• Registered: 2012-12-30
  • Posts: 1

Topic: How do I send _session_id other than cookies

I have a typical web application and use session data using session_store :active_record_store in many places. Now, i need to expose some of controller methods as JSON based web service(which I can do with format.json), can be used from my other sub-domains.

My login web-service returns a session id(not sure if this is right way, considering security aspect).

Can I use this session ID to pass with all my subsequent requests as request body rather than header, and let the system use cookie whenever it is requested from a browser? 

Any better ways to achieve this, so that both works (browser based requests and just URL based AJAX requests)?

Thanks in advance for any help!

  • jamesw
  • Administrator
  • Offline
  • From: Leeds, UK
  • Registered: 2008-06-07
  • Posts: 2,702

Re: How do I send _session_id other than cookies

As an authenticated API you will need to implement an http basic authentication and pass the username and password in every request making sure ssl is forced to on for relevant requests/controllers and actions.
There is no other way as api calls from other service4s won't handle the redirect that  is done in a normal UI authentication.
These might help you a lot
http://railscasts.com/episodes/352-secu … =asciicast
http://railscasts.com/episodes/270-auth … -rails-3-1

What you want and what you need are too often not the same thing!
When your head is hurting from trying to solve a problem, stop standing on it. When you are the right way up you will see the problem differently and you just might find the solution.
(Quote by me 15th July 2009)