My requirement is to make a controller method to be able to accept session id from cookie, if it is disabled/not available then from request body.
This way I will return a session id from login request and use the same session_id for any subsequent request body, if it's not a browser request.
Will this work?
Session is like an hash to store data with an application request.
It should work if you store a session while login like session[:user]=“Myname_123” it will renmain in the application until or unless you make it nil session[:user]=nil
it is versy simple in consept
now session id it is identification of an particular session
and browser you know I use session in android emulator
now your turn
Rajarshi wrote in post #1090682:
Session is like an hash to store data with an application request.
It should work if you store a session while login like session[:user]="Myname_123" it will renmain in the application until or unless you make it nil session[:user]=nil
it is versy simple in consept
now session id it is identification of an particular session
and browser you know I use session in android emulator
now your turn
Thanks Rajarshi for your reply! But that's not my question is - let me put in other way: If I am using sessionstore, the _session_id has to be passed through browser cookie. Now, If I disable cookie in the browser the entire system doesn't work. So, what is the other alternative I can pass the session id through? if cookie is disabled. Tried passing as request parameter, but that doesn't work. Any suggestion plese?
you can use many option
many others
Rajarshi wrote in post #1090684:
you can use many option 1. memcache to store session in server 2.Activerecord to store session id in database so no need of your browser
many others
I am using Activerecord only to store the session, but in some way client has to send that session ID to server to retrieve the logged-in session data, otherwise each time server will create a new session ID. Right?
Try passing it in the URL. Read more about URL rewriting in case of disabled cookies.
It has some disadvantages. http://www.javapractices.com/topic/TopicAction.do?Id=226
You cannot use sessions without cookies enabled.
That said, you might remember what PHP does with the PHPSESSIONID parameter appended to all URLs rendered in the page. You might want to do something similar.
Shiv Narayan Gautam wrote in post #1090687:
Try passing it in the URL. Read more about URL rewriting in case of disabled cookies.
It has some disadvantages. http://www.javapractices.com/topic/TopicAction.do?Id=226
-- Shiv
Can this be done in Ruby on Rails? I am aware that it works for JSP and PHP.
It’s not secure, session spoofing is a serious issue. I would encourage not going that route.
It can be done in rails, needs a bit of work but sure. Ideally, you’ll alias_method_chain url_for and read the session in a parent controller, like ApplicationController and initialize your current user and any other session information from that.
Dheeraj Kumar wrote in post #1090690:
It's not secure, session spoofing is a serious issue. I would encourage not going that route.
It can be done in rails, needs a bit of work but sure. Ideally, you'll alias_method_chain url_for and read the session in a parent controller, like ApplicationController and initialize your current user and any other session information from that.
-- Dheeraj Kumar
Please suggest which route to follow, in order to make application work even though cookies are disabled in the browser.
Thanks in advance for any help in this line.
you can send encrypted session id for that
your url should be like /users?session_id='dasdadasdas2313124213213_session_application" with encrypted session id
now after getting request you have to decrypt the session
use base64 for it
I just said what you need. chain the url_for method to add session id to the parameters, and read the session id in your application controller, look it up in your session store, active record or memcache, then load whatever information you want from the database.
Dheeraj Kumar wrote in post #1090693:
I just said what you need. chain the url_for method to add session id to the parameters, and read the session id in your application controller, look it up in your session store, active record or memcache, then load whatever information you want from the database.
-- Dheeraj Kumar
Thanks Dheeraj. Truly appreciate if you can point me to some code examples for this.
Thanks
url_for(:controller => “name of the controller”, :action => “name pf the aciont”, :session => params[:value])
or
users_url(:session => params[:value]) it will create a dybnamic url like /users?session=“sdsadsadasdas213213213”
and in params[:value] you have to encrypt the session id what you get from database or encode64(params[:value])
now while it i s hitting it will send the request in that reuqest you have to parse it by decode64() and match the session id
Instead of adding a session parameter to every url_for call, alias method chain it. any url helper calls url_for anyway, so you’re good.
Make sure the encryption is good with the session id, and don’t use weak ones like base64, they make session spoofing so much easier.
yes I know
Dheeraj Kumar wrote in post #1090702:
Instead of adding a session parameter to every url_for call, alias method chain it. any url helper calls url_for anyway, so you're good.
Make sure the encryption is good with the session id, and don't use weak ones like base64, they make session spoofing so much easier.
-- Dheeraj Kumar
Are you referring this way: http://brantinteractive.com/2008/05/13/cookieless-sessions-in-rails/
When I try below code in my application controller, it gives an error saying - undefined method `session_id' for #<ActionDispatch::Session::AbstractStore::SessionHash:0x13423c80>
def default_url_options(options) # set a cookie if it's nil cookies[:_session_id] ||= { :value => 'true', :expires => 10.seconds.from_now } { :_session_id => (request.xhr? ? params[:_session_id] : session.session_id) } unless cookies[:_session_id] end
Am I missing something here?
Btw, I am using rails 3.0.5.
replace session.session_id it with session[:session_id]
I don’t think it’s a hash with indifferent access.
Dheeraj Kumar wrote in post #1090761:
replace session.session_id it with session[:session_id]
I don't think it's a hash with indifferent access.
-- Dheeraj Kumar
No, it doesn't work, it creates a new session id even if I pass a logged in session ID though URL. Console log says; ::: Checking session expiry ::: Initializing session expiry. Expires at 2013-01-02 01:30:41 +0530 Redirected to http://localhost:3000/