Disabling :cookie_only in the session store in Rails 3?

We have a Rails app which communicates with a PhoneGap-based iPhone app. We are in the process of upgrading the Rails app from Rails 2.3.5 to 3. Due to some issues getting PhoneGap to play nice with Rails's cookies, the Rails app (pre-upgrade) was configured with :cookie_only set to false:

ActionController::Base.session = {
    :key => '_our_key',
    :secret => 'ourreallyreallylongsecret',
    :cookie_only => false
}

This configuration was translated to the following for Rails 3:

OurApp::Application.config.session_store :cookie_store, :key => '_our_key'
OurApp::Application.config.secret_token = 'ourreallyreallylongsecret'

The problem is, I cannot figure out how to use the :cookie_only option in Rails 3. Now, I realize that setting :cookie_only to false is a really bad idea and leads to nasty session fixation exploits. We are certainly planning on fixing this in the future. However, the existing iPhone app relies on this behavior in order to function at all. So I need to be able to get the iPhone app to work for the short run while we overhaul the iPhone app's session stuff.

Looking at the Rails source for CookieStore, it looks like they really don't want us to be able to use that option anymore:

def initialize(app, optio开发者_C百科ns = {})
    super(app, options.merge!(:cookie_only => true))
    freeze
end 

We monkey patched the Rails source to merge in :cookie_only => false, which did not work. We even went so far as to just directly set @cookie_only = false in AbstractStore's initilize method, but it just got ignored. It seems as though the CookieStore implementation no longer honors @cookie_only.

Is there really no way whatsoever to use this functionality in Rails 3? Any help would be GREATLY appreciated.

If anyone else is is the same boat I was, it looks like it is impossible to use the :cookie_only option in Rails 3 without serious modification to the Rails code itself. And with good reason, because using it really is a bad idea from a security standpoint.

If you are also having problems with using cookies in PhoneGap on the iPhone, take a look at this question, it solved our problem and obviated the need for the :cookie_only options: phonegap: cookie based authentication (PHP) not working [webview]

It's extremely easy to do and does not require any patching or modification on Rails code, you just need an initializer with:

Rails.application.config.session_store :active_record_store, cookie_only: false

Note: I am using active_record_store for session storage, but you may be using the default cookies_store or anything else, adapt to your need.

Restart the server, open another browser, be sure there is no cookie on that other browser, and you can access http://your.server/protected/path?session_key=valid_session_id

Keep in mind that, depending on how you use this mechanism, it could makes a bit simpler for someone to steal a session_id from another user. But if you use it wisely it's no different from carrying the session_in in a cookie.

Codebase: Rack::Session::Abstract::ID#extract_session_id https://github.com/rack/rack/blob/master/lib/rack/session/abstract/id.rb#L272