 

how to force rack:session + sinatra to read "rack.session" from params instead of cookies

I am dealing with OAuth 1.0 (Twitter and Flickr). The website runs on port 80 and the OAuth server runs on port 8080.

Algorithm:

  1. send an AJAX request to the OAuth server to check whether the user has a valid access_token
  2. open the authorization window if the user has no access_token or the access_token is expired
  3. save the access_token in the user's session at the OAuth server
  4. send the sharing data to the OAuth server

It uses Sinatra + Rack::Session + Rack::Session::Sequel + SQLite to store sessions. It sends Set-Cookie: rack.session=id in each response.

I am using two types of request: cross-domain AJAX with jQuery and a usual request with window.open. I have a big security problem passing cookies in the cross-domain AJAX request.

Even though the server's response headers contain

Access-Control-Allow-Headers: *

Chromium throws a security error:

Refused to set unsafe header "Cookie"

I want to avoid this problem by passing rack.session=id in the POST data and loading it:

before "/twitter/connect.json" do
  session = Rack::Session::something(params["rack.session"])
end

But I can't find in the documentation how to do this.

puchu asked Nov 26 '12 11:11


1 Answer

Rack::Session::Abstract::ID has an option called cookie_only that allows the session id to be passed in via the params. However, it defaults to true, and most session middleware implementations don't bother to override it.

Your best bet is probably to monkey patch Rack::Session::Abstract::ID to default cookie_only to false.

Rack::Session::Abstract::ID::DEFAULT_OPTIONS.merge! :cookie_only => false
davogones answered Nov 15 '22 05:11