How to make Rack::Session + Sinatra read "rack.session" from parameters instead of cookies

I am dealing with OAuth 1.0 (Twitter and Flickr). The website runs on port 80, and the OAuth server runs on port 8080.

Algorithm:

  • send ajax request to oauth server to check if user has valid access_token
  • open the authorization window if the user does not have access_token or access_token has expired.
  • save access_token in user session on oauth server
  • send sharing data to oauth server

It uses Sinatra + Rack::Session + Rack::Session::Sequel + SQLite to store sessions. It sends Set-Cookie: rack.session=id in each response.

I use 2 types of request: cross-domain AJAX with jQuery and a regular request with window.open. I have a big cookie security issue for cross-domain AJAX requests.

No matter what the server response headers contain

Access-Control-Allow-Headers: *

Chrome will raise a security error:

Refused to set unsafe cookie header

I want to avoid this problem by passing rack.session=id when sending data and loading:

  before "/twitter/connect.json" do
    session = Rack::Session::something(params["rack.session"])
  end

But I cannot find in the documentation how to do this.

+6
1 answer

Rack::Session::Abstract::ID has a cookie_only option that allows you to pass a session identifier through parameters. However, the default is true, and most session middleware implementations do not bother to override it.

It is probably best to monkey-patch Rack::Session::Abstract::ID so that cookie_only defaults to false:

  Rack::Session::Abstract::ID::DEFAULT_OPTIONS.merge! :cookie_only => false
+1
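To make the lookup order concrete, here is a small stand-alone Ruby sketch, added here as an illustration; it is neither the asker's code nor Rack's own source. It mirrors how Rack::Session::Abstract::ID is understood to resolve a session id: the session cookie is consulted first, and the request parameter only when cookie_only is false. The env hashes, session ids and in-memory store are constructed for the example; SessionIdExtractor and resolve are assumed names, and the rule that an id unknown to the store is replaced by a fresh one is assumed to mirror what Rack's store-backed sessions do.

```ruby
require "cgi"
require "securerandom"

# Stand-in for Rack::Session::Abstract::ID's id lookup (assumed to mirror it):
# the session cookie wins; the request parameter is only consulted when
# cookie_only is false.
class SessionIdExtractor
  def initialize(key: "rack.session", cookie_only: true)
    @key = key
    @cookie_only = cookie_only
  end

  # env is a plain hash standing in for the Rack env of one request.
  def extract(env)
    sid = parse_cookies(env["HTTP_COOKIE"])[@key]
    sid ||= parse_query(env["QUERY_STRING"])[@key] unless @cookie_only
    sid
  end

  # Adopt a caller-supplied id only if the store already knows it; otherwise
  # mint a fresh id (assumed to mirror Rack's store-backed sessions), so a
  # client cannot fix its own session id by naming one in the URL.
  def resolve(env, store)
    sid = extract(env)
    return [sid, store[sid]] if sid && store.key?(sid)
    fresh = SecureRandom.hex(16)
    store[fresh] = {}
    [fresh, store[fresh]]
  end

  private

  def parse_cookies(header)
    return {} if header.nil? || header.empty?
    header.split(/;\s*/).each_with_object({}) do |pair, acc|
      name, value = pair.split("=", 2)
      acc[name] = value
    end
  end

  def parse_query(query)
    return {} if query.nil? || query.empty?
    CGI.parse(query).transform_values(&:first)
  end
end

# Constructed sample requests: a cross-origin XHR arrives without cookies,
# while a same-origin request carries the cookie alongside the parameter.
AJAX_ENV   = { "QUERY_STRING" => "rack.session=sid-from-param", "HTTP_COOKIE" => "" }
COOKIE_ENV = { "QUERY_STRING" => "rack.session=sid-from-param",
               "HTTP_COOKIE"  => "rack.session=sid-from-cookie; other=1" }

if __FILE__ == $PROGRAM_NAME
  strict  = SessionIdExtractor.new(cookie_only: true)
  relaxed = SessionIdExtractor.new(cookie_only: false)
  p strict.extract(AJAX_ENV)     # nil: parameter ignored under the default
  p relaxed.extract(AJAX_ENV)    # "sid-from-param"
  p relaxed.extract(COOKIE_ENV)  # "sid-from-cookie": the cookie still wins
  store = { "sid-from-param" => { "user" => "alice" } }
  p relaxed.resolve(AJAX_ENV, store).first                   # "sid-from-param": known id adopted
  p relaxed.resolve(AJAX_ENV, {}).first == "sid-from-param"  # false: unknown id replaced
end
```

Two points of the design are worth keeping in mind when relaxing cookie_only. First, the cookie still takes precedence, so a same-origin request that carries both never switches sessions because of the parameter. Second, an id that arrives in a query string is visible in access logs and Referer headers in a way a cookie is not, which is why the store check matters: an id the store has never issued is discarded and a fresh one minted rather than adopted from the request.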
