Forum: Ruby on Rails cookies are mandatory for Rails app?

winter heat (winterheat)
on 2009-05-26 04:45
Is it true that Rails depends on cookies?  It seems that flash is a part
of session, and session uses cookies... so when I disable cookies in
Firefox, what was working became

ActionController::InvalidAuthenticityToken

So is it true that for a RoR app to work, cookies are mandatory?
p_W (Guest)
on 2009-05-26 11:55
(Received via mailing list)
Because HTTP is stateless, information that is stored while navigating
from page to page, even if it's just from one page to another, has to
be stored somewhere.  One solution to this is to use a session
database, but even then, the session id is usually stored in a
cookie.  For things like the flash in a RoR rails app, cookies are the
better solution as the flash just relays messages related to the
state of the application.

I believe there is going to be in-browser storage as part of the W3C
HTML 5 standard but until then we are stuck with cookies

Roderick van Domburg (roderickvd)
on 2009-05-26 15:07
SpringFlowers AutumnMoon wrote:
> Is it true that Rails depends on cookies?  It seems that flash is a part
> of session, and session uses cookies... so when I disable cookies in
> Firefox, what was working became
>
> ActionController::InvalidAuthenticityToken
>
> So is it true that for a RoR app to work, cookies are mandatory?

Rails itself uses cookies only for its session store. From Rails 2.3
onwards, the session store is initialized lazily: if you don't use it in
a request, then it's not initialized. Forgery protection indeed relies
on the session store, but you can disable it.

So theoretically: no, Rails apps don't require cookies. But what are the
practical reasons to be concerned about them?

--
Roderick van Domburg
http://www.nedforce.com
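Roderick's point that forgery protection relies on the session store is the mechanism behind the error in the original question: the authenticity token that `protect_from_forgery` checks is kept in the session, and the session is located through a cookie. The following is an added example written for this thread (not code from Rails or from any poster) that models that dependency in plain Ruby; the class and method names are constructed, and the server-side session hash stands in for Rails' session store.

```ruby
require 'securerandom'

# Constructed model (not Rails' own code) of how protect_from_forgery ties
# the authenticity token to the session, and the session to a cookie.
class InvalidAuthenticityToken < StandardError; end

class RailsLikeApp
  SESSION_COOKIE = '_app_session'
  def initialize
    @sessions = {} # session id => data (Rails' CookieStore keeps the data in the cookie itself)
  end

  # Find the session by cookie (or start one); returns [session, set_cookie_or_nil].
  def load_session(cookies)
    sid = cookies[SESSION_COOKIE]
    return [@sessions[sid], nil] if sid && @sessions[sid]
    sid = SecureRandom.hex(16)
    @sessions[sid] = {}
    [@sessions[sid], "#{SESSION_COOKIE}=#{sid}"]
  end

  # GET /new: render a form carrying the per-session token
  # (what form_authenticity_token does via session[:_csrf_token]).
  def render_form(cookies)
    session, set_cookie = load_session(cookies)
    session[:_csrf_token] ||= SecureRandom.base64(32)
    { authenticity_token: session[:_csrf_token], set_cookie: set_cookie }
  end

  # POST /create: the verify_authenticity_token check that runs first.
  def create(cookies, params)
    session, _set_cookie = load_session(cookies)
    expected = session[:_csrf_token]
    raise InvalidAuthenticityToken unless expected && params[:authenticity_token] == expected
    :created
  end
end

# One GET/POST round trip through a browser that either keeps or drops
# the Set-Cookie from the form response (cookies enabled vs disabled).
def submit_form(cookies_enabled:)
  app = RailsLikeApp.new
  jar = {}
  form = app.render_form(jar)
  if cookies_enabled && form[:set_cookie]
    name, value = form[:set_cookie].split('=', 2)
    jar[name] = value
  end
  app.create(jar, authenticity_token: form[:authenticity_token])
end
```

With the cookie dropped, the POST arrives with a brand-new empty session, so there is no token to match and the request is rejected before the action runs; disabling the check to accommodate cookieless browsers removes the CSRF defence for every client.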
Robert Walker (robert4723)
on 2009-05-26 15:28
SpringFlowers AutumnMoon wrote:
> Is it true that Rails depends on cookies?  It seems that flash is a part
> of session, and session uses cookies... so when I disable cookies in
> Firefox, what was working became
>
> ActionController::InvalidAuthenticityToken
>
> So is it true that for a RoR app to work, cookies are mandatory?

FYI: Cookies are required for practically every web based application on
the internet. This is not at all unique to Rails. There are only a
limited number of ways to maintain session state. 1. Using cookies (my
guess is > 80% of sites use this method), 2. Putting a session id in the
URL (ugly, but works). 3. Hidden fields in forms to pass state from one
request to another (very ugly, but requires no client-side storage of
state). 4. HTML 5 local session storage (not practical since it'll take
Microsoft years to support HTML 5. They can barely do HTML 4).

I believe option 4 is the way forward since it provides all the benefits
of cookies, and practically none of their shortcomings. Just don't
expect that to be practical anytime soon. Note: Safari 4 public beta has
complete support for HTML 5 local storage (maybe others too). Let's just
hope the others eventually catch up.
winter heat (winterheat)
on 2009-05-26 18:43
Roderick van Domburg wrote:

> So theoretically: no, Rails apps don't require cookies. But what are the
> practical reasons to be concerned about them?

Because I was trying a Rails app (from the book Simply Rails 2.0)... and
at the "Flash" part (not Adobe Flash), it talks about next-action
passing of info... without saying how it works.  Another book (Rails
Recipes) says that it is part of the Session object, and it uses cookies
to do it.

So I instantly disabled cookies in Firefox using the Web Developer add-on,
and then my Rails site that was working before gave an error... and
didn't work...

That's the concern...  turning off cookies broke my Rails app.
Robert Walker (robert4723)
on 2009-05-26 19:58
SpringFlowers AutumnMoon wrote:
> Roderick van Domburg wrote:
>
>> So theoretically: no, Rails apps don't require cookies. But what are the
>> practical reasons to be concerned about them?
>
> Because I was trying a Rails app (from the book Simply Rails 2.0)... and
> at the "Flash" part (not Adobe Flash), it talks about next-action
> passing of info... without saying how it works.  Another book (Rails
> Recipes) says that it is part of the Session object, and it uses cookies
> to do it.
>
> So I instantly disabled cookies in Firefox using the Web Developer add-on,
> and then my Rails site that was working before gave an error... and
> didn't work...
>
> That's the concern...  turning off cookies broke my Rails app.

Generally speaking, yes it will. Just like it will break almost any web
application, Rails or otherwise. :)
winter heat (winterheat)
on 2009-05-26 20:00
Robert Walker wrote:

>> That's the concern...  turning off cookies broke my Rails app.
>
> Generally speaking, yes it will. Just like it will break almost any web
> application, Rails or otherwise. :)

Or to put it this way: to make the Rails app work even when the user
turns off cookies, is there a simple and quick way?

Is it simpler if there is only one server (Apache running Passenger
(mod_rails))?
Marnen Laibow-Koser (marnen)
on 2009-05-26 20:18
Robert Walker wrote:
> SpringFlowers AutumnMoon wrote:
>> Roderick van Domburg wrote:
>>
>>> So theoretically: no, Rails apps don't require cookies. But what are the
>>> practical reasons to be concerned about them?
[...]
>>
>> So I instantly disabled cookies in Firefox using the Web Developer add-on,
>> and then my Rails site that was working before gave an error... and
>> didn't work...
>>
>> That's the concern...  turning off cookies broke my Rails app.
>
> Generally speaking, yes it will. Just like it will break almost any web
> application, Rails or otherwise. :)

Well, PHP's session management will automatically fall back to putting
the session ID in the URL.  I believe JSP does this too.  Is there no way to
get Rails to do likewise?

(I'm a lot less concerned about this than SpringFlowers seems to be, but
some people really need or want to avoid cookies.  Since this problem
was solved long since for other Web technologies, I'm a bit surprised
that it is not so for Rails.)

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org
Darrik Mazey (Guest)
on 2009-05-27 03:30
(Received via mailing list)
Robert Walker wrote:
> the internet. This is not at all unique to Rails. There are only a
> complete support for HTML 5 local storage (maybe others too). Let's just
> hope the others eventually catch up.

I assume that users will have the option to disable HTML 5 browser-local
storage.  I also assume that people who turn off cookies will most
likely disable local storage.  In that event, I'm not sure how this
solves the problem, and we're at square one again.

Just a thought.

Cheers,
Darrik

--
Darrik Mazey
DarmaSoft, LLC.
1627 Marigold Avenue
Akron, Ohio 44301-2627
office: 330.983.9941
    fax: 330.983.9942
mobile: 330.808.2025
darrik@darmasoft.com

To obtain my public key, send an email to
darrik@publickey.darmasoft.com.
Marnen Laibow-Koser (marnen)
on 2009-05-27 03:48
Darrik Mazey wrote:
[...]
> I assume that users will have the option to disable HTML 5 browser-local
> storage.  I also assume that people who turn off cookies will most
> likely disable local storage.

That is an excellent point.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org