Persisting Session Data When Cookies Are Disabled


Fred Guest

Dec 5, 2013, 10:36:28 PM
to rubyonra...@googlegroups.com
is this possible? i'm serving a rails app into an iframe and i'm testing in chrome with "block third-party cookies" selected because it's not safe to assume that third-party cookies won't be blocked. iframes are treated as third parties so i need the app to function independently of cookies. i've done a boatload of googling and fiddling already, and it seems that even if you change ".config.session_store :cookie_store" to active_record_store or mem_cache_store (plus the additional configuration/gems those entail), the persistence of session data is STILL dependent on the availability of cookies, which is kind of a fake out with regards to the name of that config.

at this point i have resorted to running memcached and putting this:

  def write(k,v)
    Rails.cache.write(request.remote_ip.gsub('.', '')+k,v)
  end

  def read(k)
    Rails.cache.read(request.remote_ip.gsub('.', '')+k)
  end

in my application_controller and using it as i would "session[:foo] = bar" or "session[:foo]". it works, but i don't feel great about it due to the nature of IP addresses. is there a better way to accomplish this?

Frederick Cheung

Dec 6, 2013, 6:34:31 AM
to rubyonra...@googlegroups.com


On Friday, December 6, 2013 3:36:28 AM UTC, Fred Guest wrote:
is this possible? i'm serving a rails app into an iframe and i'm testing in chrome with "block third-party cookies" selected because it's not safe to assume that third-party cookies won't be blocked. iframes are treated as third parties so i need the app to function independently of cookies. i've done a boatload of googling and fiddling already, and it seems that even if you change ".config.session_store :cookie_store" to active_record_store or mem_cache_store (plus the additional configuration/gems those entail), the persistence of session data is STILL dependent on the availability of cookies, which is kind of a fake out with regards to the name of that config.

Yes - a cookie is used to record which database row / memcache key to use. The name of the store implies where the actual session data is stored.

at this point i have resorted to running memcached and putting this:

  def write(k,v)
    Rails.cache.write(request.remote_ip.gsub('.', '')+k,v)
  end

  def read(k)
    Rails.cache.read(request.remote_ip.gsub('.', '')+k)
  end

in my application_controller and using it as i would "session[:foo] = bar" or "session[:foo]". it works, but i don't feel great about it due to the nature of IP addresses. is there a better way to accomplish this?

 
Is it an option for you to pass a session id in the url? Unideal too, but perhaps less unideal than what you currently have. I think this used to be something rails supported, but I seem to remember it getting removed, so you might have to hack that back in.

Fred

Fred Guest

Dec 6, 2013, 6:32:21 PM
to rubyonra...@googlegroups.com
thanks my friend, Freds gotta stick together. yes it seems Rails does not want session ids in urls at all http://guides.rubyonrails.org/action_controller_overview.html#session the other option is to pass around resource ids in urls, it just gets messy. this feels like something a framework should provide a default solution for but i guess not.
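
Added example, not part of any post in this thread: it shows why the IP-derived cache key from the first post cannot tell clients apart, next to a server-issued random token of the kind the reply suggests carrying in the URL. The names `ip_key` and `TokenSessions`, the 20-minute lifetime, and the plain Hash standing in for `Rails.cache` are assumptions made for illustration.

```ruby
require 'securerandom'

# Key derivation from the first post: client IP with the dots removed.
# Distinct addresses can collapse to the same key, and every client behind
# one NAT or proxy address shares a key by construction.
def ip_key(remote_ip, k)
  remote_ip.gsub('.', '') + k.to_s
end

# Hypothetical alternative: the server issues an unguessable token and the
# client returns it in a URL or form parameter instead of a cookie.
class TokenSessions
  TTL = 20 * 60 # seconds; constructed value

  # store: any Hash-like object (stand-in for Rails.cache in this sketch).
  def initialize(store, clock: -> { Time.now.to_i })
    @store = store
    @clock = clock
  end

  # Create an empty session and return its token (32 random bytes).
  def issue
    token = SecureRandom.urlsafe_base64(32)
    @store["sess:#{token}"] = { data: {}, expires_at: @clock.call + TTL }
    token
  end

  # Return the session data, or nil if the token is malformed, unknown or expired.
  def fetch(token)
    return nil unless token.is_a?(String) && token.match?(/\A[A-Za-z0-9_-]{43}\z/)
    entry = @store["sess:#{token}"]
    return nil if entry.nil?
    if entry[:expires_at] <= @clock.call
      @store.delete("sess:#{token}")
      return nil
    end
    entry[:expires_at] = @clock.call + TTL # sliding expiry
    entry[:data]
  end

  # Replace the token (for example after login) so a previously shared URL stops working.
  def rotate(token)
    data = fetch(token) or return nil
    @store.delete("sess:#{token}")
    fresh = issue
    @store["sess:#{fresh}"][:data] = data
    fresh
  end
end
```

A token carried in a URL ends up in server logs, browser history and Referer headers, which is why this sketch expires sessions server-side and rotates the token rather than treating it as long-lived.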