I have a Rails's application and i saved user's session in sessions table. It's run on domain example.com
Now I'm developing a CakePHP's application run on subdomain cakephp.example.com. How can i reuse session from Rails's app? Thanks in advance.
Yes it can although I'm not sure why you would want to. Assuming you are using Cookie Store the session is simply base64 encoded.
$rails_session = base64_decode($_COOKIE['_foobar_session']);
Obviously you need to replace the cookie name. Additionally you won't be able to modify the rails session and use it in rails again because there are some security restrictions to tampering with it. You can disable them but I wouldn't suggest doing that.
Another option is to store the session in the database in which case you can access it just like you would for any data.
EDIT: After rereading your question it seems like you would want to read the session in initially like I stated above and use that to create a new session in cakephp.
Related
I want to store a non-critical non-confidential piece of information in the user's session in a Ruby on Rails app. The user model is set up with Devise. How do I do this? Various guides give conflicting and incomplete information about it. session[:foo]? user_session[:foo]? Do I need to set something up to be able to use whichever it is - e.g. get a gem, config something, or insert any lines before setting the session variable?
To provide context - the user may be creating multiple new items back-to-back, so it would be nice if the new form remembered and pre-selected the category based on what they selected previously. If there's a better way to do this, I'm open to suggestions. I'm new to all this. Thank you!!
Are session variables in 'session' or 'user_session' in Rails?
The simple answer is the session variables is named session.
A session usually consists of a hash of values and a session id, usually a 32-character string, to identify the hash. Every cookie sent to the client's browser includes the session id. And the other way round: the browser will send it to the server on every request from the client. In Rails you can save and retrieve values using the session method:
session[:cat_id] = cat_id
Category.find(session[:cat_id])
You can read this Rails Guide about session.
ActionDispatch::Session::CookieStore
The default Rails session object is accessible via the session helper method. It gives you an access to some chunks of data and is bound to a cookie value stored in your browser.
The user_session helper is provided by the Devise gem. It gives you additional security by restricting access to specific session data while user is authenticated on a server.
As I understand one of the strategies to store sessions is store it in the cookie. There is one thing I don't understand from the docs:
To prevent session hash tampering, a digest is calculated from the
session with a server-side secret and inserted into the end of the
cookie.
What does this mean? How do they prevent that, if I get a cookie from another user, and I use it in my browser, I can't pretend I am the other user? I guess I don't understand what session hash tampering means.
How do they prevent that, if I get a cookie from another user, and I
use it in my browser, I can't pretend I am the other user?
This is called session hijacking, and is covered in http://guides.rubyonrails.org/security.html#session-hijacking. The recommended way to to mitigate this is by "always forcing SSL connection in your application config file", like so:
config.force_ssl = true
The whole http://guides.rubyonrails.org/security.html is definitely worth a read, for more goodness like this.
We have a few web applications that share a cookie value ssoid.
When the user logs into our Rails application, we want to set the ssoid value in the cookie but Rails is URL encoding the value by default.
cookies[:ssoid] = session[:token]
Value written to the cookie store is
ABCpRyan0fLwMamiT%2F9GGk2o%2FAPckq1C8PbHCotxmgUk%3D
instead of
ABCpRyan0fLwMamiT/9GGk2o/APckq1C8PbHCotxmgUk=
Is there a way to avoid this?
I think that you can use the memcached gem to store cookies in one commun place and share that cookie across multiple apps you can also take a look at sharing session across rails apps on different subdomains as a subdomain is seen as a different site or app
I hope that I could help.
How do you work with Angular.js to reuse a session at a webserver (rails) after browser refresh/restart? I'm using RestAngular but I don't know how to store the session? The angular.js app is in my Rails app as a View (with the assets of course) and I have csrf protection fixed.
I want it to work like a regular webpage, where you don't have to log in each time.
I believe you need to reuse the session objects which is already available in the webserver.
What I would suggest is that, You could use the browser cookie to retrieve the session objects or else you could store a key in the browser DB which you can send to the server via RestAngular and check whether the session is already available.
If the session is already there then you can send the relevant data through RestAngular to the browser.
Hope this might help.
I have a question about sessions on ruby-on-rails.
We have a several options about session storage such as cookie, active_record_store, etc..
I primarily use the cookie storage, but, there are some client which doesn't support cookie function. In that case, I have to make that client to use the "active_record_store".
My rails version is 2.3.5.
I found out that even though I use the active_record_store, the cookie is still available.
In my situation, both session storage might be available.
So, I want to make the framework to primarily use the cookie, when the cookie is available.
On the other hand, the client doesn't support the cookie, secondly to use the active_record_store.
I think this function requires some override to the framework, but I don't know how to do it.
Do you have any idea for that?
Thank you very much in advance.
If your client can't stock cookie, you can't have a session_store. Even in active_record.
The session system know which session you have with save session_id in cookie. So if your client refuse cookie. You can't have session system.
But your can hack a little to make a system where the cookie store is pass in URL params.