tatyree-cookieless_sessions 0.1.0

data/README.rdoc

@@ -0,0 +1,74 @@
+= Cookieless Sessions
+
+A rails gem that brings together everything needed to enable cookieless sessions in rails. 
+
+Let's say you're developing a mobile phone site and cookie-based sessions just don't
+work for a significant segment of your user base.  There are various bits of code scattered
+around, and at least one old gem for dealing with this.  However, getting everything
+together and working requires a good deal of monkey patching.  That's where this gem
+comes in: all the monkey patches together in one place.  
+
+== Install 
+
+  gem install tatyree-cookieless_sessions --source http://gems.github.com
+
+== Usage
+
+First, you need to set up an alternative session store in environment.rb
+
+  config.action_controller.session_store = :mem_cache_store
+
+We've only ever used it with the mem_cache_store, but there's no reason 
+that it shouldn't work with any other server-side store. 
+
+Next, require it in environment.rb after the Rails::Initializer block:
+
+  require 'cookieless_sessions'
+
+Lastly, you need to add a before_filter to your ApplicationController
+to check to see if cookies are enabled:
+
+  class ApplicationController < ActionController::Base
+  ...
+  before_filter :check_cookies
+
+  ...
+  
+  protected
+  
+  ...
+  
+  def check_cookies
+    cookies[:_sessions] ||= { :value => 'true', :expires => 30.seconds.from_now } unless session[:cookies_off]
+
+    if cookies.blank? 
+      logger.info "** Cookies appear to be disabled on this session."
+      session[:cookies_off] = true
+    end
+  end 
+
+I suggest that, once a session has been set as cookieless, you should not try to 
+change it back (i.e. <tt>else; session[:cookies_off] = false; end;</tt>).  If you do, 
+the current session will be lost if cookie handling flip-flops.
+
+You can customize this method as you see fit.  Please note, however, that the gem
+depends on the :cookies_off session key.  
+
+== Gotchas
+
+There aren't very many.  Variations of this have been running in production on several
+of our apps for months now.  The main thing to watch out for is phones that can't handle
+GET and POST variables in the same request (which, if I'm honest, is a bit of a flakey
+way to do it). Happily, they are becoming rare.  The main symptom is a controller method 
+throwing exceptions because the only parameter it receives is the session_id: The phone
+sees the query string on the form action and discards any other parameters.  So far, I've
+tried incorporating the session_id as a hidden variable in the form.  This works fine for
+passing the parameter, but getting the session handling code to pick it up, and selectively 
+excluding the query parameter from the form action url has proven very difficult.  
+
+== Credits
+
+* {The original source of the main monkey patch}[http://dev.rubyonrails.org/ticket/10900]
+* {Changing sessions options in rails}[http://wiki.rubyonrails.org/rails/pages/HowtoChangeSessionOptions]
+* {The fatdrive.tv cookieless session plugin}[http://wiki.rubyonrails.org/rails/pages/HowtoChangeSessionOptions]
+* {The original source of the default_url_options example}[http://brantinteractive.com/2008/05/13/cookieless-sessions-in-rails/]

data/Rakefile

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'rake'
+require 'echoe'
+
+Echoe.new('cookieless_sessions', '0.1.0') do |p|
+  p.description    = "Allow cookieless sessions in Rails."
+  p.url            = "http://github.com/tatyree/cookieless_sessions"
+  p.author         = "Todd Tyree"
+  p.email          = "todd@snappl.co.uk"
+  p.ignore_pattern = ["tmp/*", "script/*"]
+  p.development_dependencies = []
+end

data/cookieless_sessions.gemspec

@@ -0,0 +1,31 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{cookieless_sessions}
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Todd Tyree"]
+  s.date = %q{2009-02-07}
+  s.description = %q{Allow cookieless sessions in Rails.}
+  s.email = %q{todd@snappl.co.uk}
+  s.extra_rdoc_files = ["lib/cookieless_sessions.rb", "README.rdoc"]
+  s.files = ["cookieless_sessions.gemspec", "init.rb", "lib/cookieless_sessions.rb", "Manifest", "Rakefile", "README.rdoc"]
+  s.has_rdoc = true
+  s.homepage = %q{http://github.com/tatyree/cookieless_sessions}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Cookieless_sessions", "--main", "README.rdoc"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{cookieless_sessions}
+  s.rubygems_version = %q{1.3.1}
+  s.summary = %q{Allow cookieless sessions in Rails.}
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 2
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

