Rails 3 Disabling Session Cookies

Rails 3 disabling session cookies

As is mentioned in a comment on John's answer, clearing the session will not prevent the session cookie from being sent. If you wish to totally remove the cookie from being sent, you have to use Rack middleware.

    class CookieFilter
      def initialize(app)
        @app = app
      end

      def call(env)
        status, headers, body = @app.call(env)

        # use only one of the next two lines

        # this will remove ALL cookies from the response
        headers.delete 'Set-Cookie'
        # this will remove just your session cookie
        Rack::Utils.delete_cookie_header!(headers, '_app-name_session')

        [status, headers, body]
      end
    end

Use it by creating an initializer with the following body:

    Rails.application.config.middleware.insert_before ::ActionDispatch::Cookies, ::CookieFilter

To prevent the cookie filter from ending up in application stack traces, which can be utterly confusing at times, you may want to silence it in the backtrace (assuming you put it in lib/cookie_filter.rb):

    Rails.backtrace_cleaner.add_silencer { |line| line.start_with? "lib/cookie_filter.rb" }

How to prevent Rails from sending cookie _appname_session to mobile clients (disable cookies)?

This solution: Rails 3 disabling session cookies worked for me.

I ended up setting a middleware:

    module MyApp
      class MobileClientsCookieFilter
        def initialize(app)
          @app = app
        end

        def call(env)
          status, headers, body = @app.call(env)

          request = Rack::Request.new env

          # treat the request as coming from a mobile client when the 'device'
          # parameter is present (add any other mobile-client checks here)
          if request.params['device'].present?
            headers.delete 'Set-Cookie'
          end

          [status, headers, body]
        end
      end
    end

and within application.rb

    config.middleware.insert_before ::ActionDispatch::Cookies, MyApp::MobileClientsCookieFilter

It looks like a similar solution is also possible: subclass ActionDispatch::Cookies, call super for web clients and do nothing for mobile clients, then swap this custom middleware in for the original ActionDispatch::Cookies. Implemented this way, no cookies would be created/generated at all for mobile clients.
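The two answers above either drop every Set-Cookie header or rely on Rack::Utils to expire the session cookie. The following is an added example, not code from either answer: a Rack-style middleware (no Rack gem needed, since the protocol is just call(env) returning [status, headers, body]) that strips only the named session cookie, only for requests that carry the 'device' parameter, and leaves unrelated cookies in place. The class name SessionCookieFilter, the cookie name '_app-name_session' (taken from the first answer) and the inner app are assumptions constructed for the demonstration.

```ruby
class SessionCookieFilter
  # Handles both String ("a\nb", Rack 1.x) and Array (Rack 3) Set-Cookie forms.
  def initialize(app, cookie_name:, mobile_param: 'device')
    @app = app
    @cookie_name = cookie_name
    @mobile_param = mobile_param
  end

  def call(env)
    status, headers, body = @app.call(env)
    strip_session_cookie!(headers) if mobile_client?(env)
    [status, headers, body]
  end

  private

  # Treat the request as mobile when the query string carries the device
  # parameter (mirrors request.params['device'] in the second answer).
  def mobile_client?(env)
    env['QUERY_STRING'].to_s.split('&').any? { |pair| pair.split('=', 2).first == @mobile_param }
  end

  # Drop only the cookie whose name matches; other cookies stay untouched.
  def strip_session_cookie!(headers)
    raw = headers['Set-Cookie']
    return if raw.nil?
    cookies = raw.is_a?(Array) ? raw : raw.split("\n")
    kept = cookies.reject { |c| c.split('=', 2).first.strip == @cookie_name }
    if kept.empty?
      headers.delete('Set-Cookie')
    else
      headers['Set-Cookie'] = raw.is_a?(Array) ? kept : kept.join("\n")
    end
  end
end

# Constructed inner app: sets the session cookie plus an unrelated cookie.
INNER_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/plain',
          'Set-Cookie' => "_app-name_session=abc123; path=/; HttpOnly\nremember_me=1; path=/" },
   ['ok']]
end

FILTER = SessionCookieFilter.new(INNER_APP, cookie_name: '_app-name_session')

# Names of the cookies a client would receive for the given query string.
def cookies_sent(query_string)
  _status, headers, _body = FILTER.call('QUERY_STRING' => query_string, 'PATH_INFO' => '/')
  headers['Set-Cookie'].to_s.split("\n").map { |c| c.split('=', 2).first }
end
```

Unlike Rack::Utils.delete_cookie_header!, this removes the header entry outright rather than replacing it with an already-expired cookie, so a cookie the client already holds is not cleared.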

Disabling :cookie_only in the session store in Rails 3?

If anyone else is in the same boat I was, it looks like it is impossible to use the :cookie_only option in Rails 3 without serious modification to the Rails code itself. And with good reason, because using it really is a bad idea from a security standpoint.

If you are also having problems with using cookies in PhoneGap on the iPhone, take a look at this question; it solved our problem and obviated the need for the :cookie_only option: phonegap: cookie based authentication (PHP) not working [webview]

Disable Cookies on initial page load until user agrees to use them

The cookie law has since been modified, so this is not quite necessary any more; you only need to let the user know that you will be using cookies.

The organisation that enforces this is the ICO, which doesn't ask for permission for cookies on their site:

http://www.ico.org.uk/

Suggest you follow this pragmatic approach.

If you are wanting to comply as per your question I did some work on this a while back for rails projects which should be a decent starting point:
https://github.com/yule/threepwood

Devise Custom Strategies: Still Setting Session Cookies

You can prevent the creation of a session, as described here.

Prevent session creation on rails 3.2.2 for RESTful api

    resource = warden.authenticate!(:scope => resource_name, :store => !(request.format.xml? || request.format.json?))

For some other options, please consider Rails 3 disabling session cookies.

Force-disabling cookies in Ruby on Rails 4 (European Union Legislation) until user (re-)accepts ToS

You can do this by creating a before_filter in your ApplicationController:

    class ApplicationController < ActionController::Base
      before_filter :validate_toc!

      private

      def validate_toc!
        # check if guest user has not already accepted the toc from session
        # (user_logged_in? is an application-defined helper; the controller that
        # serves toc_path must skip this filter, otherwise the redirect loops)
        redirect_to toc_path, alert: 'Please accept ToC to continue.' if session[:tos].nil? || !user_logged_in?
      end
    end

Note: session[:tos] is where you set the value when the user accepts the ToS. toc_path should be set in routes.rb, for example like this:

    get '/path/to/toc' => 'pages#toc', :as => :toc
