Forum: Ruby on Rails Disabling session cookie per-request in 2.3

Ryan (Guest)
on 2009-03-11 02:24
(Received via mailing list)
I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.

I understand that the "session :off" option was removed, but not why
or how I am now supposed to prevent this cookie from being set.

Is there a request.session_options value I can set? I didn't see
anything in the ActionController::Session::CookieStore source.

Thanks!

Ryan
Frederick Cheung (Guest)
on 2009-03-11 02:25
(Received via mailing list)
On Mar 11, 1:17 am, Ryan <r...@ryanberdeen.com> wrote:
> I need to disable the Set-Cookie: header that Rails 2.3 issues for
> certain requests, when the request is made to my API action from a non-
> browser client.
>
> I understand that the "session :off" option was removed, but not why
> or how I am now supposed to prevent this cookie from being set.
>
Are you sure it's actually being set? Rails 2.3 is only supposed to
set the session cookie if you've actually put something in the
session.

Fred
Ryan (Guest)
on 2009-03-11 02:53
(Received via mailing list)
On Mar 10, 6:25 pm, Frederick Cheung <frederick.che...@gmail.com>
wrote:

> Are you sure it's actually being set? Rails 2.3 is only supposed to
> set the session cookie if you've actually put something in the
> session.

Yeah, it's definitely being set, and I've put nothing in the session.
As it turns out, just accessing a session value
(@user_id = session[:user_id]) is enough to make Rails write the session
cookie. This seems like a bug.

I worked around this by calling session.include? first, but I
shouldn't have to hit the hash twice just to avoid writing the session
cookie.

Seem like a bug to you?

Ryan
bill walton (Guest)
on 2009-03-11 03:48
(Received via mailing list)
On Tue, 2009-03-10 at 18:52 -0700, Ryan wrote:

> Yeah, it's definitely being set, and I've put nothing in the session.
> As it turns out, just accessing a session value
> (@user_id = session[:user_id]) is enough to make Rails write the session
> cookie. This seems like a bug.

To me, also.

> I worked around this by calling session.include? first, but I
> shouldn't have to hit the hash twice just to avoid writing the session
> cookie.

Testing for an object's existence should not cause it to come into
being.  Kinda pees on the whole REST parade.
Frederick Cheung (Guest)
on 2009-03-11 11:01
(Received via mailing list)
On Mar 11, 1:52 am, Ryan <r...@ryanberdeen.com> wrote:
> seems like a bug.
>
> I worked around this by calling session.include? first, but I
> shouldn't have to hit the hash twice just to avoid writing the session
> cookie.
>
> Seem like a bug to you?
>
If previously you had session :off, why are you accessing the session
at all?
I don't think Rails is trying to be too clever - any use of session
makes Rails consider the session to be used (and so in need of
updates).

Fred
Ryan (Guest)
on 2009-03-11 23:04
(Received via mailing list)
On Mar 11, 3:00 am, Frederick Cheung <frederick.che...@gmail.com>
wrote:

> If previously you had session :off, why are you accessing the session
> at all?
> I don't think Rails is trying to be too clever - any use of session
> makes Rails consider the session to be used (and so in need of
> updates).
>
> Fred

It used session :off, :if => ...

The API is accessed both by the browser (where sessions are used), and
by non-browser clients (where the cookie should not be sent). The
session takes priority; my logic looked like this: (pseudocode)

if user_id = session[:user_id]
  # authorized by session
elsif (api_key = params[:api_key]) && (api_signature = params[:api_signature])
  # authorized by api_key/signature
else
  # not authorized
end

In Rails 2.3, that first check for a user_id is enough to cause the
session cookie to be written. I believe this is counterintuitive; no
values are stored and the session remains empty, but Rails sets a
session cookie.

It was nice in Rails 2.2 to be able to explicitly disable the session.
In Rails 2.3 if you find a session cookie, you have to track down any
place where you even look at a session value to prevent the cookie
from being set. This is why this still seems like a bug.

Ryan
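
Added example, not part of the thread and not Rails code: a small Ruby model of the behaviour the posters describe (any read of the session marks it as used, and a used session gets a cookie), with Ryan's checks arranged so the session is read only when the request itself carried a session cookie. `LazySession`, `SESSION_KEY`, `authorize`, `response_headers` and `handle` are hypothetical names, and the cookie name and sample values are constructed.

```ruby
# Constructed model, not Rails source: a session hash that records whether it
# was ever read, standing in for the behaviour described in the thread.
class LazySession
  def initialize(stored = {})
    @stored = stored
    @loaded = false
  end

  def [](key)
    @loaded = true # any read counts as "session used"
    @stored[key]
  end

  def loaded?
    @loaded
  end
end

SESSION_KEY = '_app_session' # hypothetical cookie name

# Same priority as the pseudocode in the thread (session first, then API
# credentials), but the session is consulted only when the client actually
# sent a session cookie, so cookie-less API clients never load it.
def authorize(cookies, params, session)
  if cookies.key?(SESSION_KEY) && (user_id = session[:user_id])
    [:session, user_id]
  elsif (api_key = params[:api_key]) && params[:api_signature]
    [:api_key, api_key] # as in the thread's pseudocode, only presence is checked
  else
    [:denied, nil]
  end
end

# Response headers as the model emits them: a cookie only if the session loaded.
def response_headers(session)
  session.loaded? ? { 'Set-Cookie' => "#{SESSION_KEY}=..." } : {}
end

# Runs one request through the model; returns [auth result, headers].
def handle(cookies, params, stored = {})
  session = LazySession.new(stored)
  result = authorize(cookies, params, session)
  [result, response_headers(session)]
end
```
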