Upgrading Rails part 1: ActiveRecordStore for sessions in Rails 2.3
If you, like me, upgraded your application from Rails 2.2 to 2.3 you might have run into some issues. I ran into three, which is why this is a three-part installment of Upgrading Rails.
My application polls for a status message. To provide some level of security, this polling is tied to the session id, which was read from the cookie using JavaScript. As soon as I upgraded to 2.3 this no longer worked: the JavaScript consistently returned nothing. In Safari things worked just fine! Weird. After digging through commits and googling the hell out of it I found the answer. Session cookies are now set with an http_only flag. This means that JavaScript can no longer be used to read the cookie (it is not exposed through document.cookie). That makes Cross Site Scripting a lot less useful to an attacker, who loses one way of obtaining the cookie with the session id. Good move Rails team!
I removed the responsible JavaScript code and worked around it by creating a salt. Works like a charm again!
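As an added example (not the post's own code, and not necessarily how the author implemented the salt), here is one way to do what the workaround above describes in Ruby: derive a polling token from the session id with a server-only secret so the page can hand JavaScript something other than the session id itself, and a small check that a Set-Cookie header really carries HttpOnly. The cookie value, session ids and secret are constructed.

```ruby
require 'openssl'

# Constructed sample of the Set-Cookie header Rails 2.3 emits for its session
# cookie (the cookie value is made up).
SAMPLE_SET_COOKIE = '_myapp_session=BAh7BjoPc2Vzc2lvbl9pZCIlZGVhZGJlZWY%3D; path=/; HttpOnly'.freeze

# True when the named cookie in a Set-Cookie header carries the HttpOnly
# attribute, i.e. the browser will not expose it through document.cookie.
def http_only?(set_cookie_header, cookie_name)
  pair, *attrs = set_cookie_header.split(';').map(&:strip)
  return false unless pair.start_with?("#{cookie_name}=")
  attrs.any? { |a| a.casecmp('httponly').zero? }
end

# Server side: derive a polling token from the session id and a secret that
# only the server knows (assumed to live in your Rails config). The token can
# be rendered into the page for JavaScript without revealing the session id.
def polling_token(session_id, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "poll:#{session_id}")
end

# Constant-time string comparison so a wrong token does not leak how many
# leading bytes matched through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Server side: check the token the poller sent against the session id that
# Rails resolved from the HttpOnly session cookie on the same request.
def valid_polling_token?(session_id, secret, token)
  return false unless token.is_a?(String)
  secure_equal?(polling_token(session_id, secret), token)
end
```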