tags:

views:

212

answers:

2
+1  Q: 

Prevent Ruby on Rails from sending the session header

How do I prevent Rails from always sending the session header (Set-Cookie). This is a security problem if the application also sends the Cache-Control: public header.

My application touches (but does not modify) the session hash in some/most actions. These pages display no private content so I want them to be cacheable - but Rails always sends the cookie header, no matter if the sent session hash is different from the previous or not.

What I want to achieve is to only send the hash if it is different from the one received from the client. How can you do that? And probably that fix should also go into official Rails release? What do you think?

A: 

Here is the crucial line:

config.action_controller.session_store = :nil_session_store

See the whole post.

allesklar  2009-09-25 06:46:03
Hmm well, but I actually need a session store. I just don't want Rails to send the Set-Cookie response header if it does not differ from the hash that the client sent with the corresponding request header.
hurikhan77  2009-09-25 07:55:38
-1 The question was not to have no session store at all
hurikhan77  2010-03-16 15:20:38
+1  A: 

Rails only adds the session cookie data to the Set-Cookie header if it has been touched. You might be setting things to the values that they already contain - it's not smart enough to check to see if the data is actually different.

edit My response is a little misleading. When you are using the cookie session store, a new cookie is set if the cookie value (after Marshaling) changes.

See actionpack/lib/action_controller/session/cookie_store.rb

casey  2010-03-15 20:59:51
Yeah I already suspected that... Does "touching" in this sense also mean reading from the session hash? +1 for supporting my suspicion
hurikhan77  2010-03-16 15:18:48
Reading is okay. Check out CGI::Session::CookieStore#close in actionpack/lib/action_controller/session/cookie_store.rb
casey  2010-03-17 02:15:17

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.