I need to disable the Set-Cookie: header that Rails 2.3 issues for certain requests, when the request is made to my API action from a non- browser client. I understand that the "session :off" option was removed, but not why or how I am now supposed to prevent this cookie from being set. Is there a request.session_options value I can set? I didn''t see anything in the ActionController::Session::CookieStore source. Thanks! Ryan --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Mar 11, 1:17 am, Ryan <r...-cLlpHuSv+x3NJ03IaDAcPg@public.gmane.org> wrote:> I need to disable the Set-Cookie: header that Rails 2.3 issues for > certain requests, when the request is made to my API action from a non- > browser client. > > I understand that the "session :off" option was removed, but not why > or how I am now supposed to prevent this cookie from being set. >Are you sure it''s actually being set? rails 2.3 is only supposed to set the session cookie if you''ve actually put something in the session. Fred> Is there a request.session_options value I can set? I didn''t see > anything in the ActionController::Session::CookieStore source. > > Thanks! > > Ryan--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Mar 10, 6:25 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Are you sure it''s actually being set? rails 2.3 is only supposed to > set the session cookie if you''ve actually put something in the > session.Yeah, it''s definitely being set, and I''ve put nothing in the session. As it turns out, just accessing a session value (@user_id = session [:user_id]) is enough to make Rails write the session cookie. This seems like a bug. I worked around this by calling session.include? first, but I shouldn''t have to hit the hash twice just to avoid writing the session cookie. Seem like bug to you? Ryan --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Tue, 2009-03-10 at 18:52 -0700, Ryan wrote:> Yeah, it''s definitely being set, and I''ve put nothing in the session. > As it turns out, just accessing a session value (@user_id = session > [:user_id]) is enough to make Rails write the session cookie. This > seems like a bug.To me, also.> I worked around this by calling session.include? first, but I > shouldn''t have to hit the hash twice just to avoid writing the session > cookie.Testing for an object''s existence should not cause it to come into being. Kinda pees on the whole REST parade. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Mar 11, 1:52 am, Ryan <r...-cLlpHuSv+x3NJ03IaDAcPg@public.gmane.org> wrote:> On Mar 10, 6:25 pm, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > wrote: > > > Are you sure it''s actually being set? rails 2.3 is only supposed to > > set the session cookie if you''ve actually put something in the > > session. > > Yeah, it''s definitely being set, and I''ve put nothing in the session. > As it turns out, just accessing a session value (@user_id = session > [:user_id]) is enough to make Rails write the session cookie. This > seems like a bug. > > I worked around this by calling session.include? first, but I > shouldn''t have to hit the hash twice just to avoid writing the session > cookie. > > Seem like bug to you? >If previously you had session :off, why are you accessing the session at all ? I don''t think rails is trying to be too clever - any use of session makes rails consider the session to be used (and so in need of updates) Fred> Ryan--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On Mar 11, 3:00 am, Frederick Cheung <frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> If previously you had session :off, why are you accessing the session > at all ? > I don''t think rails is trying to be too clever - any use of session > makes rails consider the session to be used (and so in need of > updates) > > FredIt used session :off, :if => ... The API is accessed both by the browser (where sessions are used), and by non-browser clients (where the cookie should not be sent). The session takes priority; my logic looked like this: (pseudocode) if user_id = session[:user_id] # authorized by session elsif api_key = params[:api_key] && api_signature = params [:api_signature] # authorized by api_key/signature else # not authorized end In Rails 2.3, that first check for a user_id is enough to cause the session cookie to be written. I believe this is counterintuitive; no values are stored and the session remains empty, but Rails sets a session cookie. It was nice in Rails 2.2 to be able to explicitly disable the session. In Rails 2.3 if you find a session cookie, you have to track down any place where you even look at a session value to prevent the cookie from being set. This is why this still seems like a bug. Ryan --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---