[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
Mike Mangino
mmangino at elevatedrails.com
Thu Jan 29 16:20:47 EST 2009
We set cookies on the initial request to the iframe. Does that cause
problems?
Mike
On Jan 29, 2009, at 2:20 PM, Aaron Nemoyten wrote:
> Check out Safari cookie preferences and you'll see that the default
> option is Accept Cookies: Only from sites you navigate to.
> In Firefox the default equivalent is Accept Third Party Cookies.
>
> If an iFrame is in a different domain from the top site, cookies
> will not be accepted if these options are turned off.
>
> Facebook itself will work just fine, but any iframe content from a
> different domain will have no cookie access.
>
> I may have come up with a solution for my current issues that just
> ignores cookies altogether. Sadly, this may be the only choice if
> I want complete reliability.
>
>
>
> ----- Original Message ----
> From: kevin lochner <klochner at gmail.com>
> To: Aaron Nemoyten <swivelmaster at yahoo.com>
> Cc: facebooker-talk at rubyforge.org
> Sent: Thursday, January 29, 2009 11:02:42 AM
> Subject: Re: [Facebooker-talk] Fwd: [rfacebook] Re: How exactly are
> session cookies supposed to work? Will ensure_authenticated use them?
>
> The only case where this is an issue is if they've granted cookie
> access on a site-by-site basis, since you can't use facebook without
> allowing cookies (or at least that has been my experience).
>
> I don't think this should be a priority, since your typical facebook
> user will just allow cookies globally.
>
> On Jan 28, 2009, at 6:33 PM, Aaron Nemoyten wrote:
>
>>
>> WARNING: HORRIBLE HACK STARTS HERE!
>>
>> The best fix I can come up with right now is to remove auth_token
>> from the redirect to top, which will cause a redirect BACK to
>> apps.facebook.com/appname, which will pass in fb_sig params but
>> fail to create the cookie, so the javascript will redirect to top
>> once again, but with fb_sig params in the url, which will create
>> the session correctly with cookies allowed by all browsers, and
>> redirect back into the frame.
>>
>> So now the question is... what if javascript isn't allowed to read
>> the cookie in the first place? Then maybe I have to have Flash
>> ping the server (cookies are automatically sent with Flash
>> requests) and let the server tell Flash if the cookie is correct,
>> and then Flash can call ExternalInterface and force the reload.
>>
>> ...this is all to get around restrictive browser cookie settings.
>> The alternative is to just ask users to change their cookie
>> settings and reload, but that seems like it would have a lower
>> success rate.
>>
>> -Aaron
>>
>>
>>
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
>
--
Mike Mangino
http://www.elevatedrails.com
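
Added example, not part of the thread and not Facebooker code: one way to keep an iframe session when the browser refuses the third-party cookie, as the quoted discussion considers, is to fall back to a short-lived HMAC-signed token carried in a request parameter. The secret, the `st` parameter name, the `session_id` cookie name and all helper names are assumptions.

```ruby
require "openssl"

# Assumed values for this example; not taken from the thread or from Facebooker.
SECRET    = "constructed-demo-secret" # server-side key, never sent to the browser
TOKEN_TTL = 300                       # seconds; kept short because URLs end up in logs

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Token format (hypothetical): "<numeric user id>.<expiry epoch>.<hex HMAC>"
def issue_token(user_id, now = Time.now.to_i)
  payload = "#{user_id}.#{now + TOKEN_TTL}"
  "#{payload}.#{sign(payload)}"
end

# Constant-time comparison so the check does not reveal how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user id when the token is well formed, authentic and unexpired.
def verify_token(token, now = Time.now.to_i)
  user_id, expires, mac = token.to_s.split(".", 3)
  return nil unless mac && user_id.match?(/\A\d+\z/) && expires.match?(/\A\d+\z/)
  return nil unless secure_equal?(sign("#{user_id}.#{expires}"), mac)
  expires.to_i > now ? user_id : nil
end

# Prefer the cookie session; fall back to the signed parameter when the
# cookie was never stored because the iframe is on a different domain.
def current_user(cookies, params, sessions, now = Time.now.to_i)
  sid = cookies["session_id"]
  return [sessions[sid], :cookie] if sid && sessions.key?(sid)
  user = verify_token(params["st"], now)
  user ? [user, :signed_param] : [nil, :none]
end
```

A token in a URL is exposed through server logs and Referer headers, so the lifetime stays short and the frame should be served over HTTPS.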