We’re running an application on Facebook and are using the iframe setting. One of the disadvantages of this approach is that certain browsers, by default, will not accept cookies from third parties, and in our situation the third party is our application. Somewhat surprisingly, the default privacy settings on the various browsers are not what you’d expect them to be; not what I would expect, anyway. IE7 and Safari both refuse third-party cookies by default, while Firefox accepts them. I would have thought it would be the reverse. After all, third-party cookies seem to benefit advertisers more than anyone else.
A third party – using an advertiser as the example – could run an ad on a bunch of different sites in a particular campaign. In theory they could set a cookie every time your browser requests their ad on each of the sites you visit. The advertiser could then pretty easily track your activity from site to site, build a rather insightful picture of who you are, and tailor their ads accordingly.
In any event, the disparate ways cookies are handled in each browser require us to pass the session_id parameter in the URL when necessary. ActionController::Base has a method, ‘default_url_options’, which lets you do what its name suggests: supply parameters that every generated URL will carry.
def default_url_options(options = nil)
  # Did the browser send our probe cookie back? If not, either this is the
  # first request or the browser is refusing third-party cookies.
  cookie_present = !cookies[:_session_id].nil?
  # Set a short-lived probe cookie when none came back.
  cookies[:_session_id] = { :value => 'true', :expires => 10.seconds.from_now } unless cookie_present
  # No cookie came back, so carry the session id in every generated URL.
  # Ajax requests reuse the id already present in params; normal requests use the server-side session id.
  { :_session_id => (request.xhr? ? params[:_session_id] : session.session_id) } unless cookie_present
end
The downside of URL-based sessions is that session hijacking becomes possible, either inadvertently, when someone forwards a URL that already contains the session parameter, or deliberately, when someone realizes that you are using URL-based sessions and uses that against you. There are not a lot of fool-proof ways to handle this, unfortunately. My situation is a little different in that I can depend on another parameter being present in the URL to be sure the session_id belongs to the right person. You’ll have to figure out what works best in your situation.
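As an added example (not code from the post), the same decision logic in plain Ruby, independent of Rails, together with one way to implement the check alluded to above: a session id carried in the URL is honoured only when the server-side session was created for the same user that a separately verified request parameter names. The Hash stand-ins for cookies/params, the SessionStore class and the verified_user parameter are assumptions made for the example.

```ruby
require 'securerandom'

# Per-request decision mirroring default_url_options above, in plain Ruby.
# cookies and params are Hashes standing in for the Rails objects (assumption).
# Returns [url_options, probe_cookie]; probe_cookie is nil when none is needed.
def session_url_options(cookies, params, session_id, xhr)
  # The browser returned the probe cookie: cookies work, keep URLs clean.
  return [{}, nil] if cookies['_session_id']
  # No cookie came back (blocked third-party cookie or first hit): carry the
  # session id in every generated URL and set a short-lived probe cookie.
  id = xhr ? params['_session_id'] : session_id
  [{ '_session_id' => id },
   { 'name' => '_session_id', 'value' => 'true', 'max_age' => 10 }]
end

# Minimal server-side session store (assumption): each session remembers the
# user it was created for, so a URL-carried id can be cross-checked later.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(user)
    id = SecureRandom.hex(16)
    @sessions[id] = { :user => user }
    id
  end

  # Accept a session id taken from the URL only when that session belongs to
  # the user named by an independently verified parameter (the "another
  # parameter" of the post; how it is verified is platform-specific).
  # A forwarded or leaked URL presented by a different user is rejected.
  def accept_url_session?(url_session_id, verified_user)
    record = @sessions[url_session_id]
    !record.nil? && !verified_user.nil? && record[:user] == verified_user
  end
end
```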
Does this solution work for applications that are on the internet?
It will work 23 out of 1,000 times, but this depends on both the platform and your follow speed.