Posted this on stack overflow earlier today here, I really either don’t know what I’m doing, or I don’t understand how sessions are supposed to work!
I’m connecting to rails from an Air app and communicating with JSON only.
When the client sends a login request, the server makes sure the username & password match, then it does session[:user_id] = user.id, creating the session. But before I send back the login response, request.session_options[:id] is nil, so I seem to have no way of telling the client what his session id is.
I did manage to get the CSRF token sent with the login response, which the client sends on subsequent requests. On these subsequent requests, the session id is actually found in request.session_options[:id], so it must be working, just not in the order I expected.
So maybe I’m misunderstanding how this is supposed to work.
Is the act of the client sending along the CSRF token good enough to validate the session? All my old Rails 2.3 code had me passing the actual session id to the client (and no mention of a CSRF token anywhere), so I’m just wondering if this is how it’s done now in Rails 3.2? If I should still be relying on the session id, how can I send the session id to the client with the login response at the time the session is created?
Thanks for taking a look and offering any explanation, this has been a brick wall pretty much the whole day and I’d like to get back to writing the actual app again 8)