Prevent Ruby on Rails from sending the session header

Question

How do I prevent Rails from always sending the session header (Set-Cookie). This is a security problem if the application also sends the Cache-Control: public header.

My application touches (but does not modify) the session hash in some/most actions. These pages display no private content so I want them to be cacheable - but Rails always sends the cookie header, no matter if the sent session hash is different from the previous or not.

What I want to achieve is to only send the hash if it is different from the one received from the client. How can you do that? And probably that fix should also go into official Rails release? What do you think?

Answer 1

For Rails 3 then use this.

env['rack.session.options'][:skip] = true

or the equivalent

request.session_options[:skip] = true

You can find the documentation for it here http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html

Answer 2

Rails only adds the session cookie data to the Set-Cookie header if it has been touched. You might be setting things to the values that they already contain - it's not smart enough to check to see if the data is actually different.

edit My response is a little misleading. When you are using the cookie session store, a new cookie is set if the cookie value (after Marshaling) changes.

See actionpack/lib/action_controller/session/cookie_store.rb

Answer 3

Here is the crucial line:

config.action_controller.session_store = :nil_session_store

See the whole post.