Sessions w/o cookies still broken


Supporting sessions without cookies is still broken in Rails.

One can add the _session_id to each link using something like this:

class ActionController::Base
def default_url_options(options)
{ ‘_session_id’ => session.session_id }

BUT the problem is that doesn’t work when you have an upload form
(because of a bug in Rails/CGI.rb).

See this ticket:

Does anyone know how to fix for this? I really wish I could support
users without cookies in my upcoming commercial application, but it’s
just not possible, because of that bug (and I’ve been trying to find
a solution for this for over two weeks now).

I looked into the code, but I don’t understand it so very well, it’s
confusing for me, so I didn’t manage to fix it myself.

I really think it would be a good idea if Rails had this fixed this
for 1.0. Not every programmer has the freedom to just block users
that accept no cookies. I wish I did, but I must support them.



I guess no one cares about users that have cookies disabled =)

Maybe someone can help me with this one: I tried recreating the
session object myself, like this:

before_filter :recreate_session
def recreate_session
session =, :session_id => params
[:_session_id]) if(params[:_session_id])

That doesn’t seem to work though. It creates a new session instead of
the one with the params[:_session_id]

Does anyone know how I can get that to work? If I at least can get
this hack to work, then I finally can use Rails in production.



Nevermind! Matthew seems to have found a fix

He will post it when he has the time

Check the ticket