Thoughts about Rails 2.0 (from a PHP developer)

I noticed today that Ruby on Rails 2.0 was out; it was quite surprising to find that it had only just reached 2.0. It seems like it has been long enough since it was first introduced that they should be on at least version 3 or 4 by now.

I think it would be best if I started this post with the things I like about Rails 2.0; at least on a conceptual basis – I just don’t get along with Ruby syntax :-)

1. RESTful Web Applications
RoR 2.0 has embraced the idea of REST web services, looking at URLs as resources on which you can perform CRUD actions. Using HTTP auth w/SSL for the web service authentication is something I’ve been tossing around as a good way to do auth for GetFoc.us, but had others suggest against it – now if Rails can do it by default, I feel comfortable doing it too; after all, it’s easy enough to handle from PHP :-). Also, ActiveResource looks similar to what I had planned (and *mostly* did) with the Zend_Rest_(Server|Client) packages for the Zend Framework.

2. XML and JSON serialization
RoR can render the same view in different ways, simply, as either XML (for REST) or JSON (also for REST or, more likely, XHR).

3. Request Profiler
A simple solution for profiling what time was spent where during the lifetime of a request.

However, there are some “wtf” moments when reading the changes:

1. “Unforgeable” Cookie-based Sessions
I’m sorry, but cookies are the LEAST secure form of session management on the face of the PLANET. It seems that RoR 2.0, rather than solving the issue of Session GC, like PHP does automagically, decided to get lazy and have the browser take care of it.

It seems that they are suggesting that you store only the user id in the session cookie… which basically means you have a guessable Session ID and all the data is still stored on the server… just the session (i.e. time before logout) is not handled there.

This just seems like a great way to shoot yourself in the foot.
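For reference, this is what the “unforgeable” part refers to in practice: the cookie store signs the serialized session with an HMAC under a server secret, so the client can read the contents but cannot alter them without the secret. This is an added illustration, not Rails code; `SESSION_SECRET`, `SignedCookieSession` and `tamper_demo` are names made up here, and the secret is a placeholder. Note that signing does nothing for server-side expiry or revocation, which is the gap the post raises above.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Placeholder only; a real deployment uses a long random secret kept out of the repo.
SESSION_SECRET = 'replace-with-a-long-random-secret'.freeze

module SignedCookieSession
  # Serialize the session hash and append an HMAC-SHA1 over the encoded payload.
  # The payload is only base64, not encrypted: anyone holding the cookie can read it.
  def self.encode(session, secret = SESSION_SECRET)
    payload = Base64.strict_encode64(JSON.generate(session))
    digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
    "#{payload}--#{digest}"
  end

  # Verify the signature before trusting anything in the cookie.
  # Returns the session hash, or nil when the cookie is malformed or altered.
  def self.decode(cookie, secret = SESSION_SECRET)
    payload, digest = cookie.split('--', 2)
    return nil if payload.nil? || digest.nil?
    expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
    return nil unless secure_compare(expected, digest)
    JSON.parse(Base64.strict_decode64(payload))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Constant-time comparison so the verification step does not leak the digest byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demonstration: swapping the user id in the payload while keeping the
# original digest fails verification, so the id is readable but not substitutable.
def tamper_demo
  cookie = SignedCookieSession.encode('user_id' => 42)
  _payload, digest = cookie.split('--', 2)
  altered_payload = Base64.strict_encode64(JSON.generate('user_id' => 1))
  altered = "#{altered_payload}--#{digest}"
  { valid: SignedCookieSession.decode(cookie), altered: SignedCookieSession.decode(altered) }
end
```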

2. Security improvements
Whilst I think it’s great they’re thinking about security, I dislike that they are giving the impression that including tokens in your forms/ajax requests is a 100% fix for CSRF; even this is possible to get around. Harder, sure, but not 100% secure.

Eh, that’s pretty much all I have to say on the matter; congrats to the RoR community on this new milestone – see? no ill feelings, I enjoy the “competition” :-P

– Davey

P.S.
Comments are fixed :-)