From: Andi Scharfstein <mail@...>
Date: 2008-09-17T03:24:05+09:00
Subject: [ruby-core:18635] CGI Session IDs

Hello,
having recently had to implement some web stuff just using the core
libraries, I got bitten by the fact that CGI::Session.new will not
respect a given session_id when creating a new session entirely from
scratch, i.e.

         cgi = CGI.new("html4")
         sess = CGI::Session.new(cgi,
                                "new_session" => true,
                                "session_key" => "foo",
                                "session_id" => "bar")

will NOT create a session where sess.session_id == "bar", but rather a
session where the session id is created by calling CGI::Session.create_new_id.
This is still true for the most recent 1.9 version of session.rb.

I was wondering if this was in fact the desired behaviour, since at
least the old Pickaxe book seems to indicate otherwise:
(quoting http://www.ruby-doc.org/docs/ProgrammingRuby/html/web.html)

      cgi = CGI.new("html3")
      sess = CGI::Session.new( cgi, "session_key" => "rubyweb",
                          "session_id"  => "9650",
                          "new_session" => true,
                          "prefix" => "web-session.")
      sess["CustID"] = 123
      sess["Part"] = "ABC"

   "This will send a cookie to the user named ``rubyweb'' with a
   value of 9650. It will also create a disk file in
   $TMP/web-session.9650 with the key, value pairs for CustID
   and Part."

Also, the library documentation has this to say:

    # session_id:: the session id to use.  If not provided, then
    #              it is retrieved from the +session_key+ parameter
    #              of the request, or automatically generated for
    #              a new session.

What do you think?

-- 
Bye: Andi S.                          mailto:mail@synchron.org