Disabling session cookie per-request in 2.3

I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.

I understand that the “session :off” option was removed, but not why
or how I am now supposed to prevent this cookie from being set.

Is there a request.session_options value I can set? I didn’t see
anything in the ActionController::Session::CookieStore source.

Thanks!

Ryan

On Mar 11, 1:17 am, Ryan [email protected] wrote:

I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.

I understand that the “session :off” option was removed, but not why
or how I am now supposed to prevent this cookie from being set.

Are you sure it’s actually being set? rails 2.3 is only supposed to
set the session cookie if you’ve actually put something in the
session.

Fred

On Mar 10, 6:25 pm, Frederick C. [email protected]
wrote:

Are you sure it’s actually being set? rails 2.3 is only supposed to
set the session cookie if you’ve actually put something in the
session.

Yeah, it’s definitely being set, and I’ve put nothing in the session.
As it turns out, just accessing a session value (@user_id = session
[:user_id]) is enough to make Rails write the session cookie. This
seems like a bug.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Seem like bug to you?

Ryan

On Mar 11, 1:52 am, Ryan [email protected] wrote:

seems like a bug.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Seem like bug to you?

If previously you had session :off, why are you accessing the session
at all ?
I don’t think rails is trying to be too clever - any use of session
makes rails consider the session to be used (and so in need of
updates)

Fred

On Tue, 2009-03-10 at 18:52 -0700, Ryan wrote:

Yeah, it’s definitely being set, and I’ve put nothing in the session.
As it turns out, just accessing a session value (@user_id = session
[:user_id]) is enough to make Rails write the session cookie. This
seems like a bug.

To me, also.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Testing for an object’s existence should not cause it to come into
being. Kinda pees on the whole REST parade.

On Mar 11, 3:00 am, Frederick C. [email protected]
wrote:

If previously you had session :off, why are you accessing the session
at all ?
I don’t think rails is trying to be too clever - any use of session
makes rails consider the session to be used (and so in need of
updates)

Fred

It used session :off, :if => …

The API is accessed both by the browser (where sessions are used), and
by non-browser clients (where the cookie should not be sent). The
session takes priority; my logic looked like this: (pseudocode)

if user_id = session[:user_id]

authorized by session

elsif api_key = params[:api_key] && api_signature = params
[:api_signature]

authorized by api_key/signature

else

not authorized

end

In Rails 2.3, that first check for a user_id is enough to cause the
session cookie to be written. I believe this is counterintuitive; no
values are stored and the session remains empty, but Rails sets a
session cookie.

It was nice in Rails 2.2 to be able to explicitly disable the session.
In Rails 2.3 if you find a session cookie, you have to track down any
place where you even look at a session value to prevent the cookie
from being set. This is why this still seems like a bug.

Ryan

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs