Disabling session cookie per-request in 2.3


#1

I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.

I understand that the “session :off” option was removed, but not why
or how I am now supposed to prevent this cookie from being set.

Is there a request.session_options value I can set? I didn’t see
anything in the ActionController::Session::CookieStore source.

Thanks!

Ryan


#2

On Mar 11, 1:17 am, Ryan removed_email_address@domain.invalid wrote:

I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.

I understand that the “session :off” option was removed, but not why
or how I am now supposed to prevent this cookie from being set.

Are you sure it’s actually being set? Rails 2.3 is only supposed to
set the session cookie if you’ve actually put something in the
session.

Fred


#3

On Mar 10, 6:25 pm, Frederick C. removed_email_address@domain.invalid
wrote:

Are you sure it’s actually being set? Rails 2.3 is only supposed to
set the session cookie if you’ve actually put something in the
session.

Yeah, it’s definitely being set, and I’ve put nothing in the session.
As it turns out, just accessing a session value
(@user_id = session[:user_id]) is enough to make Rails write the
session cookie. This seems like a bug.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Seem like a bug to you?

Ryan


#4

On Mar 11, 1:52 am, Ryan removed_email_address@domain.invalid wrote:

seems like a bug.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Seem like a bug to you?

If previously you had session :off, why are you accessing the session
at all?
I don’t think Rails is trying to be too clever - any use of session
makes Rails consider the session to be used (and so in need of
updates).

Fred


#5

On Tue, 2009-03-10 at 18:52 -0700, Ryan wrote:

Yeah, it’s definitely being set, and I’ve put nothing in the session.
As it turns out, just accessing a session value
(@user_id = session[:user_id]) is enough to make Rails write the
session cookie. This seems like a bug.

To me, also.

I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.

Testing for an object’s existence should not cause it to come into
being. Kinda pees on the whole REST parade.


#6

On Mar 11, 3:00 am, Frederick C. removed_email_address@domain.invalid
wrote:

If previously you had session :off, why are you accessing the session
at all?
I don’t think Rails is trying to be too clever - any use of session
makes Rails consider the session to be used (and so in need of
updates).

Fred

It used session :off, :if => …

The API is accessed both by the browser (where sessions are used), and
by non-browser clients (where the cookie should not be sent). The
session takes priority; my logic looked like this: (pseudocode)

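    if user_id = session[:user_id]
      # authorized by session
    # parentheses keep the two assignments separate; without them
    # api_key would be assigned the result of the && expression
    elsif (api_key = params[:api_key]) && (api_signature = params[:api_signature])
      # authorized by api_key/signature
    else
      # not authorized
    end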

In Rails 2.3, that first check for a user_id is enough to cause the
session cookie to be written. I believe this is counterintuitive; no
values are stored and the session remains empty, but Rails sets a
session cookie.

It was nice in Rails 2.2 to be able to explicitly disable the session.
In Rails 2.3 if you find a session cookie, you have to track down any
place where you even look at a session value to prevent the cookie
from being set. This is why this still seems like a bug.

Ryan
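
An added example, not written by any poster in this thread and not Rails source: a simplified Ruby model of the behavior described above, where reading a session key is enough to trigger Set-Cookie, next to one possible ordering that reads the session only when the client actually sent the session cookie. LazySession, Request, build_request, the cookie name _app_session and both authorize_* methods are hypothetical names made up for this sketch.

```ruby
# Simplified model (constructed for illustration, not Rails source): a session
# that is loaded lazily and counts as "used" once any key is read.
class LazySession
  attr_reader :touched

  def initialize(stored)
    @stored = stored       # data the session cookie would decode to
    @touched = false
  end

  def [](key)
    @touched = true        # a read alone marks the session as used
    @stored[key]
  end
end

# Hypothetical request object: cookies and params are plain hashes.
Request = Struct.new(:cookies, :params, :session)

SESSION_COOKIE = "_app_session" # assumed cookie name

def build_request(cookies: {}, params: {}, stored: {})
  Request.new(cookies, params, LazySession.new(stored))
end

# Ordering from the thread's pseudocode: always reads the session first.
def authorize_session_first(req)
  return :session if req.session[:user_id]
  return :api_key if req.params[:api_key] && req.params[:api_signature]
  :denied
end

# Guarded ordering: read the session only if the client sent its cookie.
def authorize_guarded(req)
  if req.cookies.key?(SESSION_COOKIE) && req.session[:user_id]
    :session
  elsif req.params[:api_key] && req.params[:api_signature]
    :api_key # signature verification omitted; the thread does not show it
  else
    :denied
  end
end

# In this model, Set-Cookie is emitted whenever the session was touched.
def set_cookie?(req)
  req.session.touched
end
```

With the guarded ordering, a non-browser client that sends only api_key and api_signature never touches the session, so the model emits no cookie for it, while a browser that presents the session cookie is still authorized by session.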