Rails 2.0: Release Candidate 2

Grab it while it's hot: http://weblog.rubyonrails.org/2007/11/29/rails-2-0-release-candidate-2

I'm using a Java applet (dndplus) to upload images. In order to do this, it is necessary to pass the session id along with the parameters to maintain session data. This has worked just fine up to now; however, in Rails 2.0 RC2, any upload attempt results in a SessionFixationAttempt exception, since RC2 now only allows the "session_id" parameter to be passed from cookies.

Is there a way to turn off this new behaviour, short of monkey-patching the session method itself?

Automatic session fixation protection is great, but sometimes it is quite legitimate to pass in a session id in this way.

  / Peter

Running...

rake rails:freeze:edge TAG=rel_2-0-0_RC2

terminates part way through with...

svn: URL http://dev.rubyonrails.org/svn/rails/tags/rel_2-0-0_RC2/actionwebservice doesn’t exist

and doesn't pull down activeresource. Just running it a second time
succeeds. Deleting the vendor/rails directory and trying again
reproduces the problem.

You should search this list as this is posted frequently.

-Bill

Jon Garvin wrote:

I think an excellent place to post it is with the announcement. If
you’re announcing a new version (of anything, not just Rails), and you
know people are probably going to have a problem upgrading, but the
current workaround to the problem is an absurdly easy two keystrokes
(up arrow, enter key), then just mention it with the announcement.
Don’t make everyone waste valuable time hunting for the simple solution
to a problem you knew they were going to have.

William Pratt wrote:

Sounds reasonable to me. Maybe suggest it to them on the rails-core
list?

Jon Garvin wrote:

Nobody who has any input on this? As we have a RC for 2.0, this seems to be the right place to ask this question. As it is now, I have had to monkey-patch away the session fixation check in ActionController::CgiRequest::session. There no longer seems to be any way to legitimately pass in a session id, since Edge and RC2 disallow it except from cookies.

  / Peter Bengtson

On 29 Nov 2007 at 11:10, Peter Bengtson wrote:

Nobody who has any input on this? As we have a RC for 2.0, this seems
to be the right place to ask this question. As it is now, I have had
to monkey-patch away the session fixation check in
ActionController::CgiRequest::session. There no longer seems to be any
way to legitimately pass in a session id, since Edge and RC2 disallow
it except from cookies.

You need ActionController::Base.session_options[:cookie_only] = false

Fred
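
What the check protects and what setting `:cookie_only` to false gives up, as an added example that is not part of the thread and is not Rails code: a plain-Ruby model in which `SessionStore`, its methods and the sample id are hypothetical. It also shows that rotating the session id at login (the idea behind Rails' `reset_session`) keeps an id supplied in the URL from inheriting the login.

```ruby
require "securerandom"

# Stand-in for the exception named in the thread.
class SessionFixationAttempt < StandardError; end

# Toy server-side session store (hypothetical model, not Rails internals).
class SessionStore
  def initialize(cookie_only: true)
    @cookie_only = cookie_only
    @sessions = {}
  end

  # Decide which session id a request is allowed to use.
  def resolve_id(cookies: {}, params: {})
    if params.key?("session_id")
      raise SessionFixationAttempt, "session_id outside cookie" if @cookie_only
      return params["session_id"]
    end
    cookies["session_id"] || SecureRandom.hex(16)
  end

  def data_for(id)
    @sessions[id] ||= {}
  end

  # Login that rotates the id: the old id is destroyed, a fresh one is issued.
  def login(old_id, user)
    new_id = SecureRandom.hex(16)
    @sessions.delete(old_id)
    @sessions[new_id] = { user: user }
    new_id
  end
end

# Constructed scenario: an id chosen by someone else arrives in the URL.
def planted_id_survives_login?(rotate:)
  store = SessionStore.new(cookie_only: false)
  planted = "constructed-planted-id"
  id = store.resolve_id(params: { "session_id" => planted })
  rotate ? store.login(id, "peter") : (store.data_for(id)[:user] = "peter")
  store.data_for(planted).key?(:user) # does the planted id see the login?
end

def strict_store_rejects_param?
  SessionStore.new(cookie_only: true).resolve_id(params: { "session_id" => "x" })
  false
rescue SessionFixationAttempt
  true
end
```
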

Many thanks!

  / Peter

On 30 Nov 2007 at 09:52, Frederick Cheung wrote: