That's not to say it was perfectly simple to get working with Rails. Because Dibs.net accepts uploads only from logged-in users, I ran into two limitations that would not allow me to use this solution:
- Flash doesn't send the cookies from the browser (at least it doesn't in Firefox; it might in IE)
- Rails doesn't support non-cookie sessions
Because Flash doesn't send the session cookie, Rails thinks the request is coming from a new, logged-out user and creates a new session for it. Adding a cookies feature to Flash was well out of my hands since I don't work for Adobe, so I looked into a way to restore the session from a session key passed as a URL parameter. After some experimentation, I found a solution that works great.
I use a modified version of the acts_as_authenticated plugin. Upon authentication, the plugin sets the :user session key to the authenticated user's id. You'll need to adapt for your own configuration.
Example Rails Code
Then we include the session id as a parameter in the form's action URL in the view:
How it works
Under normal circumstances the acts_as_authenticated plugin sets the @current_user instance variable to the current logged-in user at the start of each request. Since we have no session data when a Flash app hits the controller, there's effectively no current_user. Our goal is to get current_user working, so we:
- turn sessions off for the relevant action; otherwise Rails will create useless sessions any time Flash hits that action
- prepend a before filter to set the
- require login for most of the actions, including
In the before_filter, we grab the session data from whatever session store we're using, decode and unmarshal it, and set the @current_user instance variable to the User we find with the id we get from the session hash.
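The lookup described above, as a plain-Ruby sketch added here; it is not the code from the original post. SESSION_STORE, USERS, SESSION_ID_FORMAT and user_from_session_param are hypothetical names, the store contents are constructed sample data, and the 32-hex-character session id format is an assumption about the session store in use.

```ruby
# Constructed stand-ins (assumptions, not from the original post):
# SESSION_STORE mimics a server-side store: session id => Base64(Marshal(session hash)).
# USERS mimics the users table keyed by id.
User = Struct.new(:id, :login)
USERS = { 42 => User.new(42, "alice") }.freeze
SESSION_STORE = {
  # a logged-in session: the plugin stored the user's id under :user
  "0123456789abcdef0123456789abcdef" => [Marshal.dump({ user: 42 })].pack("m0"),
  # a logged-out session: no :user key
  "ffffffffffffffffffffffffffffffff" => [Marshal.dump({})].pack("m0")
}.freeze

# Assumed session id shape: 32 lowercase hex characters.
SESSION_ID_FORMAT = /\A[0-9a-f]{32}\z/

# Returns the User tied to the session id passed as a URL parameter, or nil
# when the id is malformed, unknown, logged out, or the stored entry is corrupt.
def user_from_session_param(session_id, store: SESSION_STORE, users: USERS)
  # The parameter is attacker-controllable: check its shape before it is
  # used as a store key (file name, SQL value, cache key, ...).
  return nil unless session_id.is_a?(String) && session_id.match?(SESSION_ID_FORMAT)

  encoded = store[session_id]
  return nil if encoded.nil?

  # Marshal.load only ever sees bytes read from the server-side store,
  # never bytes taken from the request itself.
  data = Marshal.load(encoded.unpack1("m0"))
  return nil unless data.is_a?(Hash)

  users[data[:user]]
rescue ArgumentError, TypeError
  nil # corrupt or truncated store entry
end
```

In a controller, the before filter would assign the returned user to @current_user and treat nil as "not logged in".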
Simple? Not really. But it works!
I couldn't find much documentation on any of this beyond stomping through the Rails code & Ruby's CGI Standard Library docs.
Update: A Word of Caution
I forgot to mention when I published this earlier that there's a reason parameterized sessions are discouraged: browsers will send the entire current link, including the session id, in referer headers to offsite hosts. This doesn't affect Dibs.net's Flash upload, but in other scenarios use the above with caution, or with SSL.