 2009, at 11:45, Ruby on Rails wrote:

Thanks, Peter.
But I am getting the following error. Am I doing something wrong?

C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore

You are using Rails 2.0.2, which might not have had the MemCacheStore
implemented yet. That’s exactly what the error message says. Just use
ActiveRecordStore instead (make sure you generate your sessions
migration with “rake db:sessions:create”):

config.action_controller.session_store = :active_record_store

Also, beware if you upgrade to Rails 2.3, the session management has
changed significantly, per the release notes:

CGI::Session::CookieStore has been replaced by ActionController::Session::CookieStore.
CGI::Session::MemCacheStore has been replaced by ActionController::Session::MemCacheStore.
CGI::Session::ActiveRecordStore has been replaced by ActiveRecord::SessionStore.
You’ll need to patch the plugin probably if you want to use it with
Rails 2.3.

It does seem that you are missing some basic but fundamental insight
in the framework you’re using, might be a good idea to start reading
some books, watch some screencasts and read up on some blogs and even
plugin code to get yourself familiar with what’s going on. It’s
generally just a good idea to not blindly use a plugin, but look into
the API and code itself to at least grasp what’s going on in this
rapidly evolving Rails world. Don’t count on others to fix issues for
you, because they might have moved on since then and not maintain the
plugin anymore when a new version is released that breaks it.

Best regards

Peter De Berdt

Thanks for your guidance. I will keep your suggestion in mind.

On 03 Oct 2009, at 05:25, Hassan S. wrote:

sensitive –
financial, health, personal privacy – involved in your app, then you
should be using SSL anyway, which negates the above concern. :)

You are missing the point here. Let’s say you have average Joe using
your site and logging in to get to personal information. He wants to
link a public part of the site on Facebook and copies the url and
pastes it in Facebook:
https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf

Whether you are using SSL or not, anyone that clicks the url before
the session expires, will be logged in as average Joe, unless you
somehow bind sessions to IPs or whatever. Even then certain privacy
issues would come into play if someone on the same network would click
the url.

Using cookies is a way of protecting users against themselves.

Best regards

Peter De Berdt
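
The shared-link risk described in the message above can be checked for on the server side. The following Ruby code is an added example, not part of the original thread or of the cookieless_sessions plugin: it flags any URL-borne `_session_id` presented by more than one client IP and strips the parameter from a URL before it is logged or offered as a share link. The log layout, the sample lines and the function names are assumptions made for illustration.

```ruby
require 'uri'

SESSION_PARAM = '_session_id' # parameter name from the URL quoted in the post above

# Constructed sample access-log lines (client IP, then request line); not from the thread.
SAMPLE_LOG = <<~LOG
  198.51.100.7 "GET /account?_session_id=aaaa1111bbbb2222 HTTP/1.1"
  198.51.100.7 "GET /some-public-part/article-1?_session_id=aaaa1111bbbb2222 HTTP/1.1"
  203.0.113.45 "GET /some-public-part/article-1?_session_id=aaaa1111bbbb2222 HTTP/1.1"
  192.0.2.99 "GET /account?page=2&_session_id=cccc3333dddd4444 HTTP/1.1"
  192.0.2.99 "GET /some-public-part/article-1 HTTP/1.1"
LOG

LINE_RE = /\A(\S+) "[A-Z]+ (\S+) HTTP\/[\d.]+"\z/ # assumed log layout

# Return the session id carried in a request target's query string, or nil.
def session_id_in(target)
  query = target.split('?', 2)[1]
  return nil if query.nil?
  URI.decode_www_form(query).assoc(SESSION_PARAM)&.last
rescue ArgumentError # malformed form encoding in the query string
  nil
end

# Map each URL-borne session id to the distinct client IPs that presented it,
# keeping only ids seen from more than one address (a link that was passed on).
def shared_session_ids(log)
  seen = Hash.new { |hash, sid| hash[sid] = [] }
  log.each_line do |line|
    match = LINE_RE.match(line.chomp)
    sid = match && session_id_in(match[2])
    seen[sid] |= [match[1]] if sid
  end
  seen.select { |_sid, ips| ips.size > 1 }
end

# Remove the session parameter from a URL before it is logged or offered as a
# "share this page" link; other query parameters are kept.
def scrub_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  kept = URI.decode_www_form(uri.query).reject { |key, _| key == SESSION_PARAM }
  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  uri.to_s
end

p shared_session_ids(SAMPLE_LOG)
```

A user whose address changes mid-session (mobile networks, proxies) will also match, so a hit is a lead to investigate rather than proof of a shared link.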

Hello Peter,

I have solved the issue with the cookieless_sessions gem. But at the security
level, is that proper?

Thanks.

On Fri, Oct 2, 2009 at 1:02 AM, Peter De Berdt wrote:

However, cookieless sessions (where the session id is passed on through
parameters is

one view: “generally a bad idea and poses a very big security risk
(users can post a url with the session part included).”

another view: an accepted practice on other platforms aware that
mandating the use of cookies for full functionality may be culturally
inappropriate or outright illegal. And if there’s anything sensitive –
financial, health, personal privacy – involved in your app, then you
should be using SSL anyway, which negates the above concern. :)

FWIW,

Hassan S.
twitter: @hassan

On 03 Oct 2009, at 14:45, Ruby on Rails wrote:

I have solved the issue with the cookieless_sessions gem. But at the security
level, is that proper?

Personally, I wouldn’t use cookieless sessions unless you have a very
good reason to believe a lot of your users won’t have cookies enabled.
Sessions should never store private data, simple.

Using the cookiestore has a couple of advantages that make it my
preferred way of managing sessions:

  • URLs don’t carry any session related data, so your user can’t
    accidentally post it on a public site
  • Using the ActiveRecord store will hit the database for sessions on
    every request and you have to find a way to clean them on a regular
    basis
  • Using the MemCache store uses memory and depending on what you
    deploy it on (memory constrained VPS), you’ll have to make sacrifices:
    use more memory or have sessions expire really quickly
  • Using the CookieStore just moves the session data to the client side
    and passes it on with every request

I know people coming from the PHP world, where it used to be very
common to include session data in the url or post parameters, have the
tendency to want to stick to that way of handling things. However,
these days disabling cookies is so uncommon (they’re nothing more than
a little text file and all browsers have it enabled by default) that I
see no reason not to use them. We’ve been using them for so long,
they’ve not caused any problems when used properly (i.e. store only
very small amount of data, such as the user id) and they take away any
reason to take any additional resources on the server just for the
sake of session management. But that’s just how I feel, some people
may disagree.

Best regards

Peter De Berdt