Prevent Sending Ruby on Rails Session Header

Question

Prevent Sending Ruby on Rails Session Header

How to prevent Rails from always sending a session header (Set-Cookie). This is a security issue if the application also sends the Cache-Control: public header.

My application affects (but does not modify) the session hash in some / most actions. Closed content is not displayed on these pages, so I want them to be cachable, but Rails always sends the cookie header, regardless of whether the previous hash is different from the previous one or not.

I want to achieve only sending a hash if it is different from the one received from the client. How can you do this? And probably this fix should also be part of the official Rails release? What do you think?

+3

caching ruby-on-rails session

hurikhan77 24 sept '09 at 19:51

source share

3 answers

casey · Answer 1 · 2010-03-15T20:59:51+0000

Rails only adds session cookie data to the Set-Cookie header if it has been affected. Perhaps you are setting things to the values that they already contain - they are not intelligent enough to check if the data is really different.

to change . My answer is a bit misleading. When you use the cookie session store, a new cookie is set if the cookie value (after Marshaling) changes.

Cm. actionpack/lib/action_controller/session/cookie_store.rb

Darwin · Answer 2 · 2012-08-30T20:44:32+0000

For Rails 3 use this.

env['rack.session.options'][:skip] = true

or equivalent

request.session_options[:skip] = true

Here you can find the documentation http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html

allesklar · Answer 3 · 2009-09-25T06:46:03+0000

:

config.action_controller.session_store = :nil_session_store

. .

Prevent Sending Ruby on Rails Session Header

More articles: