Enabling url parameter based sessions in Ruby on Rails

Posted by Paul McMahon on 2010-04-09

Out of the box, Ruby on Rails uses cookies to store a user's session ID. This is fine for most applications, but doesn't work if your application needs to support browsers that don't support cookies, such as some mobile browsers. Instead of putting the session ID in a cookie, it must be put in the URL. This increases the possibility of session fixation attacks, where one user can take over another's session, however if security isn't paramount, this is an acceptable trade off. See the Ruby on Rails Security Guide for more details on these kinds of attacks.

To enable parameter based sessions in Rails, there are a number of changes you need to make. First, in config/initializers/session_store.rb, change the default file from containing something like

ActionController::Base.session = { :key => '_application_session', :secret => 'secret' }

to

ActionController::Base.session = { :key => '_application_session', :secret => 'secret', :cookie_only => false # allow session to be loaded from params } # Overwrite default cookie based store ActionController::Base.session_store = :active_record_store

Now Rails can read the session ID from the URL parameters, and doesn't store the session in a cookie (the default behaviour). Besides the ActiveRecord session store, other server based stores, such as the memcache store, work as well.

In addition to enabling Rails to read the session ID from the URL parameters, the session ID must be added as a parameter. The most basic way of doing this is to define default_url_options in the ApplicationController:

def default_url_options(options = nil) { request.session_options[:key] => request.session_options[:id] } end

This will ensure that the session ID is always set in the URL.

The session ID can also be added conditionally, by doing something like the following:

def default_url_options(options = nil) if cookies_supported? super else { request.session_options[:key] => request.session_options[:id] } end end

If the session ID is not included in the parameters, it will fall back to the cookie.