[Facebooker-talk] Fwd: [rfacebook] Re: How exactly are session cookies supposed to work? Will ensure_authenticated use them?

Matthew Beale mixonic at synitech.com
Fri Jan 30 11:12:36 EST 2009


On Thu, 2009-01-29 at 16:20 -0500, Mike Mangino wrote:
> We set cookies on the initial request to the iframe. Does that cause  
> problems?
> 

Yes.  IE6 and Safari have default behavior disabling cookies in an
iframe.

I create a facebook session on the first page the same way you would
secure from a profile, then the tomfoolery begins.  I reset the session
in case they had a session at www.  Each page is foo.iframe, so I can
key off the page format as iframe.  I've also written something named
the "stash" where you throw data like a session- some of the methods
like current_user test for iframe format and fetch the user from the
stash or session based on that.

The stash idea isn't the most secure- it's pretty much a
session-in-the-url trick.  A key is passed on every request (but there
are helpers for that).  It's at least secured by IP and expiry.

It's a pretty seamless system now that it's in place.  But yes, you
cannot reliably use cookies (and therefore the rails session) in an
iframe.

-- 
Matthew Beale :: 607 227 0871
Resume & Portfolio @ http://madhatted.com
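The "stash" Matthew describes (a key passed in the URL on every request, bound to the client IP and an expiry) as an added example; this is not Facebooker's code or the implementation from his post, and the class name, the TTL value and the injectable clock are assumptions made here:

```ruby
require 'securerandom'

# Minimal server-side "stash" for cookie-less iframe pages. The key travels in
# the URL, so anything that sees the URL (Referer headers, proxy and server
# logs, browser history) sees the key; binding each entry to the client IP and
# expiring it quickly limits what a leaked key is worth.
class IframeStash
  TTL = 15 * 60 # seconds; constructed value, not from the original post

  # clock is injectable so expiry can be exercised deterministically
  def initialize(clock: -> { Time.now })
    @entries = {}
    @clock = clock
  end

  # Store session data for the given client IP; returns the random URL key.
  def put(data, ip)
    key = SecureRandom.hex(16)
    @entries[key] = { data: data, ip: ip, expires_at: @clock.call + TTL }
    key
  end

  # Return the stored data only if the key is known, unexpired and presented
  # from the same IP it was issued to; otherwise drop the entry and return nil.
  def fetch(key, ip)
    entry = @entries[key]
    return nil unless entry
    if @clock.call > entry[:expires_at] || entry[:ip] != ip
      @entries.delete(key)
      return nil
    end
    entry[:data]
  end

  # Helper for the "key on every request" part: append the key to a path.
  def url_with_key(path, key)
    sep = path.include?('?') ? '&' : '?'
    "#{path}#{sep}stash_key=#{key}"
  end
end
```

A real deployment would back this with the Rails cache or database rather than an in-process Hash, and should also rotate the key on privilege changes.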

> Mike
> 
> On Jan 29, 2009, at 2:20 PM, Aaron Nemoyten wrote:
> 
> > Check out Safari cookie preferences and you'll see that the default  
> > option is Accept Cookies:  Only from sites you navigate to.
> > In Firefox the default equivalent is Accept Third Party Cookies.
> >
> > If an iFrame is in a different domain from the top site, cookies  
> > will not be accepted if these options are turned off.
> >
> > Facebook itself will work just fine, but any iframe content from a  
> > different domain will have no cookie access.
> >
> > I may have come up with a solution for my current issues that just  
> > ignores cookies all together.  Sadly, this may be the only choice if  
> > I want complete reliability.
> >
> >
> >
> > ----- Original Message ----
> > From: kevin lochner <klochner at gmail.com>
> > To: Aaron Nemoyten <swivelmaster at yahoo.com>
> > Cc: facebooker-talk at rubyforge.org
> > Sent: Thursday, January 29, 2009 11:02:42 AM
> > Subject: Re: [Facebooker-talk] Fwd: [rfacebook] Re: How exactly are  
> > session cookies supposed to work? Will ensure_authenticated use them?
> >
> > The only case where this is an issue is if they've granted cookie  
> > access on
> > a site-by-site basis, since you can't use facebook without allowing  
> > cookies
> > (or at least that has been my experience).
> >
> > I don't think this should be a priority, since your typical facebook  
> > user will
> > just allow cookies globally.
> >
> > On Jan 28, 2009, at 6:33 PM, Aaron Nemoyten wrote:
> >
> >>
> >> WARNING:  HORRIBLE HACK STARTS HERE!
> >>
> >> The best fix I can come up with right now is to remove auth_token  
> >> from the redirect to top, which will cause a redirect BACK to  
> >> apps.facebook.com/appname, which will pass in fb_sig params but  
> >> fail to create the cookie, so the javascript will redirect to top  
> >> once again, but with fb_sig params in the url, which will create  
> >> the session correctly with cookies allowed by all browsers, and  
> >> redirect back into the frame.
> >>
> >> So now the question is...  what if javascript isn't allowed to read  
> >> the cookie in the first place.  Then maybe I have to have Flash  
> >> ping the server (cookies are automatically sent with Flash  
> >> requests) and let the server tell Flash if the cookie is correct,  
> >> and then Flash can call ExternalInterface and force the reload.
> >>
> >> ...this is all to get around restrictive browser cookie settings.   
> >> The alternative is to just ask users to change their cookie  
> >> settings and reload, but that seems like it would have a lower  
> >> success rate.
> >>
> >> -Aaron
> >>
> >>
> >>
> >> _______________________________________________
> >> Facebooker-talk mailing list
> >> Facebooker-talk at rubyforge.org
> >> http://rubyforge.org/mailman/listinfo/facebooker-talk
> >
> >
> >
> 
> --
> Mike Mangino
> http://www.elevatedrails.com
> 
> 
> 
