I'm developing a facebook app so I can't rely on cookies due to P3P (Privacy Preferences Project) and yep, it's a damn pain (see slides 18 and 19 on this slideshare about Rails and Facebook apps for a picture of it)...
In a facebook app every cookie, from browsers perspective, is a third-party cookie. And many browsers block them by default.
So my question is: How can I implement flash messages without rely on cookies?
UPDATE:
I modified session_store.rb
and the DB accordingly. Now the sessions are stored on DB but the flash messages are still relying on cookies... Any idea please?
UPDATE#2:
I finally found a workaround, see my answer below. Best thing to do would be to ajax everything (according to the above-linked slideshare) but as a quick fix my solution should work.
I finally found a workaround implementing my own (simple) flash messages and passing them through the params from one request to another.
First of all, I overwritten default_url_options
in application_controller.rb
to append to every request a :my_flash param:
def default_url_options
{ :my_flash => @my_flash }
end
Then, always in application_controller.rb
, I wrote a my_flash_from_params
before_filter to set the @my_flash
variable:
def my_flash_from_params
@my_flash = params[:fb_flash]
end
Finally I rendered the following _my_flash.html.erb
partial in application.html.erb
<div class="my_flash">
<%= my_flash %>
</div>
Calling:
<%= render :partial => "layouts/my_flash", :locals => {:my_flash => @my_flash} if @my_flash %>
If you want to try this solution see also this answer about default_url_options rewriting.
Flash messages are built on top of the session. So you could still rely on the flash if you change the session store to use the database. This can be easily done by editing config/initializers/session_store.rb
and following the instructions on that file.
Here's more information on the topic: Action Controller Overview -> Session