Rails 3 disabling session cookies
As is mentioned in a comment on John's answer, clearing the session will not prevent the session cookie from being sent. If you wish to totally remove the cookie from being sent, you have to use Rack middleware.
class CookieFilter
def initialize(app)
@app = app
end
def call(env)
status, headers, body = @app.call(env)
# use only one of the next two lines
# this will remove ALL cookies from the response
headers.delete 'Set-Cookie'
# this will remove just your session cookie
Rack::Utils.delete_cookie_header!(headers, '_app-name_session')
[status, headers, body]
end
end
Use it by creating an initializer with the following body:
Rails.application.config.middleware.insert_before ::ActionDispatch::Cookies, ::CookieFilter
To prevent the cookie filter to end up in application stack traces, which can be utterly confusing at times, you may want to silence it in the backtrace (Assuming you put it in lib/cookie_filter.rb
):
Rails.backtrace_cleaner.add_silencer { |line| line.start_with? "lib/cookie_filter.rb" }
How to prevent Rails from sending cookie _appname_session to mobile clients (disable cookies)?
This solution: Rails 3 disabling session cookies worked for me.
I ended up setting a middleware:
module MyApp
class MobileClientsCookieFilter
def initialize(app)
@app = app
end
def call(env)
status, headers, body = @app.call(env)
request = Rack::Request.new env
if request.params['device'].present? or any other mobile clients checks ok?
headers.delete 'Set-Cookie'
end
[status, headers, body]
end
end
end
and within application.rb
config.middleware.insert_before ::ActionDispatch::Cookies, MyApp::MobileClientsCookieFilter
Looks like similar solution is also possible: to subclass ActionDispatch::Cookies, in case of web clients do super call and do nothing there in case of mobile clients. Then to swap this custom middleware with original ActionDispatch::Cookies. Having it implemented this way no cookies would be created/generated at all for mobile clients.
Disabling :cookie_only in the session store in Rails 3?
If anyone else is is the same boat I was, it looks like it is impossible to use the :cookie_only
option in Rails 3 without serious modification to the Rails code itself. And with good reason, because using it really is a bad idea from a security standpoint.
If you are also having problems with using cookies in PhoneGap on the iPhone, take a look at this question, it solved our problem and obviated the need for the :cookie_only
options: phonegap: cookie based authentication (PHP) not working [webview]
Disable Cookies on initial page load until user agrees to use them
The cookie law has since been modified, so this is not quite necessary any more, you only need to let the user know that they you will be using cookies.
The organisation that enforces this is the ico, which doesn't ask for permission for cookies on their site:
http://www.ico.org.uk/
Suggest you follow this pragmatic approach.
If you are wanting to comply as per your question I did some work on this a while back for rails projects which should be a decent starting point:
https://github.com/yule/threepwood
Devise Custom Strategies: Still Setting Session Cookies
You can prevent the creation of a session, like described in here.
Prevent session creation on rails 3.2.2 for RESTful api
resource = warden.authenticate!(:scope => resource_name, :store => !(request.format.xml? || request.format.json?))
For some other options, please consider Rails 3 disabling session cookies.
Force-disabling cookies in Ruby on Rails 4 (European Union Legislation) until user (re-)accepts ToS
You can do this by creating a before_filter
in your ApplicationController
:
class ApplicationController < ActionController::Base
before_filter :validate_toc!
private
def validate_toc!
# check if guest user has not already accepted the toc from session
redirect_to toc_path, alert: 'Please accept ToC to continue.' if sesion[:tos].nil? || !user_logged_in?
end
end
Note: sesion[:tos]
is where you set value when user accepts ToS. toc_path
should be set in routes.rb, for example like this:
get '/path/to/toc' => 'pages#toc', :as => :toc
Related Topics
How to Use Activerecord in a Ruby Script Outside Rails
Ruby - Difference Between Array#≪≪ and Array#Push
Execute Bash Commands from a Rakefile
How to Assign Hash['A']['B']= 'C' If Hash['A'] Doesn't Exist
How to Run Untrusted Ruby Code Inside a Safe Sandbox
Fork Child Process with Timeout and Capture Output
A Method with an Optional Parameter
Rails Attachments Inline Are Not Shown Correctly in Gmail
What Is Java Interface Equivalent in Ruby
Using Rails Migration on Different Database Than Standard "Production" or "Development"
Ruby Regular Expression to Match a Url
How to Read Lines of a File in Ruby
How to Run Rake Tasks Within a Ruby Script
Rails Engines Extending Functionality
Shortcut to Make Case/Switch Return a Value