data/init.rb

@@ -0,0 +1 @@
+require 'cookieless_sessions'

data/lib/cookieless_sessions.rb

@@ -0,0 +1,83 @@
+module CookielessSessions
+end
+
+class ::CGI #:nodoc:
+  class Session #:nodoc:
+    alias_method :initialize_without_uri_session_key, :initialize
+
+    def initialize(cgi, options = {}, session_id=nil)
+      key = options['session_key']
+
+      if cgi.cookies[key].empty?
+        if !session_id
+          query = ENV['RAW_POST_DATA'] || cgi.query_string || ''
+          session_id = CGI.parse(query)[key].first if cgi.cookies[key].empty?
+        end
+        if session_id
+          cgi.params[key] = session_id
+          options['session_id'] = cgi.params[key]
+        end
+      end
+      @cgi = cgi
+      initialize_without_uri_session_key(cgi, options)
+    end
+  end
+end
+
+# These enable the cookieless sessions required by some mobile phones and operators. 
+ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:cookie_only] = false
+
+module ActionController
+  
+  class Base
+    # Technically, this is a protected method.  However, if you make it protected here and use restful
+    # routes, then any route without parameters loses the session id.  So, users_url(:id => 1) has the 
+    # session_key added, but users_url and users_path do not. 
+    
+    # TODO: Some phones cannot handle GET and POST parameters in the same request.  Ideally, it would be 
+    # possible to prepend the session_key to the path, but this does not seem to be the case with routing
+    # as it stands.
+    
+    # TODO: There ought to be a more elegant way of getting the session_key.  The problem with other methods
+    # is that they do not pick up a custom key at initialization time. 
+    def default_url_options(options = nil)
+      session_key = ApplicationController.session.first[:session_key].to_sym
+      { session_key => (request.xhr? ? params[session_key] : session.session_id) } if session[:cookies_off] == true
+    end
+  end
+  
+  class CgiRequest
+    def session
+      unless defined?(@session)
+        if @session_options == false
+          @session = Hash.new
+        else
+          stale_session_check! do
+            if cookie_only? && query_parameters[session_options_with_string_keys['session_key']]
+              raise SessionFixationAttempt
+            end
+            case value = session_options_with_string_keys['new_session']
+              when true
+                @session = new_session
+              when false
+                begin
+                  @session = CGI::Session.new(@cgi, session_options_with_string_keys, query_parameters[session_options_with_string_keys['session_key']])
+                # CGI::Session raises ArgumentError if 'new_session' == false
+                # and no session cookie or query param is present.
+                rescue ArgumentError
+                  @session = Hash.new
+                end
+              when nil
+                @session = CGI::Session.new(@cgi, session_options_with_string_keys, query_parameters[session_options_with_string_keys['session_key']])
+              else
+              raise ArgumentError, "Invalid new_session option: #{value}"
+            end
+            @session['__valid_session']
+          end
+        end
+      end
+      @session
+    end
+  end
+end
+

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification 
+name: tatyree-cookieless_sessions
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Todd Tyree
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-02-07 00:00:00 -08:00
+default_executable: 
+dependencies: []
+
+description: Allow cookieless sessions in Rails.
+email: todd@snappl.co.uk
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- lib/cookieless_sessions.rb
+- README.rdoc
+files: 
+- cookieless_sessions.gemspec
+- init.rb
+- lib/cookieless_sessions.rb
+- Manifest
+- Rakefile
+- README.rdoc
+has_rdoc: true
+homepage: http://github.com/tatyree/cookieless_sessions
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- --title
+- Cookieless_sessions
+- --main
+- README.rdoc
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "1.2"
+  version: 
+requirements: []
+
+rubyforge_project: cookieless_sessions
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Allow cookieless sessions in Rails.
+test_files: []
+