Rails 2.0.2 broke non-cookie based session support
Non-cookie-based sessions used to work with Rails 1.2.6. I just wasted a couple of hours figuring this out. Some googling reveals Rails 2.0.2 broke this… WTF!?
From the Rails docs:
:cookie_only – if true (the default), session IDs will only be accepted from cookies and not from the query string or POST parameters. This protects against session fixation attacks.
But it doesn’t work!!!
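What the quoted :cookie_only option guards against, as an added example (a simplified model, not Rails source and not code from this post). ToyApp, presented_session_id, fixation_succeeds? and the "_session_id" name are assumptions made for the sketch. It goes one step beyond the quoted doc text by also showing ID regeneration at login, the usual safeguard when session IDs have to be accepted outside cookies.

```ruby
require "securerandom"

SESSION_KEY = "_session_id" # cookie/parameter name assumed for this sketch

# Which session ID is a request allowed to present?
def presented_session_id(request, cookie_only:)
  from_cookie = request.fetch(:cookies, {})[SESSION_KEY]
  return from_cookie if cookie_only || from_cookie
  request.fetch(:params, {})[SESSION_KEY] # query string / POST fallback
end

class ToyApp # hypothetical stand-in for a session-backed application
  def initialize(cookie_only:)
    @cookie_only = cookie_only
    @sessions = {}
  end

  # Returns [id, data]; absent or unknown IDs get a fresh random ID.
  def session_for(request)
    id = presented_session_id(request, cookie_only: @cookie_only)
    id = SecureRandom.hex(16) unless id && @sessions.key?(id)
    [id, (@sessions[id] ||= {})]
  end

  # regenerate: true moves the session to a new ID at login.
  def login(request, user, regenerate: false)
    id, data = session_for(request)
    if regenerate
      @sessions.delete(id)
      id = SecureRandom.hex(16)
      @sessions[id] = data
    end
    data[:user] = user
    id
  end

  def current_user(request)
    session_for(request)[1][:user]
  end
end

# True if an ID known before login still maps to the logged-in session after.
def fixation_succeeds?(cookie_only:, regenerate: false)
  app = ToyApp.new(cookie_only: cookie_only)
  planted, = app.session_for({}) # anonymous ID issued before login
  app.login({ params: { SESSION_KEY => planted } }, "alice", regenerate: regenerate)
  app.current_user({ cookies: { SESSION_KEY => planted } }) == "alice"
end
```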


