Persisting Session Data When Cookies Are Disabled

is this possible? i’m serving a rails app into an iframe and i’m testing in chrome with “block third-party cookies” selected because it’s not safe to assume that third-party cookies won’t be blocked. iframes are treated as third parties so i need the app to function independently of cookies. i’ve done a boatload of googling an fiddling already, and it seems that even if you change “.config.session_store :cookie_store” to active_record_store or mem_cache_store (plus the additional configuration/gems those entail), the persistence of session data is STILL dependent on the availability of cookies, which is kind of a fake out with regards to the name of that config.

at this point i have resorted to running memcached putting this:

def write(k,v)

Rails.cache.write(request.remote_ip.gsub(’.’, ‘’)+k,v)

end

def read(k)

Rails.cache.read(request.remote_ip.gsub(’.’, ‘’)+k)

end

in my application_controller and using it as i would “session[:foo] = bar” or “session[:foo]”. it works, but i don’t feel great about it due to the nature of IP addresses. is there a better way to accomplish this?

is this possible? i’m serving a rails app into an iframe and i’m testing in chrome with “block third-party cookies” selected because it’s not safe to assume that third-party cookies won’t be blocked. iframes are treated as third parties so i need the app to function independently of cookies. i’ve done a boatload of googling an fiddling already, and it seems that even if you change “.config.session_store :cookie_store” to active_record_store or mem_cache_store (plus the additional configuration/gems those entail), the persistence of session data is STILL dependent on the availability of cookies, which is kind of a fake out with regards to the name of that config.

Yes - a cookie is used to record which database row / memcache key to use. The name of the store implies where the actual session data is stored.

at this point i have resorted to running memcached putting this:

def write(k,v)

Rails.cache.write(request.remote_ip.gsub(’.’, ‘’)+k,v)

end

def read(k)

Rails.cache.read(request.remote_ip.gsub(’.’, ‘’)+k)

end

in my application_controller and using it as i would “session[:foo] = bar” or “session[:foo]”. it works, but i don’t feel great about it due to the nature of IP addresses. is there a better way to accomplish this?

Is it an option for you to pass a session id in the url? Unideal too, but perhaps less unideal than what you currently have. I think this used to be something rails supported, but I seem to remember it getting removed, so you might have to hack that back in.

Fred

thanks my friend, Freds gotta stick together. yes it seems Rails does not want session ids in urls at all http://guides.rubyonrails.org/action_controller_overview.html#session the other option is to pass around resource ids in urls, it just gets messy. this feels like something a framework should provide a default solution for but i guess not.