[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?

Aaron Nemoyten swivelmaster at yahoo.com
Thu Jan 29 16:28:16 EST 2009


The assumption that it worked is what is causing the problems :)

I just tried out a proof of concept that avoids cookies completely.

Here's the gist of it:

application.rb:
  def authenticate_with_session_id_only
    if params[:mc_session_id]
      # Look up the stored Rails session by the id carried in our own link parameter
      stored = CGI::Session::ActiveRecordStore::Session.find_by_session_id(params[:mc_session_id])
      if stored && stored.data[:facebook_session]
        set_facebook_session stored.data[:facebook_session]
      else
        # Unknown or stale session id: fall back to the redirect instead of raising on nil
        render_javascript_redirect
      end
    else
      render_javascript_redirect
    end
  end

Facebooker's controller.rb
  def set_facebook_session provided_session = nil #! added
    # An explicitly provided session is tried first; cookies are now the last resort
    returning session_set = use_provided_session(provided_session) || secure_with_facebook_params! || secure_with_token! || session_already_secured? || secure_with_cookies! do #! switched order, added provided_session
      if session_set
        capture_facebook_friends_if_available!
        Session.current = facebook_session
      end
    end
  end

  def use_provided_session p
    @facebook_session = p if p
  end

Then I'm passing around a parameter that has the session key but with our own name - mc_session_id - in link_to tags and (pending implementation over the next hour) from Flash.

-Aaron




----- Original Message ----
From: Mike Mangino <mmangino at elevatedrails.com>
To: Aaron Nemoyten <swivelmaster at yahoo.com>
Cc: kevin lochner <klochner at gmail.com>; facebooker-talk at rubyforge.org
Sent: Thursday, January 29, 2009 1:20:47 PM
Subject: Re: [Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?

We set cookies on the initial request to the iframe. Does that cause problems?

Mike

On Jan 29, 2009, at 2:20 PM, Aaron Nemoyten wrote:

> Check out Safari cookie preferences and you'll see that the default option is Accept Cookies:  Only from sites you navigate to.
> In Firefox the default equivalent is Accept Third Party Cookies.
> 
> If an iFrame is in a different domain from the top site, cookies will not be accepted if these options are turned off.
> 
> Facebook itself will work just fine, but any iframe content from a different domain will have no cookie access.
> 
> I may have come up with a solution for my current issues that just ignores cookies altogether.  Sadly, this may be the only choice if I want complete reliability.
> 
> 
> 
> ----- Original Message ----
> From: kevin lochner <klochner at gmail.com>
> To: Aaron Nemoyten <swivelmaster at yahoo.com>
> Cc: facebooker-talk at rubyforge.org
> Sent: Thursday, January 29, 2009 11:02:42 AM
> Subject: Re: [Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?
> 
> The only case where this is an issue is if they've granted cookie access on
> a site-by-site basis, since you can't use facebook without allowing cookies
> (or at least that has been my experience).
> 
> I don't think this should be a priority, since your typical facebook user will
> just allow cookies globally.
> 
> On Jan 28, 2009, at 6:33 PM, Aaron Nemoyten wrote:
> 
>> 
>> WARNING:  HORRIBLE HACK STARTS HERE!
>> 
>> The best fix I can come up with right now is to remove auth_token from the redirect to top, which will cause a redirect BACK to apps.facebook.com/appname, which will pass in fb_sig params but fail to create the cookie, so the javascript will redirect to top once again, but with fb_sig params in the url, which will create the session correctly with cookies allowed by all browsers, and redirect back into the frame.
>> 
>> So now the question is...  what if javascript isn't allowed to read the cookie in the first place.  Then maybe I have to have Flash ping the server (cookies are automatically sent with Flash requests) and let the server tell Flash if the cookie is correct, and then Flash can call ExternalInterface and force the reload.
>> 
>> ...this is all to get around restrictive browser cookie settings.  The alternative is to just ask users to change their cookie settings and reload, but that seems like it would have a lower success rate.
>> 
>> -Aaron
>> 
>> 
>> 
>> _______________________________________________
>> Facebooker-talk mailing list
>> Facebooker-talk at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/facebooker-talk
> 
> 
> 

--
Mike Mangino
http://www.elevatedrails.com
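The mc_session_id handoff above carries a raw server session id in links and Flash requests, where it is a bearer secret that can leak through Referer headers and logs. As an added example (not Facebooker's code and not from anyone in this thread), the following Ruby binds the session id to the Facebook user id from the signed fb_sig params and an expiry under an HMAC, so a leaked token cannot be replayed for another user or after it expires. The app secret, the TTL and the assumption that session ids contain no '|' are mine.

```ruby
require 'openssl'

# Added example: a signed, short-lived handoff token to carry in a link or
# Flash request instead of the raw mc_session_id. It binds the server session
# id to the Facebook user id taken from the signed fb_sig params.
module SessionHandoff
  APP_SECRET = 'constructed-secret-for-this-example' # placeholder, never a real value
  TTL = 300 # seconds a token stays valid

  # HMAC-SHA256 over the pipe-joined payload (assumes session ids contain no '|')
  def self.sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', APP_SECRET, payload)
  end

  # Compare two hex digests without leaking where they first differ
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Issue a token for session_id on behalf of fb_uid (the fb_sig_user value)
  def self.issue(session_id, fb_uid, now = Time.now.to_i)
    payload = [session_id, fb_uid, now + TTL].join('|')
    "#{payload}|#{sign(payload)}"
  end

  # Return the session id if the token is intact, unexpired and bound to the
  # uid the current request's signed fb_sig params identify; nil otherwise.
  def self.verify(token, fb_uid, now = Time.now.to_i)
    return nil unless token.is_a?(String)
    session_id, uid, expires, mac = token.split('|', 4)
    return nil if mac.nil?
    return nil unless secure_equal?(mac, sign([session_id, uid, expires].join('|')))
    return nil unless uid == fb_uid.to_s
    return nil if expires.to_i <= now
    session_id
  end
end
```

The verifying controller would pass the uid from fb_sig_user (already checked by secure_with_facebook_params!) and only then load the stored Rails session by the returned id.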



