rails中使用url传递sessionid

最新推荐文章于 2017-03-24 21:04:53 发布

iteye_11088

最新推荐文章于 2017-03-24 21:04:53 发布

阅读量360

点赞数

分类专栏： Ruby 文章标签： Rails Ruby Mobile Security ActiveRecord

本文链接：https://blog.csdn.net/iteye_11088/article/details/81893395

版权

Ruby 专栏收录该内容

22 篇文章 0 订阅

订阅专栏

Enabling url parameter based sessions in Ruby on Rails

Posted by Paul McMahon on 2010年4月9日

Out of the box, Ruby on Rails uses cookies to store a user's session ID. This is fine for most applications, but doesn't work if your application needs to support browsers that don't support cookies, such as some mobile browsers. Instead of putting the session ID in a cookie, it must be put in the URL. This increases the possibility of session fixation attacks, where one user can take over another's session, however if security isn't paramount, this is an acceptable trade off. See the Ruby on Rails Security Guide for more details on these kinds of attacks.

To enable parameter based sessions in Rails, there are a number of changes you need to make. First, in config/initializers/session_store.rb, change the default file from containing something like

ActionController::Base.session = {
  :key         => '_application_session',
  :secret      => 'secret'
}

ActionController::Base.session = {
  :key         => '_application_session',
  :secret      => 'secret',
  :cookie_only => false # allow session to be loaded from params
}

# Overwrite default cookie based store
ActionController::Base.session_store = :active_record_store

Now Rails can read the session ID from the URL parameters, and doesn't store the session in a cookie (the default behaviour). Besides the ActiveRecord session store, other server based stores, such as the memcache store, work as well.

In addition to enabling Rails to read the session ID from the URL parameters, the session ID must be added as a parameter. The most basic way of doing this is to define default_url_options in the ApplicationController:

def default_url_options(options = nil)
  { request.session_options[:key] => request.session_options[:id] }
end

This will ensure that the session ID is always set in the URL.

The session ID can also be added conditionally, by doing something like the following:

def default_url_options(options = nil)
  if cookies_supported?
    super
  else
    { request.session_options[:key] => request.session_options[:id] }
  end
end

If the session ID is not included in the parameters, it will fall back to the cookie.

iteye_11088

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
rails中使用url传递sessionid

Enabling url parameter based sessions in Ruby on Rails Posted by Paul McMahon on 2010年4月9日 Out of the box, Ruby on Rails uses cookies to store a user's session...
复制链接

扫一扫

专栏目录