Sessions without cookies?

I am planning an in-house web application and a big number of users have
their cookies disabled in their browsers. I have read that Rails can
handle session keys automatically only over cookies – is this true?
I have previously written web applications with Perl where I passed the
sessionid around as a GET or POST parameter in all web requests – is
there a built-in mechanism like this in Rails for handling the session
data?

unknown wrote:

I think you would have to find a way to always pass a query string to
the url for each request (like ?sid=838bdaf). Maybe you can use routes.rb
to do this somehow or another option is to maybe use a before_filter in
application.rb?

I would expect a framework to automate this for me … is there some
plugin or example code that does this or is this planned for a release
anytime soon?

I think you would have to find a way to always pass a query string to
the url for each request (like ?sid=838bdaf). Maybe you can use routes.rb
to do this somehow or another option is to maybe use a before_filter in
application.rb?

2006/9/29, Roman H.:

I would expect a framework to automate this for me … is there some
plugin or example code that does this or is this planned for a release
anytime soon?

This framework expects its users to have cookies enabled. Rails does what
most people do most of the time. It’s as simple as that.

Kind regards
Nicolai

You can override url_for and form_tag in application_helper.rb. Good
discussion about this here:
http://forums.somethingawful.com/showthread.php?s=&threadid=2053851

Nicolai Reuschling wrote:

2006/9/29, Roman H.:

I would expect a framework to automate this for me … is there some
plugin or example code that does this or is this planned for a release
anytime soon?

This framework expects its users to have cookies enabled. Rails does what
most people do most of the time. It’s as simple as that.

If this framework makes such a sweeping expectation it is simply not
usable for professional development. Many users disable cookies and it
is their right to do so. Polite companies who respect their users will
not force them to enable cookies just to use their site.

It is as simple as that.

Someone already mentioned a viable option of passing the session info
into the url.

I would expect a framework to automate this for me … is there some
plugin or example code that does this or is this planned for a release
anytime soon?

This framework expects its users to have cookies enabled. Rails does what
most people do most of the time. It’s as simple as that.

I can see both sides here, but I really don’t think it’s reasonable to
expect this feature out of the box given that it is not an issue for
most people. Without a way to make sessions work with the id passed
in the query string, it will limit rails in some areas, although how
many I don’t know. I do know that many ecommerce sites need to work
without cookies, especially those that have mobile phone friendly
pages. We have a fairly large ecommerce app written in perl being
used by a lot of merchants, and the number of people who block cookies
is small, but significant enough that we don’t require cookies.

Michael C. wrote:

On 9/29/06, Roman H. wrote:

If this framework makes such a sweeping expectation it is simply not
usable for professional development.

And yet, many professional websites do in fact use it.

Yeah, many sites force their rules on their customers instead of
accepting their preferences – some even force them to use IE.

Not everyone does want to follow such an impolite policy though.
As has been pointed out, there are also other reasons why users
might be forced not to use cookies.

On 9/29/06, Roman H. wrote:

If this framework makes such a sweeping expectation it is simply not
usable for professional development.

And yet, many professional websites do in fact use it.


I have made this letter longer than usual, because I lack the time to
make it short. – Blaise Pascal

On 9/29/06, Roman H. wrote:

Yeah, many sites force their rules on their customers instead of
accepting their preferences – some even force them to use IE.

Right. And that’s completely unrelated to your assertion that Rails
is completely unusable for professional development.

Roman H. wrote:

Yeah, many sites force their rules on their customers instead of
accepting their preferences – some even force them to use IE.

Not everyone does want to follow such an impolite policy though.
As has been pointed out, there are also other reasons why users
might be forced not to use cookies.

Okay ok, enough with the bickering already…

I have found this feature-lacking when I was learning rails (still
learning). But I do recall at least one other framework lacking it too.
Anyway, I have always developed with cookies turned off. This is because
I don’t want my app to be dependent on it. So I rolled my own.

Perhaps this is something I can give back to the community. I can
release this code, but how should I go about doing it? What is the
preferred way and where can I get the documentation? I have heard of
‘patches’ and ‘plugins’ but have not looked it up (busy developing :-).

If someone would kindly point me in the right direction, it just might
get done sooner.

Cheers,

Long

As was mentioned before, Rails always aims to make the majority of web
applications simple to set up.

If your application has demands that fall outside of this major
percentage then it’s not as though you’re being forced out, you just
have to make a few small alterations to configure it.

There’s many embellishments to the rails core that add features that
some applications need, that’s why there’s the plugin system, in fact
when you solve this problem why not release a plugin that anyone else
who wants the same feature can benefit from?

Ross

On 9/29/06, Michael C. wrote:

And yet, many professional websites do in fact use it.

Yeah, many sites force their rules on their customers instead of
accepting their preferences – some even force them to use IE.

Right. And that’s completely unrelated to your assertion that Rails
is completely unusable for professional development.


Ross R.
www.sorrylies.com

There are three basic ways to have state in a web app

In a cookie

in the form

Or put in the url

Rails can handle all these

You just have to choose one

Clayton C. wrote:

There are three basic ways to have state in a web app

In a cookie

in the form

Or put in the url

Rails can handle all these

How?

Can you explain how to “choose” a way that is not
using cookies in more detail?

In a previous web application I wrote (not with rails)
I used forms when possible if there was no cookie support and
get parameters in urls if everything else failed.
Essentially, we need to pass around a special ID value
in each and every request. Since this is something
that happens at many places, I’d have expected the
framework to do it under the hood instead of forcing
the user to manually add e.g. a condition and parameter
to each and every POST frame that is used.

http://wiki.rubyonrails.com/rails/pages/HowTosPlugins

explains how to write plugins.

Ross

Ross R.
www.sorrylies.com

I would like to point out here that using cookies for session tracking
is a very accepted practice these days. I would recommend that you try an
experiment of turning off cookies and javascript and try using the web
the way you are used to using it. Even .NET requires cookies and are you
willing to make the claim that it is not used for professional
applications? I am not aware of any local java shops in my area who
bother with the built-in URL re-writing in j2ee anymore. They simply
don’t want to bother.

I would have agreed with you in 1997 when some of my clients felt this
way. Others, upon hearing the extra cost of using URL rewriting in java,
said to just use cookies. Web developers have stopped putting important
data into cookies long ago and the public now trusts them. Most of my
students are not even aware that they were once controversial. I would
like to propose that we stop worrying about cookies and focus on the
more important worrisome issues like XSS, and SQL injection.

-Eric

On 29 Sep 2006, at 23:58, Roman H. wrote:

Can you explain how to “choose” a way that is not
using cookies in more detail?

Somebody already mentioned that you can pass it around on the URL and
handle a bit of the heavy-lifting via routes.rb, but you’re going to
need to make sure that every link you create passes it, so instead of

<%= link_to 'Add to Cart', :action => 'add', :id => item.id %>

You would instead have:

<%= link_to 'Add to Cart', :action => 'add', :id => item.id, :my_session_id => params[:my_session_id] %>

You could conceivably over-ride the link_to method. It’s only 10
lines, just create a new one in your application helper that always
passes params[:my_session_id] or whatever, and then you wouldn’t have
to re-write every link in your application.

In a previous web application I wrote (not with rails)
I used forms when possible if there was no cookie support and
get parameters in urls if everything else failed.

So cookies are bad, but encoding session data into the HTML of the
page by way of a form is perfectly acceptable? What happens when they
hit the back button?

The session[] data Rails uses is fantastic. It has all sorts of
goodness to it that looks after all sorts of problems relating to the
asynchronous stateless nature of web application development.
However, you should only use it if you really care about client
state. If you don’t, don’t insist on it.

If you do care about client state, I can’t see any reason why it is
evil to say to the user ‘you need to let me set a cookie from this
site for you to be able to use the application properly’. Every other
method of trying to replicate sessions has draw-backs far more severe
than saying “you have an account with us, we have your credit card
details, you clearly trust us, why can’t we put a few hundred bytes
in your web browser cache?”.

If on the other hand you’re just trying to spy on your users, there
are better ways of doing it.

I’d have expected the
framework to do it under the hood instead of forcing
the user to manually add e.g. a condition and parameter
to each and every POST frame that is used.

Like I say, re-define link_to (or any other method you want) and do
what you want to it. It’s not hard, just a really stupid idea for 98%
of applications out there, and may cause problems in terms of
maintenance down the line unless you’ve documented the fact you’ve
done this…

HTH,


Paul R.
http://vagueware.com
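
The per-URL step that an overridden link helper like the one suggested above would need, as an added example that is not part of the original thread and is plain Ruby rather than Rails code. The parameter name `my_session_id` comes from the post; `append_session_id`, `APP_HOST` and the 32-hex-character id format are assumptions made for illustration. It appends the id only to the application's own links, so the id is not handed to other sites, and it refuses to echo a malformed id into generated markup.

```ruby
require 'uri'

# Parameter name from the post; host and id format are constructed assumptions.
SESSION_PARAM = 'my_session_id'
APP_HOST      = 'shop.example.test'
SID_FORMAT    = /\A[0-9a-f]{32}\z/ # assumed: 128-bit id written as 32 hex chars

# Returns url with the session id appended, or url unchanged when the link
# must not carry the id.
def append_session_id(url, sid, app_host = APP_HOST)
  # Never copy a malformed id from the request into generated links.
  return url unless sid.is_a?(String) && sid.match?(SID_FORMAT)

  uri = URI.parse(url)
  # Absolute or protocol-relative links to another host would expose the id.
  return url if uri.host && uri.host.downcase != app_host
  # Only http(s) and relative links are rewritten (skips mailto: and similar).
  return url if uri.scheme && !%w[http https].include?(uri.scheme.downcase)

  # Replace an existing copy of the parameter instead of adding a second one.
  pairs = URI.decode_www_form(uri.query || '').reject { |k, _| k == SESSION_PARAM }
  pairs << [SESSION_PARAM, sid]
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
rescue URI::InvalidURIError
  url
end
```

Even with this filter, an id carried in the URL still ends up in server logs, browser history and bookmarks, which is one of the drawbacks of the approach compared with a session cookie.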

As to whether Rails “is simply not usable for professional development” -
there’s a lot of evidence to refute that. 37Signals is making a
boatload of money- you think they’re not “professional”? If so, I have
to say, that’s the kind of non-professionalism I aspire to :wink:

Having said that, I think support for session-id-in-url would be a great
addition to Rails- as DHH might say, “please do write a plugin” :wink:

Lastly, much of this talk about people having cookies disabled misses a
fine distinction. The cookie that Rails uses for session id expires
when you close your browser. While some people may have persistent
cookies disabled, I would venture to guess that the number that have
non-persistent (session) cookies disabled is considerably less. As Eric
Knapp points out, above, much of the modern web would be practically
unusable without session cookies. Ever used a shopping cart?

Over at Lingr (http://www.lingr.com), we haven’t heard any feedback from
users complaining about our requirement of session cookies. I doubt we
ever will. I’m certainly not losing any sleep over whatever users, if
any, we turn away due to that requirement.

- D
