I have a Rails controller I don't ever want to set a cookie. In production, all its actions are basically page cached and served as static files. But in development its responses are generated on each request so that we can change things on the fly and test it out.
The problem is that when we have parallel requests that change cookie data this falls apart. In the client code that uses this API we are having a problem with session cookies if the requests are made in parallel. It's a race condition where the request that completes last sets its cookie, overwriting whatever was there before.
- req A starts for session creation
- req B starts for static file
- req A completes for session creation, sets updated and authenticated session cookie
- req B completes for static file, and in dev mode sets the cookie it started with overwriting the new session state from req A.
So I need to turn off sessions completely from the controller that serves req B.
I've tried `session :off` in the controller, but that seems to have been deprecated in Rails 2.3 (what we are currently using). When I do a `curl -I http://localhost:3000/my/path` it still shows the `Set-Cookie` header in the response. The docs simply say that if you don't use the session, it won't load it. But it's still setting that cookie.
Long story short: I need a way to force my controller to NOT send a `Set-Cookie` header in its response, ever, so that the controller's response in development mode better matches production behavior.
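
The timeline in the question, replayed as an added example (not part of the original post and not Rails' own code): a plain-Ruby simulation of the cookie overwrite, and a Rack-style middleware that drops `Set-Cookie` for a path prefix. `StripSetCookie`, `DEV_APP`, `replay`, the `/session` path and the cookie values are all constructed for illustration.

```ruby
# Rack-style middleware (hypothetical name): removes Set-Cookie from any
# response whose request path starts with one of the given prefixes.
class StripSetCookie
  def initialize(app, prefixes)
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    if @prefixes.any? { |p| env["PATH_INFO"].start_with?(p) }
      headers = headers.reject { |name, _| name.downcase == "set-cookie" }
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the dev-mode app: /session issues an authenticated
# cookie; every other path re-sends the cookie the request arrived with.
DEV_APP = lambda do |env|
  if env["PATH_INFO"] == "/session"
    [200, { "Set-Cookie" => "_session=authenticated" }, ["ok"]]
  else
    [200, { "Set-Cookie" => env["HTTP_COOKIE"].to_s }, ["static"]]
  end
end

# Replays the question's timeline: req A and req B both start with the same
# cookie, A completes first, B completes last. Returns the client's cookie jar.
def replay(app)
  jar = "_session=anonymous"
  env_a = { "PATH_INFO" => "/session", "HTTP_COOKIE" => jar }
  env_b = { "PATH_INFO" => "/my/path", "HTTP_COOKIE" => jar }
  [env_a, env_b].each do |env| # completion order: A, then B
    _status, headers, _body = app.call(env)
    cookie = headers.find { |name, _| name.downcase == "set-cookie" }
    jar = cookie[1] if cookie # last Set-Cookie to arrive wins
  end
  jar
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{replay(DEV_APP)}"
  puts "filtered:   #{replay(StripSetCookie.new(DEV_APP, ['/my/']))}"
end
```

A filter like this only works if it is mounted outside whatever layer writes the session cookie, so that the header already exists when the filter sees the response.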