Rails 3 disabling session cookies

梦如初夏 2020-11-30 00:06

I have a RESTful API written on RoR 3. I have to make my application not send the "Set-Cookie header" (clients are authorizing using the auth_token parameter).

I have tri

10 answers
  • 2020-11-30 00:28

    Use the built in option.

    env['rack.session.options'][:skip] = true
    

    or the equivalent

    request.session_options[:skip] = true
    

    You can find the documentation for it here https://github.com/rack/rack/blob/master/lib/rack/session/abstract/id.rb#L213

  • 2020-11-30 00:28

    Further to John's answer, if you are using CSRF protection you would need to turn that off for web service requests. You can add the following as a protected method in your application controller:

      def protect_against_forgery?
        unless request.format.xml? or request.format.json?
          super
        end
      end
    

    This way HTML requests still use CSRF (or not - depends on config.action_controller.allow_forgery_protection = true/false in the environment).

  • 2020-11-30 00:32

    I myself truly missed being able to declaratively turn off sessions (using session :off)

    ... thus I brought it "back" - use it just like in plain-old-rails (<= 2.2) :

    Then of course this might require some additional Devise-specific hacking of your own, since session_off might cause session == nil in a controller, and most Rails extensions since 2.3 simply assume a lazy session that shall never be nil.

    https://github.com/kares/session_off

  • 2020-11-30 00:34
    # frozen_string_literal: true
    
    module Api
      module Web
        module Base
          class WebApiApplicationController < ApplicationController
    
            include DeviseTokenAuth::Concerns::SetUserByToken
            include Api::Concerns::ErrorsConcern
    
            devise_token_auth_group :user, contains: %i[api_web_v1_user]
            respond_to :json
            serialization_scope :current_user
    
            before_action :METHOD_NAME
    
            private
    
            def METHOD_NAME
              request.session_options[:skip] = true
            end
    
          end
        end
      end
    end
    

    It's working for me.

  • 2020-11-30 00:40

    Try this instead

    after_filter :skip_set_cookies_header
    
    def skip_set_cookies_header
      session.instance_variable_set('@loaded', false)
    end
    

    Or even better, always remove Set-Cookie header when session data did not change

    before_filter :session_as_comparable_array # first before_filter
    after_filter :skip_set_cookies_header      # last  after_filter
    
    def session_as_comparable_array(obj = session)
      @session_as_comparable_array = case obj
      when Hash
        obj.keys.sort_by(&:to_s).collect{ |k| [k, session_as_comparable_array(obj[k])] }
      when Array
        obj.sort_by(&:to_s).collect{ |k| session_as_comparable_array(k) }
      else
        obj
      end
    end
    
    def skip_set_cookies_header
      session.instance_variable_set('@loaded', false) if (@session_as_comparable_array == session_as_comparable_array)
    end
    
  • 2020-11-30 00:41

    Imo the best approach is to simply remove the cookie session store middleware.

    To do so, add this to your application.rb (or to a specific environment if needed):

    # No session store
    config.middleware.delete ActionDispatch::Session::CookieStore
    
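The `:skip` option from the first answer, applied at the middleware level for an API path prefix, with a regression check that no `Set-Cookie` header leaves the stack. This is an added example, not code from the thread: `SkipApiSession`, `ToySessionStore`, `set_cookie_sent?` and the `/api/` prefix are hypothetical, and `ToySessionStore` is a constructed stand-in for a cookie session store, assumed to reset `rack.session.options` on each request and to honour `:skip` when committing.

```ruby
# Added example: plain Ruby, Rack calling convention only (no gems needed).
# SkipApiSession, ToySessionStore and set_cookie_sent? are hypothetical names.

# Marks requests under an API prefix so the session store will not commit.
class SkipApiSession
  def initialize(app, prefix: '/api/')
    @app = app
    @prefix = prefix
  end

  def call(env)
    if env['PATH_INFO'].to_s.start_with?(@prefix)
      # The same option the first answer sets from a controller.
      (env['rack.session.options'] ||= {})[:skip] = true
    end
    @app.call(env)
  end
end

# Constructed stand-in for a cookie session store: resets the options on the
# way in and writes the cookie on the way out unless :skip was set meanwhile.
class ToySessionStore
  def initialize(app)
    @app = app
  end

  def call(env)
    env['rack.session.options'] = { path: '/' }
    status, headers, body = @app.call(env)
    unless env['rack.session.options'][:skip]
      headers = headers.merge('set-cookie' => '_app_session=constructed; path=/; HttpOnly')
    end
    [status, headers, body]
  end
end

# Regression check: does a request to +path+ come back with Set-Cookie?
def set_cookie_sent?(stack, path)
  _status, headers, _body = stack.call('PATH_INFO' => path)
  headers.keys.any? { |name| name.to_s.casecmp?('set-cookie') }
end

ENDPOINT = ->(_env) { [200, { 'content-type' => 'application/json' }, ['{}']] }

# Correct order: the store wraps the skip middleware, so it sees :skip on the way out.
INSIDE_STORE = ToySessionStore.new(SkipApiSession.new(ENDPOINT))
# Wrong order: the store resets the options after :skip was set, so the cookie is still sent.
OUTSIDE_STORE = SkipApiSession.new(ToySessionStore.new(ENDPOINT))
```

In a Rails app where `ActionDispatch::Session::CookieStore` is the session store, the equivalent placement would be `config.middleware.insert_after ActionDispatch::Session::CookieStore, SkipApiSession`, so the skip flag is set inside the store rather than before it.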