Rails 2.0: Release Candidate 2

DHH · November 29, 2007, 5:14am

Grab it while it's hot: Ruby on Rails — Rails 2.0: Release Candidate 2

Peter_Bengtson · November 29, 2007, 10:10am

I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.

Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?

Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.

/ Peter

J_Garvin · November 29, 2007, 5:36pm

Running...

rake rails:freeze:edge TAG=rel_2-0-0_RC2

terminates part way through with...

svn: URL 'http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice’ doesn't exist

and doesn't pull down activeresource. Just running it a second time succeeds. Deleting the vendor/rails directory and trying again reproduces the problem.

William_Pratt · November 29, 2007, 6:15pm

You should search this list as this is posted frequently.

-Bill

Jon Garvin wrote:

J_Garvin · November 29, 2007, 6:57pm

I think an excellent place to post it is with the announcement. If you’re announcing a new version (of anything, not just Rails), and you know people are probably going to have a problem upgrading, but the current workaround to the problem is an absurdly easy two keystrokes (up arrow, enter key), then just mention it with the announcement. Don’t make everyone waste valuable time hunting for the simple solution to a problem you knew they were going to have.

William Pratt wrote:

William_Pratt · November 29, 2007, 9:26pm

Sounds reasonable to me. Maybe suggest it to them on the rails-core list?

Jon Garvin wrote:

Peter_Bengtson · November 30, 2007, 8:43am

Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have hade to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.

/ Peter Bengtson

29 nov 2007 kl. 11.10 skrev Peter Bengtson:

Frederick_Cheung · November 30, 2007, 8:52am

Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have hade to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.

You need ActionController::Base.session_options[:cookie_only] = false

Fred

Peter_Bengtson · November 30, 2007, 8:59am

Many thanks!

/ Peter

30 nov 2007 kl. 09.52 skrev Frederick Cheung: