I need to disable the Set-Cookie: header that Rails 2.3 issues for
certain requests, when the request is made to my API action from a non-
browser client.
I understand that the “session :off” option was removed, but not why
or how I am now supposed to prevent this cookie from being set.
Is there a request.session_options value I can set? I didn’t see
anything in the ActionController::Session::CookieStore source.
> I need to disable the Set-Cookie: header that Rails 2.3 issues for
> certain requests, when the request is made to my API action from a
> non-browser client.
> I understand that the “session :off” option was removed, but not why
> or how I am now supposed to prevent this cookie from being set.
Are you sure it’s actually being set? Rails 2.3 is only supposed to
set the session cookie if you’ve actually put something in the
session.
> Are you sure it’s actually being set? Rails 2.3 is only supposed to
> set the session cookie if you’ve actually put something in the
> session.
Yeah, it’s definitely being set, and I’ve put nothing in the session.
As it turns out, just accessing a session value
(@user_id = session[:user_id]) is enough to make Rails write the
session cookie. This seems like a bug.
I worked around this by calling session.include? first, but I
shouldn’t have to hit the hash twice just to avoid writing the session
cookie.
> I worked around this by calling session.include? first, but I
> shouldn’t have to hit the hash twice just to avoid writing the session
> cookie.
Seem like a bug to you?
If previously you had session :off, why are you accessing the session
at all?
I don’t think Rails is trying to be too clever - any use of session
makes Rails consider the session to be used (and so in need of
updates)
> Yeah, it’s definitely being set, and I’ve put nothing in the session.
> As it turns out, just accessing a session value
> (@user_id = session[:user_id]) is enough to make Rails write the
> session cookie. This seems like a bug.
To me, also.
> I worked around this by calling session.include? first, but I
> shouldn’t have to hit the hash twice just to avoid writing the session
> cookie.
Testing for an object’s existence should not cause it to come into
being. Kinda pees on the whole REST parade.
> If previously you had session :off, why are you accessing the session
> at all?
> I don’t think Rails is trying to be too clever - any use of session
> makes Rails consider the session to be used (and so in need of
> updates)
> Fred
It used session :off, :if => …
The API is accessed both by the browser (where sessions are used), and
by non-browser clients (where the cookie should not be sent). The
session takes priority; my logic looked like this: (pseudocode)
In Rails 2.3, that first check for a user_id is enough to cause the
session cookie to be written. I believe this is counterintuitive; no
values are stored and the session remains empty, but Rails sets a
session cookie.
It was nice in Rails 2.2 to be able to explicitly disable the session.
In Rails 2.3 if you find a session cookie, you have to track down any
place where you even look at a session value to prevent the cookie
from being set. This is why this still seems like a bug.
Ryan
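
Added example (not from the thread and not Rails' own code): one way to get the effect asked for above without tracking down every session read is a Rack middleware that drops the session's Set-Cookie header for API requests that arrived without a session cookie. The cookie name `_app_session`, the `/api/` prefix and the sample app are assumptions made up for the example.

```ruby
# Added example. SESSION_KEY and API_PREFIX are assumed names; substitute
# the application's own session cookie name and API path prefix.
class StripApiSessionCookie
  SESSION_KEY = '_app_session'  # hypothetical session cookie name
  API_PREFIX  = '/api/'         # hypothetical prefix of the API actions

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = strip_session_cookie(headers) if cookieless_api_request?(env)
    [status, headers, body]
  end

  # True for API paths where the client presented no session cookie, i.e. a
  # non-browser client. Browsers that already hold a session keep theirs.
  def cookieless_api_request?(env)
    return false unless env['PATH_INFO'].to_s.start_with?(API_PREFIX)
    sent = env['HTTP_COOKIE'].to_s.split(/;\s*/).map { |c| c.split('=', 2).first }
    !sent.include?(SESSION_KEY)
  end

  # Removes only the session cookie and keeps any other Set-Cookie values.
  # Accepts the header as a newline-joined String or as an Array.
  def strip_session_cookie(headers)
    out = {}
    headers.each do |name, value|
      unless name.downcase == 'set-cookie'
        out[name] = value
        next
      end
      lines = Array(value).flat_map { |v| v.to_s.split("\n") }
      kept  = lines.reject { |l| l.start_with?("#{SESSION_KEY}=") }
      next if kept.empty?
      out[name] = value.is_a?(Array) ? kept : kept.join("\n")
    end
    out
  end
end

# Constructed stand-in for an app that always emits a session cookie.
DEMO_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json',
          'Set-Cookie' => '_app_session=constructed-value; path=/; HttpOnly' },
   ['{}']]
end
```

The middleware has to wrap the session middleware, because it removes the header as the response passes back out.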