Forum: Ruby on Rails - How to preserve the session id when the http request header contains 'Pragma'='no-cache'.

Hiroto Mukouhara (Guest)
on 2015-08-04 07:42
(Received via mailing list)
The new session id is created when the http request header contains
'Pragma'='no-cache' on our RoR environment. Our goal is that the session
id is preserved if the http request header contains 'Pragma'='no-cache'.
Please let us know how to preserve the session id.

The detailed sequence is shown below:

1. The user downloads the Microsoft Word file from the RoR application, and
   opens that file using 'Protected View'.

2. The user clicks the url link which is written in that Word file. The
   clicked url link points to a page which is located on that RoR
   application.

3. On opening that url link, the http request header contains
   'Pragma'='no-cache', and the new session id is created with the http
   response header which contains 'Set-Cookie'.

If the user opens that file without using 'Protected View' in step 1,
the session id is preserved in step 3, and the http request header
doesn't contain 'Pragma'='no-cache'.


Our RoR environment is shown below:

Server:
  Rails 3.2.14, and ruby 2.0.0p247 on apache 2.2.29, and unicorn 4.6.3

Clients:
  Internet Explorer 8, and MicrosoftOffice 2010 on Windows7 64bit.
Frederick Cheung (Guest)
on 2015-08-05 12:53
(Received via mailing list)
On Tuesday, August 4, 2015 at 6:41:18 AM UTC+1, Hiroto Mukouhara wrote:
>
> doesn't contain 'Pragma'='no-cache'.
>
Does the request in 3 have a cookie header?

Fred
Matt Jones (Guest)
on 2015-08-05 21:33
(Received via mailing list)
On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote:
>
> doesn't contain 'Pragma'='no-cache'.
>

I can't find much documentation for Protected View, but there's some
indication that it may be fiddling with the context that the web request
uses when you click on the link:

https://onmessages.wordpress.com/2015/01/19/a-secu...

This may be a security restriction to prevent malicious documents from
including hyperlinks to third-party sites that rely on the user's existing
cookies to do XSS.

--Matt Jones
Hiroto Mukouhara (Guest)
on 2015-08-07 09:50
(Received via mailing list)
On Wednesday, August 5, 2015 at 19:52:01 UTC+9, Frederick Cheung wrote:
>> The detailed sequence is shown below:
>>    response header which contains 'Set-Cookie'.
>
Thank you for your quick response. The request in 3 does not have a
cookie header whether the open mode is 'Protected View' or not.
Hiroto Mukouhara (Guest)
on 2015-08-07 09:50
(Received via mailing list)
On Thursday, August 6, 2015 at 04:32:05 UTC+9, Matt Jones wrote:
>> The detailed sequence is shown below:
>>    response header which contains 'Set-Cookie'.
>
> https://onmessages.wordpress.com/2015/01/19/a-secu...
>
> This may be a security restriction to prevent malicious documents from
> including hyperlinks to third-party sites that rely on the user's existing
> cookies to do XSS.
>
> --Matt Jones
>
Thanks for your insight. I'll check the details of that page.
Frederick Cheung (Guest)
on 2015-08-07 10:42
(Received via mailing list)
On Friday, August 7, 2015 at 8:49:20 AM UTC+1, Hiroto Mukouhara wrote:
> cookie header if the open mode is 'Protected View' or not.
>
>

So there's your problem. If the cookie header is not set then Rails
will think there is no existing session. As Matt says, this is probably a
security thing.

Fred
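Fred's diagnosis turned into a check the original poster could run against captured requests. This is an added Ruby example, not code from the thread or from Rails itself: it parses a raw HTTP request, reports whether it carries `Pragma: no-cache` and a Cookie header, and reproduces the session decision (resume the session named by the cookie, otherwise issue a new id). The session cookie name `_myapp_session` and the two sample requests are assumed and constructed.

```ruby
require 'securerandom'

# Name of the Rails session cookie. Rails derives it from the app name
# (e.g. "_myapp_session"), so this value is an assumed placeholder.
SESSION_COOKIE = '_myapp_session'

# Parse a raw HTTP request (request line plus headers) into a hash of
# lower-cased header names to values; repeated headers are joined with ", ".
def parse_request_headers(raw)
  headers = {}
  raw.split(/\r?\n/).drop(1).each do |line|
    break if line.strip.empty?          # blank line ends the header block
    name, value = line.split(':', 2)
    next if value.nil?
    key = name.strip.downcase
    headers[key] = headers[key] ? "#{headers[key]}, #{value.strip}" : value.strip
  end
  headers
end

# Split a Cookie header into name => value pairs.
def parse_cookies(cookie_header)
  return {} if cookie_header.nil?
  cookie_header.split(';').each_with_object({}) do |pair, acc|
    name, value = pair.strip.split('=', 2)
    acc[name] = value unless name.nil? || name.empty?
  end
end

# Reproduce the decision Fred describes: Rails resumes a session only when
# the request carries the session cookie; otherwise it allocates a fresh id
# and answers with Set-Cookie. Returns a report hash for the request.
def diagnose_session(raw_request)
  headers = parse_request_headers(raw_request)
  existing = parse_cookies(headers['cookie'])[SESSION_COOKIE]
  {
    pragma_no_cache: headers['pragma'].to_s.downcase.include?('no-cache'),
    cookie_header_present: headers.key?('cookie'),
    session_cookie_present: !existing.nil?,
    new_session: existing.nil?,
    session_id: existing || SecureRandom.hex(16)
  }
end

# Constructed sample requests (not captures from the poster's environment):
# what a Protected View click sends, and what a normal IE8 click sends.
PROTECTED_VIEW_REQUEST = "GET /docs/1 HTTP/1.1\r\nHost: app.example\r\n" \
  "Pragma: no-cache\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"
NORMAL_REQUEST = "GET /docs/1 HTTP/1.1\r\nHost: app.example\r\n" \
  "Cookie: _myapp_session=abc123; other=1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"
```

Running `diagnose_session` on each sample shows the Protected View request gets a new session purely because it has no Cookie header; the `Pragma` value is only a symptom of the same client behaviour.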