RE: [Rails] Re: Sessions without cookies??

There are three basic ways to have state in a web app

In a cookie

in the form

Or put in the url

Rails can handle all these

You just have to choose one

Can you explain how to "choose" a way that is not
using cookies in more detail?

Somebody already mentioned that you can pass it around on the URL and handle a bit of the heavy-lifting via routes.rb, but you're going to need to make sure that every link you create passes it, so instead of

<%= link_to 'Add to Cart', :action => 'add', :id => %>

You would instead have:

<%= link_to 'Add to Cart', :action => 'add', :id =>, :my_session_id => params[:my_session_id] %>

You could conceivably over-ride the link_to method. It's only 10 lines, just create a new one in your application helper that always passes params[:my_session_id] or whatever, and then you wouldn't have to re-write every link in your application.

In a previous web application i wrote (not with rails)
I forms when possible if there was no cookie support and
get parameters in urls if everything else failed.

So cookies are bad, but encoding session data into the HTML of the page by way of a for is perfectly acceptable? What happens when they hit the back button?

The session[] data Rails uses is fantastic. It has all sorts of goodness to it that looks after all sorts of problems relating to the asynchronous stateless nature of web application development. However, you should only use it if you really care about client state. If you don't, don't insist on it.

If you do care about client state, I can't see any reason why it is evil to say to the user 'you need to let me set a cookie from this site for you to be able to use the application properly'. Every other method of trying to replicate sessions has draw-backs far more severe than saying "you have an account with us, we have your credit card details, you clearly trust us, why can't we put a few hundred bytes in your web browser cache?".

If on the other hand you're just trying to spy on your users, there are better ways of doing it.

I'd have expected the
framework to do it under the hood instead of forcing
the user to manually add e.g. a condition and parameter
to each and every POST frame that is used.

Like I say, re-define link_to (or any other method you want) and do what you want to it. It's not hard, just a really stupid idea for 98% of applications out there, and may cause problems in terms of maintenance down the line unless you've documented the fact you've done this...