Prevent creation of session objects for API calls

Hi All,

We use:

config.action_controller.session_store = :active_record_store

However, when hitting our system with say 10,000 API requests, we get
10,000 session objects in the database. Which seems like a big waste
of resources.

Is there a way to prevent this?

Basically we want API requests to start with an empty in-memory-only
session hash which is dropped after the request finishes. Somewhat
related, we also don’t want to return an HTTP Header Set-Cookie:
_session_id=…etc.

Cheers,
Jimmy

PS. Using rails 2.3.11

On 15 Feb 2011, at 03:03, Jimmy wrote:

> related, we also don’t want to return an HTTP Header Set-Cookie:
> _session_id=…etc.

Seems to me like you have no need for sessions at all, since you don’t
want the session cookie set.

In your API controller, just put “session :disabled => true” on top.

If you do need sessions, I would suggest just skipping the active
record store sessions completely and either moving on to the
cookie-based store or a memcache store (which will automatically drop
sessions once it hits the memory threshold iirc).

Best regards

Peter De Berdt

> In your API controller, just put “session :disabled => true” on top.

That’s a noop function, it results in a deprecation warning:

“Disabling sessions for a single controller has been deprecated.
Sessions are now lazy loaded. So if you don’t access them, consider
them off. You can still modify the session cookie options with
request.session_options.”

> If you do need sessions, I would suggest just skipping the active
> record store sessions completely and either moving on to the
> cookie-based store or a memcache store (which will automatically drop
> sessions once it hits the memory threshold iirc).

We do need sessions for browser requests.

We specifically don’t want a cookie based store due to security issues
with that.

Memcache store might be an option, but then it’s still making
unnecessary tcp/ip calls to find, create and update session objects
for API requests which is a waste of resources.

Cheers,
Jimmy

On 15 February 2011 12:06, Jimmy wrote:

> > In your API controller, just put “session :disabled => true” on top.
>
> That’s a noop function, it results in a deprecation warning:
>
> “Disabling sessions for a single controller has been deprecated.
> Sessions are now lazy loaded. So if you don’t access them, consider
> them off. You can still modify the session cookie options with
> request.session_options.”

What that means, I believe, is that if you do not access the session
then it will not be created. That implies that somewhere in your API
requests you are accessing the session. Find that/them and remove the
access to the session and no session will be created for those
requests.

Colin
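
The lazy-loading behaviour discussed in this thread, as an added example that is not part of any post and is not Rails source code: a simplified model in which a session row is written only when a request touches the session, and the first access is recorded so the offending code can be found. `LazySession`, `serve` and both handlers are hypothetical names, and a plain Hash stands in for the sessions table.

```ruby
# Simplified model of a lazily loaded server-side session (not Rails source).
class LazySession
  attr_reader :first_access

  def initialize(store, sid)
    @store = store
    @sid = sid
    @data = nil
    @first_access = nil
  end

  def [](key)
    loaded_data[key]
  end

  def []=(key, value)
    loaded_data[key] = value
  end

  # Write a row only if the request touched the session; true if one was written.
  def commit
    return false if @data.nil?
    @store[@sid] = @data
    true
  end

  private

  # The first read or write loads the session and records the calling line.
  def loaded_data
    return @data if @data
    @first_access = caller(2, 1).first
    @data = (@store[@sid] || {}).dup
  end
end

# Constructed handlers: one never touches the session, one only reads a key.
def clean_api_handler(_session)
  :ok
end

def leaky_api_handler(session)
  session[:user_id]
  :ok
end

# Serve `count` cookieless requests; return {first-access location => rows written}.
def serve(store, count, handler)
  culprits = Hash.new(0)
  count.times do |i|
    session = LazySession.new(store, "sid-#{i}")
    handler.call(session)
    culprits[session.first_access] += 1 if session.commit
  end
  culprits
end
```

In this model a single read is enough to load the session and produce one stored row per request, and the recorded location names the method that caused it.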
