On Mar 11, 3:00 am, Frederick C. [email protected]
If previously you had session :off, why are you accessing the session
at all?
I don’t think Rails is trying to be too clever - any use of session
makes rails consider the session to be used (and so in need of
It used session :off, :if => …
The API is accessed both by the browser (where sessions are used), and
by non-browser clients (where the cookie should not be sent). The
session takes priority; my logic looked like this (pseudocode):

    if user_id = session[:user_id]
      # authorized by session
    elsif api_key = params[:api_key] && api_signature = params
      # authorized by api_key/signature
    end

In Rails 2.3, that first check for a user_id is enough to cause the
session cookie to be written. I believe this is counterintuitive; no
values are stored and the session remains empty, but Rails sets a
It was nice in Rails 2.2 to be able to explicitly disable the session.
In Rails 2.3 if you find a session cookie, you have to track down any
place where you even look at a session value to prevent the cookie
from being set. This is why this still seems like a bug.
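
An added example, not part of the original post and not Rails code: a plain-Ruby model of the behaviour described above, in which any read of the session marks it as used. It keeps the session-first priority but reads the session only when the request carried a session cookie, so cookie-less API clients never trigger it. `LazySession`, the cookie name, `params[:api_signature]`, `params[:payload]` and the HMAC-SHA256 signature scheme are assumptions.

```ruby
require "openssl"

# Constructed stand-in for a lazily loaded session: any read marks it as
# used, which in this model means a session cookie would be sent back.
class LazySession
  attr_reader :touched

  def initialize(data = {})
    @data = data
    @touched = false
  end

  def [](key)
    @touched = true
    @data[key]
  end
end

SESSION_COOKIE = "_app_session"            # hypothetical cookie name
API_SECRETS = { "client-1" => "s3cret" }   # constructed sample key store

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [method, identity]. The session is consulted first, but only
# when the client actually presented a session cookie.
def authorize(cookies, params, session)
  if cookies.key?(SESSION_COOKIE) && (user_id = session[:user_id])
    return [:session, user_id]
  end

  key = params[:api_key]
  sig = params[:api_signature]             # hypothetical parameter name
  secret = API_SECRETS[key]
  if secret && sig
    digest = OpenSSL::Digest.new("SHA256")
    expected = OpenSSL::HMAC.hexdigest(digest, secret, params[:payload].to_s)
    return [:api_key, key] if secure_equal?(expected, sig)
  end

  [:denied, nil]
end
```
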