Problem with cookie in IE

Hello, I am working on a project which needs cookies enabled. When I disable cookies in the browser (IE 7 / IE 8) I am not able to login/signup because everything depends on Session/cookies. So how can I make this work for sessions without cookies in Rails? Is there any way?

Thanks.

You will have to use a database session store. The default with Rails is a cookie-based session store, which is stored in the browser. http://guides.rubyonrails.org/action_controller_overview.html chapter 4 - sessions

heimdull wrote:

You will have to use a database session store. The default with Rails is a cookie-based session store, which is stored in the browser. Action Controller Overview — Ruby on Rails Guides chapter 4 - sessions

Thanks, I am going to look at this.

That won’t help, since the session id is still managed through cookies. You might check out http://github.com/tatyree/cookieless_sessions/

However, cookieless sessions (where the session id is passed on through parameters) are generally a bad idea and pose a very big security risk (users can post a URL with the session part included).

Best regards

Peter De Berdt

Thanks, Peter. But I am getting the following error; am I doing something wrong?

C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore (NameError)
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `const_get'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/actionpack-2.0.2/lib/action_controller/session_management.rb:24:in `session_store='
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `send'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:328:in `initialize_framework_settings'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `each'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:327:in `initialize_framework_settings'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `each'
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/initializer.rb:324:in `initialize_framework_settings'
         ... 30 levels...
        from C:/I2/ruby/lib/ruby/gems/1.8/gems/rails-2.0.2/lib/commands/server.rb:39
        from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
        from C:/I2/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
        from script/server:3

On 02 Oct 2009, at 11:45, Ruby on Rails wrote:

Thanks, Peter. But I am getting the following error; am I doing something wrong?

C:/I2/ruby/lib/ruby/gems/1.8/gems/activesupport-2.0.2/lib/active_support/dependencies.rb:478:in `const_missing': uninitialized constant CGI::Session::MemCacheStore

You are using Rails 2.0.2, which might not have had the MemCacheStore implemented yet. That’s exactly what the error message says. Just use ActiveRecordStore instead (make sure you generate your sessions migration with “rake db:sessions:create”):

config.action_controller.session_store = :active_record_store

Also, beware if you upgrade to Rails 2.3, the session management has changed significantly, per the release notes:

  • CGI::Session::CookieStore has been replaced by ActionController::Session::CookieStore.
  • CGI::Session::MemCacheStore has been replaced by ActionController::Session::MemCacheStore.
  • CGI::Session::ActiveRecordStore has been replaced by ActiveRecord::SessionStore.

You’ll need to patch the plugin probably if you want to use it with Rails 2.3.

It does seem that you are missing some basic but fundamental insight in the framework you’re using, might be a good idea to start reading some books, watch some screencasts and read up on some blogs and even plugin code to get yourself familiar with what’s going on. It’s generally just a good idea to not blindly use a plugin, but look into the API and code itself to at least grasp what’s going on in this rapidly evolving Rails world. Don’t count on others to fix issues for you, because they might have moved on since then and not maintain the plugin anymore when a new version is released that breaks it.

Best regards

Peter De Berdt

one view: "generally a bad idea and poses a very big security risk (users can post a url with the session part included)."

another view: an accepted practice on other platforms aware that mandating the use of cookies for full functionality may be culturally inappropriate or outright illegal. And if there's anything sensitive -- financial, health, personal privacy -- involved in your app, then you should be using SSL anyway, which negates the above concern. :)

FWIW,

You are missing the point here. Let’s say you have average Joe using your site and logging in to get to personal information. He wants to link a public part of the site on Facebook and copies the url and pastes it in Facebook: https://mysite.com/some-public-part/article-1?_session_id=4da564c784511cdf

Whether you are using SSL or not, anyone that clicks the url before the session expires, will be logged in as average Joe, unless you somehow bind sessions to IPs or whatever. Even then certain privacy issues would come into play if someone on the same network would click the url.

Using cookies is a way of protecting users against themselves.

Best regards

Peter De Berdt
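The copied-URL scenario above, as an added example that is not part of the thread and not the cookieless_sessions plugin's code: a toy server-side session store that can read the session id either from a `_session_id` query parameter (cookieless) or from a cookie, plus a simulated stranger clicking the link Joe pasted. All names, IPs and URLs are constructed for the example. It also shows the IP-binding mitigation Peter mentions and why it fails for two clients behind the same address.

```ruby
require 'securerandom'

# One HTTP request as the server sees it: path, query params, cookies, client IP.
Request = Struct.new(:path, :params, :cookies, :remote_ip)

class SessionStore
  def initialize(bind_to_ip: false)
    @sessions = {}            # session_id => { user: ..., ip: ... }
    @bind_to_ip = bind_to_ip  # optional mitigation: tie a session to the login IP
  end

  # Log a user in and return a fresh, unguessable session id.
  def login(user, remote_ip)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, ip: remote_ip }
    sid
  end

  # Resolve the session id a request carries to a user name, or nil.
  def current_user(request, transport)
    sid = case transport
          when :url    then request.params['_session_id']   # cookieless sessions
          when :cookie then request.cookies['_session_id']  # Rails default
          end
    entry = sid && @sessions[sid]
    return nil unless entry
    return nil if @bind_to_ip && entry[:ip] != request.remote_ip
    entry[:user]
  end
end

# The URL Joe copies from his address bar on a public page. With cookieless
# sessions it carries his session id; with cookies it carries nothing.
def leaked_url(transport, sid)
  base = 'https://mysite.com/some-public-part/article-1'   # constructed
  transport == :url ? "#{base}?_session_id=#{sid}" : base
end

# The request a stranger's browser makes when clicking the pasted URL.
# The stranger has no cookies for mysite.com, only the URL.
def click(url, remote_ip)
  path, query = url.split('?', 2)
  params = query ? Hash[query.split('&').map { |kv| kv.split('=', 2) }] : {}
  Request.new(path, params, {}, remote_ip)
end

# Who does the server think is logged in when `attacker_ip` clicks Joe's
# pasted link? Returns the user name or nil. IPs are constructed.
def who_is_logged_in(transport, bind_to_ip: false, attacker_ip: '203.0.113.7')
  store = SessionStore.new(bind_to_ip: bind_to_ip)
  sid = store.login('joe', '198.51.100.5')   # Joe logs in from his own address
  store.current_user(click(leaked_url(transport, sid), attacker_ip), transport)
end

if __FILE__ == $0
  puts "url transport:              #{who_is_logged_in(:url).inspect}"
  puts "url + ip binding, other IP: #{who_is_logged_in(:url, bind_to_ip: true).inspect}"
  puts "url + ip binding, same NAT: #{who_is_logged_in(:url, bind_to_ip: true, attacker_ip: '198.51.100.5').inspect}"
  puts "cookie transport:           #{who_is_logged_in(:cookie).inspect}"
end
```

The session id is a bearer token in both transports; the difference is only that a cookie never ends up in the address bar, in a pasted link, or in a Referer header, while a query parameter does. Binding to the client IP blocks a stranger elsewhere but not a colleague behind the same NAT, which is the residual privacy issue Peter points out.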

Hello Peter,

I have solved the issue with the cookieless_sessions gem. But at the security level, is that proper?

Thanks.

On 03 Oct 2009, at 14:45, Ruby on Rails wrote:

I have solved the issue with the cookieless_sessions gem. But at the security level, is that proper?

Personally, I wouldn’t use cookieless sessions unless you have a very good reason to believe a lot of your users won’t have cookies enabled. Sessions should never store private data, simple.

Using the cookiestore has a couple of advantages that make it my preferred way of managing sessions:

  • URLs don’t carry any session related data, so your user can’t accidentally post it on a public site

  • Using the ActiveRecord store will hit the database for sessions on every request and you have to find a way to clean them on a regular basis

  • Using the MemCache store uses memory and depending on what you deploy it on (memory constrained VPS), you’ll have to make sacrifices: use more memory or have sessions expire really quickly

  • Using the CookieStore just moves the session data to the client side and passes it on with every request

I know people coming from the PHP world, where it used to be very common to include session data in the url or post parameters, have the tendency to want to stick to that way of handling things. However, these days disabling cookies is so uncommon (they’re nothing more than a little text file and all browsers have it enabled by default) that I see no reason not to use them. We’ve been using them for so long, they’ve not caused any problems when used properly (i.e. store only very small amount of data, such as the user id) and they take away any reason to take any additional resources on the server just for the sake of session management. But that’s just how I feel, some people may disagree.

Best regards

Peter De Berdt
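Peter's last point, that the CookieStore moves the session data to the client and that sessions should hold only small, non-private values such as a user id, follows from how a signed cookie works. The following is an added example, not Rails' own CookieStore code: a minimal signed cookie store in the spirit of Rails 2.x, which serializes the session hash, base64-encodes it and appends an HMAC so the server can detect tampering. JSON is used instead of the Marshal format Rails 2 used, and the secret and session contents are constructed. The `peek` method shows that the payload is readable by anyone holding the cookie, since it is signed but not encrypted.

```ruby
require 'openssl'
require 'base64'
require 'json'

class SignedCookieStore
  # Rails 2's CookieStore refused secrets shorter than 30 characters; keep that rule.
  def initialize(secret)
    raise ArgumentError, 'secret too short' if secret.to_s.length < 30
    @secret = secret
  end

  # session hash -> "payload--hexdigest" cookie value
  def generate(session)
    payload = Base64.strict_encode64(JSON.generate(session))
    "#{payload}--#{digest(payload)}"
  end

  # cookie value -> session hash, or nil if the signature does not verify
  def load(cookie)
    payload, sig = cookie.to_s.split('--', 2)
    return nil unless payload && sig
    return nil unless secure_compare(digest(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil   # malformed base64 or JSON is treated like a bad signature
  end

  # What anyone holding the cookie can read without knowing the secret.
  def self.peek(cookie)
    JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
  end

  private

  def digest(payload)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, payload)
  end

  # Constant-time comparison so response timing does not leak the expected digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Forgery attempt: rewrite user_id in the payload but keep the original signature.
def tampered(cookie)
  payload, sig = cookie.split('--', 2)
  session = JSON.parse(Base64.strict_decode64(payload))
  session['user_id'] = 1
  "#{Base64.strict_encode64(JSON.generate(session))}--#{sig}"
end

SECRET = 'constructed-example-secret-at-least-30-chars-long'  # constructed, not a real secret

if __FILE__ == $0
  store  = SignedCookieStore.new(SECRET)
  cookie = store.generate('user_id' => 42)
  puts store.load(cookie).inspect                # {"user_id"=>42}
  puts store.load(tampered(cookie)).inspect      # nil: signature mismatch
  puts SignedCookieStore.peek(cookie).inspect    # {"user_id"=>42}, readable without the secret
end
```

The signature stops a client from changing `user_id`, which is why storing just the id is safe; it does nothing to hide the value, which is why private data does not belong in a cookie-backed session. Anything sensitive stays on the server and is looked up from the id on each request.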