However, when hitting our system with, say, 10,000 API requests, we get
10,000 session objects in the database, which seems like a big waste
of resources.
Is there a way to prevent this?
Basically we want API requests to start with an empty in-memory-only
session hash which is dropped after the request finishes. Somewhat
related, we also don’t want to return an HTTP Header Set-Cookie:
_session_id=…etc.
> related, we also don’t want to return an HTTP Header Set-Cookie:
> _session_id=…etc.
Seems to me like you have no need for sessions at all, since you don’t
want the session cookie set.
In your API controller, just put “session :disabled => true” on top.
If you do need sessions, I would suggest just skipping the active
record store sessions completely and either moving on to the
cookie-based store or a memcache store (which will automatically drop
sessions once it hits the memory threshold iirc).
> In your API controller, just put “session :disabled => true” on top.
That’s a noop function, it results in a deprecation warning:
“Disabling sessions for a single controller has been deprecated.
Sessions are now lazy loaded. So if you don’t access them, consider
them off. You can still modify the session cookie options with
request.session_options.”
> If you do need sessions, I would suggest just skipping the active
> record store sessions completely and either moving on to the
> cookie-based store or a memcache store (which will automatically drop
> sessions once it hits the memory threshold iirc).
We do need sessions for browser requests.
We specifically don’t want a cookie based store due to security issues
with that.
Memcache store might be an option, but then it’s still making
unnecessary TCP/IP calls to find, create and update session objects
for API requests, which is a waste of resources.
>> In your API controller, just put “session :disabled => true” on top.
> That’s a noop function, it results in a deprecation warning:
> “Disabling sessions for a single controller has been deprecated.
> Sessions are now lazy loaded. So if you don’t access them, consider
> them off. You can still modify the session cookie options with
> request.session_options.”
What that means, I believe, is that if you do not access the session
then it will not be created. That implies that somewhere in your API
requests you are accessing the session. Find that/them and remove the
access to the session and no session will be created for those
requests.
Colin
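
The lazy loading described in the last reply, as an added example that is not part of the thread and is not Rails' own code: a session wrapper that only calls its store on first access and records which caller triggered the load. `TracingLazySession`, `run` and both action methods are hypothetical names, and the store is a constructed stand-in.

```ruby
# Constructed stand-in for a lazily loaded session; not Rails internals.
class TracingLazySession
  attr_reader :loaded_by

  def initialize(sid, &fetch)
    @sid = sid
    @fetch = fetch   # hypothetical store lookup, e.g. a DB or memcache call
    @data = nil      # stays nil until something reads or writes the session
    @loaded_by = nil
  end

  def [](key)
    data[key]
  end

  def []=(key, value)
    data[key] = value
  end

  private

  def data
    return @data if @data
    # Frame 0 is #data, 1 is #[] or #[]=, 2 is the code that touched the session.
    @loaded_by = caller_locations(2, 1).first
    @data = @fetch.call(@sid)
  end
end

def clean_api_action(_session)
  "ok"
end

def leaky_api_action(session)
  session[:last_seen] = "now" # e.g. a shared filter written for browser requests
  "ok"
end

# Runs one simulated request and reports store traffic plus the first accessor.
def run(action)
  loads = 0
  session = TracingLazySession.new("constructed-sid") do |_sid|
    loads += 1
    Hash.new
  end
  send(action, session)
  { loads: loads, culprit: session.loaded_by&.base_label }
end

p run(:clean_api_action)
p run(:leaky_api_action)
```

The `culprit` value is the thing to hunt for in a real application: code on the API request path that reads or writes the session and so forces a store round trip.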