
tatyree-cookieless_sessions


  • 0.1.0
  • Rubygems

= Cookieless Sessions

A Rails gem that brings together everything needed to enable cookieless sessions in Rails.

Let's say you're developing a mobile phone site and cookie-based sessions just don't work for a significant segment of your user base. There are various bits of code scattered around, and at least one old gem for dealing with this. However, getting everything together and working requires a good deal of monkey patching. That's where this gem comes in: all the monkey patches together in one place.

== Install

  gem install tatyree-cookieless_sessions --source http://gems.github.com

== Usage

First, you need to set up an alternative session store in environment.rb:

  config.action_controller.session_store = :mem_cache_store

We've only ever used it with the mem_cache_store, but there's no reason that it shouldn't work with any other server-side store.

Next, require it in environment.rb after the Rails::Initializer block:

  require 'cookieless_sessions'

Lastly, you need to add a before_filter to your ApplicationController to check whether cookies are enabled:

  class ApplicationController < ActionController::Base
    # ...
    before_filter :check_cookies

    # ...

    protected

    # ...

    def check_cookies
      # Set a short-lived probe cookie unless the session is already marked cookieless.
      cookies[:_sessions] ||= { :value => 'true', :expires => 30.seconds.from_now } unless session[:cookies_off]

      # No cookies came back from the client: flag the session as cookieless.
      if cookies.blank?
        logger.info "** Cookies appear to be disabled on this session."
        session[:cookies_off] = true
      end
    end
  end

I suggest that, once a session has been set as cookieless, you should not try to change it back (i.e. else; session[:cookies_off] = false; end;). If you do, the current session will be lost if cookie handling flip-flops.

You can customize this method as you see fit. Please note, however, that the gem depends on the :cookies_off session key.

== Gotchas

There aren't very many. Variations of this have been running in production on several of our apps for months now. The main thing to watch out for is phones that can't handle GET and POST variables in the same request (which, if I'm honest, is a bit of a flaky way to do it). Happily, they are becoming rare. The main symptom is a controller method throwing exceptions because the only parameter it receives is the session_id: the phone sees the query string on the form action and discards any other parameters. So far, I've tried incorporating the session_id as a hidden variable in the form. This works fine for passing the parameter, but getting the session handling code to pick it up, and selectively excluding the query parameter from the form action URL, has proven very difficult.
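
The form-side rewrite described above (moving session_id out of the form action's query string and into a hidden field), as an added plain-Ruby example that is not the gem's code. It assumes the parameter is named session_id as in the text; the helper names are hypothetical, and the server-side step of reading the id from the POST body is not covered.

```ruby
require 'uri'
require 'cgi'

# Assumption: the session id travels in a query parameter named "session_id",
# the name used in the Gotchas text; a real app's session key may differ.
SESSION_PARAM = 'session_id'

# Split a form action URL into [url_without_session_param, session_id_or_nil].
# Other query parameters keep their order; a URL with no query is returned as-is.
def split_session_param(action_url, key = SESSION_PARAM)
  uri = URI.parse(action_url)
  return [action_url, nil] if uri.query.nil?

  session_id = nil
  kept = URI.decode_www_form(uri.query).reject do |name, value|
    next false unless name == key
    session_id ||= value # keep the first occurrence, drop any duplicates
    true
  end
  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  [uri.to_s, session_id]
end

# Build the opening <form> tag plus a hidden field carrying the session id,
# so the POST body is the only place the id appears in the request.
# Every interpolated value is HTML-escaped before it reaches the markup.
def form_open_with_hidden_session(action_url, key = SESSION_PARAM)
  clean_url, session_id = split_session_param(action_url, key)
  html = %(<form action="#{CGI.escapeHTML(clean_url)}" method="post">)
  unless session_id.nil?
    html += %(<input type="hidden" name="#{CGI.escapeHTML(key)}" ) +
            %(value="#{CGI.escapeHTML(session_id)}" />)
  end
  html
end

# Constructed sample input, not taken from the gem or any real application.
SAMPLE_ACTION = '/orders/create?session_id=abc123&step=2'

if __FILE__ == $PROGRAM_NAME
  puts split_session_param(SAMPLE_ACTION).inspect
  puts form_open_with_hidden_session(SAMPLE_ACTION)
end
```

The same split_session_param helper can be applied to request URLs before they are written to logs, since the cleaned URL no longer contains the session id.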

== Credits


Package last updated on 10 Aug 2014
