Url based sessions


I trying to make the sessions in my rails app independent of the
availability of cookies at the client side. In order to achieve this i
am using a plugin *, that adds _session_id to the querystring by adding
it to all rendered urls, and adding a hidden input field with the
session_id to all forms. This url and form rewriting is working great,
also for the ajax links generated by link_to_remote.

A bit tricky is to get rails to recognize this param as the session_id,
according to a recent rails security update mail **, i have to set
cookie_only to false. The description in the mail doesn’t work, but
setting session_options[:cookie_only]=false in application.rb does the
job though. And for the non-ajax version of my site, the session is
working as hoped.

The problem is when i try the same thing with javascript enabled, using
ajax requests, then rails doesn’t recognise my _session_id param in the
as the session_id. I can see the param is there, but rails just ignores
it and assigns a new session_id.

If anyone would has an idea what difference between a html request and
an ajax request causes this problem, then that would be great.