Sessions without cookies??

i think you would have to find a way to always pass a query string to the url for each request (like ?sid=838bdaf). Maybe you can use routes.rb to do this somehow or another option is to maybe use a before_filter in application.rb

This framework expects its users to have cookies enabled. Rails does,
what most people do most of the time. It’s as simple as that.

Kind regards


> I would expect a framework to automate this for me ... is there some
> plugin or example code that does this or is this planned for a release
> anytime soon?

This framework expects its users to have cookies enabled. Rails does, what
most people do most of the time. It's as simple as that.

I can see both sides here, but I really don't think it's reasonable to
expect this feature out of the box given that it is not an issue for
most people. Without a way to make sessions work with the id passed
in the query string, it will limit rails in some areas, although how
many I don't know. I do know that many ecommerce sites need to work
without cookies, especially those that have mobile phone friendly
pages. We have a fairly large ecommerce app written in perl being
used by a lot of merchants, and the number of people who block cookies
is small, but significant enough that we don't require cookies.

Someone already mentioned a viable option of passing the session info into the url.

And yet, many professional websites do in fact use it.

Right. And that's completely unrelated to your assertion that Rails
is completely unusable for professional development.

Roman Hausner wrote:

Michael Campbell wrote:
>> If this framework makes such a sweeping expectation it is simply not
>> usable for professional development.
> And yet, many professional websites do in fact use it.
Yeah, many sites force their rules on their customers instead of
accepting their preferences -- some even force them to use IE.

Not everyone does want to follow such an impolite policy though.
As has been pointed out, there are also other reasons why users
might be forced not to use cookies.

Okay ok, enough with the bickering already...

I have found this feature-lacking when I was learning rails (stilll learning). But
I do recall at least one other framework lacking it too. Anyway, I have always
developed with cookies turned off. This is because I don't want my app to
be dependent on it. So I rolled my own.

Perhaps this is something I can give back to the community. I can release this
code, but how should I go about doing it? What is the preferred way and
where can I get the documentation? I have heard of 'patches' and 'plugins' but have
not looked it up (busy developing :-).

If someone would kindly point me in the right direction, it just might get done sooner.



As was mentioned before, Rails always aims to make the majority of web
applications simple to set up.

If your application has demands that falls outside of this major
percentage then its not as though you're being forced out, you just
have to make a few small alterations to configure it.

There's many embelishments to the rails core that add features that
some applications need, that's why there's the plugin system, in fact
when you solve this problem why not release a plugin that anyone else
who wants the same feature can benfit from?


explains how to write plugins.


I would like to point out here that using cookies for session tracking is a very accepted practice these days. I would recommend that you try an experiment of turning off cookies and javascript and try using the web the way you are used to using it. Even .NET requires cookies and are you willing to make the claim that it is not used for professional applications? I am not aware of any local java shops in my area who bother with the built-in URL re-writing in j2ee anymore. They simply don’t want to bother.

I would have agreed with you in 1997 when some of my clients felt this way. Others, upon hearing the extra cost of using URL rewiriting in java, said to just use cookies. Web developers have stopped putting important data into cookies long ago and the public now trusts them. Most of my students are not even aware that they were once controversial. I would like to propose that we stop worrying about cookies and focus on the more important worrisome issues like XSS, and SQL injection.