Prevent creation of session objects for API calls

Hi All,

We use:

config.action_controller.session_store = :active_record_store

However, when hitting our system with, say, 10,000 API requests, we get
10,000 session objects in the database, which seems like a big waste
of resources.

Is there a way to prevent this?

Basically we want API requests to start with an empty in-memory-only
session hash which is dropped after the request finishes. Somewhat
related, we also don’t want to return an HTTP Header Set-Cookie:
_session_id=…etc.

Cheers,
Jimmy

PS. Using Rails 2.3.11

On 15 Feb 2011, at 03:03, Jimmy wrote:

> related, we also don’t want to return an HTTP Header Set-Cookie:
> _session_id=…etc.

Seems to me like you have no need for sessions at all, since you don’t
want the session cookie set.

In your API controller, just put “session :disabled => true” on top.

If you do need sessions, I would suggest just skipping the active
record store sessions completely and either moving on to the
cookie-based store or a memcache store (which will automatically drop
sessions once it hits the memory threshold iirc).

Best regards

Peter De Berdt

> In your API controller, just put “session :disabled => true” on top.

That’s a no-op function; it results in a deprecation warning:

“Disabling sessions for a single controller has been deprecated.
Sessions are now lazy loaded. So if you don’t access them, consider
them off. You can still modify the session cookie options with
request.session_options.”

> If you do need sessions, I would suggest just skipping the active
> record store sessions completely and either moving on to the
> cookie-based store or a memcache store (which will automatically drop
> sessions once it hits the memory threshold iirc).

We do need sessions for browser requests.

We specifically don’t want a cookie based store due to security issues
with that.

Memcache store might be an option, but then it’s still making
unnecessary TCP/IP calls to find, create and update session objects
for API requests which is a waste of resources.

Cheers,
Jimmy

On 15 February 2011 12:06, Jimmy wrote:

>> In your API controller, just put “session :disabled => true” on top.
>
> That’s a no-op function; it results in a deprecation warning:
>
> “Disabling sessions for a single controller has been deprecated.
> Sessions are now lazy loaded. So if you don’t access them, consider
> them off. You can still modify the session cookie options with
> request.session_options.”

What that means, I believe, is that if you do not access the session
then it will not be created. That implies that somewhere in your API
requests you are accessing the session. Find that/them and remove the
access to the session and no session will be created for those
requests.

Colin
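
The lazy-loading behaviour discussed in this thread, as an added example that is not part of the original posts and is not Rails source code: a simplified pure-Ruby model in which a session is persisted and a Set-Cookie header emitted only if request code touched the session, and which records where the first access came from so a stray access in an API path can be located. All class, method and handler names are hypothetical, and the request handlers are constructed for illustration.

```ruby
require 'securerandom'

# Simplified model of a lazily loaded session (hypothetical names throughout).
class LazySession
  attr_reader :first_access

  def initialize(store, sid)
    @store, @sid, @data, @first_access = store, sid, nil, nil
  end

  def loaded?
    !@data.nil?
  end

  def [](key)
    materialize[key]
  end

  def []=(key, value)
    materialize[key] = value
  end

  # Persist and issue a cookie only if the session was touched in this request.
  def commit
    return {} unless loaded?
    @sid ||= SecureRandom.hex(16)
    @store[@sid] = @data
    { 'Set-Cookie' => "_session_id=#{@sid}; path=/; HttpOnly" }
  end

  private

  def materialize
    return @data if @data
    # caller(2, 1): skip this frame and [] / []=, landing on the application code.
    @first_access = caller(2, 1).first
    @data = (@sid && @store[@sid]) || {}
  end
end

# Constructed handlers standing in for controller actions.
def api_action(session)
  'ok' # never touches the session
end

def api_action_with_filter(session)
  session[:last_seen] = 'now' # e.g. a shared filter written for browser requests
  'ok'
end

# Runs one request against the store; returns [body, headers, first access site].
def handle(store, action)
  session = LazySession.new(store, nil)
  body = send(action, session)
  [body, session.commit, session.first_access]
end
```

Running both handlers against the same store leaves it empty for `api_action` and creates one record plus a cookie for `api_action_with_filter`, with `first_access` naming the method that triggered the load.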