Ruby on Rails
Wednesday, August 5, 2015
On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote:
The new session id is created when the HTTP request header contains 'Pragma'='no-cache' on our RoR environment. Our goal is that the session id is preserved if the HTTP request header contains 'Pragma'='no-cache'. Please let us know how to preserve the session id. The detailed sequence is shown below:

1. The user downloads the Microsoft Word file from the RoR application, and opens that file using 'Protected View'.
2. The user clicks the URL link which is written in that Word file. The clicked URL link points to a page which is located on that RoR application.
3. On opening that URL link, the HTTP request header contains 'Pragma'='no-cache', and the new session id is created with the HTTP response header which contains 'Set-Cookie'.

If the user opens that file not using 'Protected View' in step 1, the session id is preserved in step 3. The HTTP request header doesn't contain 'Pragma'='no-cache'.
I can't find much documentation for Protected View, but there's some indication that it may be fiddling with the context that the web request uses when you click on the link:
https://onmessages.wordpress.com/2015/01/19/a-security-problem-has-occurred-in-word/
This may be a security restriction to prevent malicious documents from including hyperlinks to third-party sites that rely on the user's existing cookies to do XSS.
-- Matt Jones
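An added diagnostic for the behaviour described in this thread (not code from either poster): a Rack middleware that records, per request, whether 'Pragma: no-cache' arrived, whether the app's session cookie came with the request, and whether the response issued a new one via Set-Cookie, so a request made from Protected View can be compared with a normal one in the logs. The session cookie name '_app_session' and the sink callable are assumptions; substitute the app's own session_store key.

```ruby
# Added example, not from the thread. Hypothetical cookie name and sink.
class SessionCookieProbe
  SESSION_KEY = '_app_session' # assumption: replace with your session_store key

  def initialize(app, sink:, session_key: SESSION_KEY)
    @app, @sink, @key = app, sink, session_key
  end

  def call(env)
    status, headers, body = @app.call(env)
    @sink.call(classify(env, headers)) # e.g. ->(r) { Rails.logger.info(r) }
    [status, headers, body]
  end

  # Describes what happened to the session cookie on one request/response pair.
  def classify(env, headers)
    pragma_no_cache = env['HTTP_PRAGMA'].to_s.split(',')
                                       .any? { |v| v.strip.casecmp?('no-cache') }
    sent   = cookie_names(env['HTTP_COOKIE']).include?(@key)
    issued = set_cookie_values(headers).any? { |c| c.start_with?("#{@key}=") }
    verdict =
      if !sent && issued then :new_session       # no cookie arrived, server minted one
      elsif sent && issued then :session_rotated # cookie arrived but was replaced
      elsif sent then :session_preserved
      else :no_session
      end
    { path: env['PATH_INFO'], pragma_no_cache: pragma_no_cache,
      cookie_sent: sent, cookie_issued: issued, verdict: verdict }
  end

  private

  # Cookie names from a Cookie request header ("a=1; b=2" -> ["a", "b"]).
  def cookie_names(header)
    header.to_s.split(/;\s*/).map { |pair| pair.split('=', 2).first.to_s.strip }
  end

  # Set-Cookie may be a String (possibly "\n"-joined, Rack 2) or an Array
  # (Rack 3), under either 'Set-Cookie' or 'set-cookie'.
  def set_cookie_values(headers)
    raw = headers.find { |k, _| k.to_s.casecmp?('set-cookie') }&.last
    Array(raw).flat_map { |v| v.to_s.split("\n") }
  end
end
```

A request classified as :new_session with pragma_no_cache true and cookie_sent false confirms that the Protected View request never carried the existing cookie, which is what Matt's hypothesis predicts.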