Rails 3禁用会话Cookie [英] Rails 3 disabling session cookies

问题描述

我有在RoR 3上写的RESTful API。
我必须让我的应用程序不发送Set-Cookie头（客户端正在使用auth_token参数授权）。

我试图使用 session：off 和 reset_session 但没有任何意义。
我使用 devise 作为验证框架。

这是我的ApplicationController

  class ApplicationController< ActionController :: Base 
 before_filter：reset_session＃，：unless => ：session_required？ 
 session：off＃，：unless => ：session_required？ 
 
 skip_before_filter：verify_authenticity_token 
 before_filter：access_control_headers！ 
 
 def options 
 render：text => 
 end 
 
 private 
 def access_control_headers！ 
 response.headers [Access-Control-Allow-Methods] =GET，POST，PUT，DELETE， OPTIONS
 response.headers [Access-Control-Allow-Credentials] =true
 response.headers [Access-Control-Allow-Headers] =Content-type
 end 
 
 def session_required？ 
！（params [：format] =='xml'or params [：format] =='json'）
 end 
 end 
  / pre> 
 
解决方案
正如在对John的回答的评论中提到的，清除会话不会阻止会话cookie被发送。如果您希望完全删除Cookie，则必须使用Rack中间件。
  class CookieFilter 
 def initialize（app）
 @app = app 
 end 
 
 def call（env）
 status，headers，body = @ app.call（env）
 
＃只使用下面两行之一
 
＃这将从响应中删除所有cookie 
 headers.delete'Set-Cookie'
＃这将删除只是你的会话cookie 
 Rack :: Utils.delete_cookie_header！（headers，'_app-name_session'）
 
 [status，headers，body] 
 end 
 end 
  
通过使用以下正文创建初始设置来使用它：
  Rails.application.config.middleware.insert_before :: ActionDispatch :: Cookies，:: CookieFilter 
  
为了防止cookie过滤器在应用程序堆栈跟踪中结束，这可能是有时令人困惑，你可能想在backtrace中使它静默（假设你把它放在 lib / cookie_filter.rb ）：
  Rails.backtrace_cleaner.add_silencer {| line | line.start_with？ lib / cookie_filter.rb} 
  
 
I have RESTful API written on RoR 3.
I have to make my application not to send "Set-Cookie header" (clients are authorizing using auth_token parameter).

I have tried to use session :off and reset_session but it does not make any sense.
I am using devise as authentication framework.

Here is my ApplicationController
class ApplicationController < ActionController::Base
  before_filter :reset_session #, :unless => :session_required?
  session :off #, :unless => :session_required?

  skip_before_filter :verify_authenticity_token
  before_filter :access_control_headers!

  def options
    render :text => ""
  end

  private
  def access_control_headers!
    response.headers["Access-Control-Allow-Origin"] = "*"
    response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
    response.headers["Access-Control-Allow-Credentials"] = "true"
    response.headers["Access-Control-Allow-Headers"] = "Content-type"
  end

  def session_required?
    !(params[:format] == 'xml' or params[:format] == 'json')
  end
end

解决方案
As is mentioned in a comment on John's answer, clearing the session will not prevent the session cookie from being sent. If you wish to totally remove the cookie from being sent, you have to use Rack middleware.
class CookieFilter
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)

    # use only one of the next two lines

    # this will remove ALL cookies from the response
    headers.delete 'Set-Cookie'
    # this will remove just your session cookie
    Rack::Utils.delete_cookie_header!(headers, '_app-name_session')

    [status, headers, body]
  end
end
Use it by creating an initializer with the following body:
Rails.application.config.middleware.insert_before ::ActionDispatch::Cookies, ::CookieFilter
To prevent the cookie filter to end up in application stack traces, which can be utterly confusing at times, you may want to silence it in the backtrace (Assuming you put it in lib/cookie_filter.rb):
Rails.backtrace_cleaner.add_silencer { |line| line.start_with? "lib/cookie_filter.rb" }


                        
这篇关于Rails 3禁用会话Cookie的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！