How to preserve the session id whether the http request header contains 'Pragma'='no-cache'

Rafa_F · August 4, 2015, 7:42am

The new session id is created when the http request header contains
‘Pragma’=‘no-cache’ on our RoR environment. Our goal is that the session
id is preserved if the http request header contains ‘Pragma’=‘no-cache’.
Please let us know how to preserve the session id.

The detailed sequence is shown below:

The user downloads the Microsoft World file from RoR application, and
opens that file using ‘Protected View’.
The user clicks the url link which is written in that Word file. The
clicked url link points to a page which is located on that RoR
application.
On opening that url link, the http request header contains
‘Pragma’=‘no-cache’, and the new session id is created with the http
response header which contains ‘Set-Cookie’.

If the user opens that file not using ‘Protected View’ on the sequence
1,
the session id is preserved on the sequence 3. The http request header
doesn’t contain ‘Pragma’=‘no-cache’.

The our RoR environment is shown below:

Server:
Rails 3.2.14, and ruby 2.0.0p247 on apache 2.2.29, and unicorn 4.6.3

Clients:
Internet Explorer 8, and MicrosoftOffice 2010 on Windows7 64bit.

Hiroto_Mukouhara · August 5, 2015, 12:53pm

On Tuesday, August 4, 2015 at 6:41:18 AM UTC+1, Hiroto Mukouhara wrote:

doesn’t contain ‘Pragma’=‘no-cache’.

Does the request in 3 have a cookie header?

Fred

Hiroto_Mukouhara · August 5, 2015, 9:33pm

On Tuesday, 4 August 2015 01:41:18 UTC-4, Hiroto Mukouhara wrote:

doesn’t contain ‘Pragma’=‘no-cache’.

I can’t find much documentation for Protected View, but there’s some
indication that it may be fiddling with the context that the web request
uses when you click on the link:

This may be a security restriction to prevent malicious documents from
including hyperlinks to third-party sites that rely on the user’s
existing
cookies to do XSS.

–Matt J.

Hiroto_Mukouhara · August 7, 2015, 9:50am

2015年8月5日水曜日 19時52分01秒 UTC+9 Frederick C.:

The detailed sequence is shown below:
response header which contains ‘Set-Cookie’.

Thank you for your quick response. The request in 3 does not have a
cookie header if the open mode is ‘Protected View’ or not.

Hiroto_Mukouhara · August 7, 2015, 9:50am

2015年8月6日木曜日 4時32分05秒 UTC+9 Matt J.:

The detailed sequence is shown below:
response header which contains ‘Set-Cookie’.

This may be a security restriction to prevent malicious documents from
including hyperlinks to third-party sites that rely on the user’s existing
cookies to do XSS.

–Matt J.

Thanks for your insight. I’ll check the detail of that page.

Hiroto_Mukouhara · August 7, 2015, 10:42am

On Friday, August 7, 2015 at 8:49:20 AM UTC+1, Hiroto Mukouhara wrote:

cookie header if the open mode is ‘Protected View’ or not.

So there’s your problem. if the cookie header is not set then rails
will
think there is no existing session. As Matt says, this is probably a
security thing.

Fred