Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone.
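To make the release note's claim concrete, here is an added example (not Rails code and not from the post) that simulates the two session-handling styles and runs the same fixation attempt against each. The store, the `_session_id` parameter handling and the "create the session if the id is unknown" behaviour of the legacy variant are assumptions standing in for the old Rails behaviour; the hardened variant also rotates the id on login, which the release note does not mention but which is the usual companion fix, since ignoring URL ids alone does not help if the attacker can plant a server-issued id in the victim's cookie.

```ruby
require 'securerandom'
require 'cgi'

# In-memory session store standing in for a Rails session store (assumption).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a fresh, server-chosen id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  # Honour a client-supplied id, creating the session if it is unknown.
  # Accepting ids the server never issued is what lets an attacker "fix" it.
  def accept(id)
    @sessions[id] ||= {}
    id
  end

  def [](id)
    @sessions[id]
  end

  # Move the session data to a new server-chosen id and drop the old one.
  def regenerate(old_id)
    data = @sessions.delete(old_id) || {}
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = data
    new_id
  end
end

Request = Struct.new(:query, :cookies)

# Legacy (pre-1.2.4 style, simplified): _session_id in the query string is
# honoured, the cookie is a fallback, and the id survives login unchanged.
class UrlSessionApp
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  def session_id(req)
    url_id = CGI.parse(req.query.to_s)['_session_id']&.first
    id = url_id || req.cookies['_session_id']
    id ? @store.accept(id) : @store.create
  end

  def login(req, user)
    sid = session_id(req)
    @store[sid][:user] = user
    sid
  end

  def current_user(sid)
    (@store[sid] || {})[:user]
  end
end

# Hardened: the query string is ignored, only a cookie carrying an id the
# server actually issued is honoured, and the id is rotated on login.
class CookieSessionApp < UrlSessionApp
  def session_id(req)
    cookie_id = req.cookies['_session_id']
    cookie_id && @store[cookie_id] ? cookie_id : @store.create
  end

  def login(req, user)
    sid = @store.regenerate(session_id(req))
    @store[sid][:user] = user
    sid
  end
end

# Fixation attempt: the attacker gets the victim to use attacker_sid (a link
# with ?_session_id=..., plus the same value in a cookie to give the attack
# its best chance), the victim logs in, and we check whether the attacker's
# id now carries the victim's login. Victim user 'alice' is constructed.
def fixation_succeeds?(app, attacker_sid)
  victim_req = Request.new("_session_id=#{CGI.escape(attacker_sid)}",
                           { '_session_id' => attacker_sid })
  app.login(victim_req, 'alice')
  app.current_user(attacker_sid) == 'alice'
end

if __FILE__ == $PROGRAM_NAME
  [UrlSessionApp, CookieSessionApp].each do |klass|
    app = klass.new
    puts "#{klass}: arbitrary id     -> #{fixation_succeeds?(app, 'attacker-chosen')}"
    puts "#{klass}: server-issued id -> #{fixation_succeeds?(app, app.store.create)}"
  end
end
```

The first scenario (an arbitrary string as the id) is defeated simply by refusing URL ids and unknown ids; the second (an id the server really issued, planted in the victim's cookie) is only defeated by the rotation on login. The trade-off the comments below raise is visible too: the hardened app has no way to keep a session for a client that sends no cookie at all.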
The URL based session implementation was barely supported. You had to manually push the _session_id parameter into basically every link you created. I think we'll be fine, but who knows what people have managed to hack up :)
Am I the only one with customers who work in banks and other paranoid environments that disallow both JavaScript and cookies?
Disabling URL-based sessions is a major problem for me.
Brent Rowland - 9th October 2007 18:39 - #
I'd love to know more about these paranoid environments that disable cookies: surely these days most of the Web (at least as far as applications go) ceases to work for them?
The funny thing about that attitude to security is that disabling cookies forces sites to use URL-based sessions instead, which are painfully insecure in comparison.