Prevent session creation on rails 3.2.2 for RESTful api

Question

How can i prevent the session store from creating a session on JSON/XML calls ?

My problem is that i save sessions in a database and it gets flooded on multiple api calls.

I'm using Rails 3.2.2 and Devise for authentication.

duplicate of http://stackoverflow.com/questions/1275008/how-to-conditionally-assign-actioncontrollerbase-session-in-rails-2-3-3 — Viktor Trón, May 23 '12 at 13:03
see http://stackoverflow.com/questions/4003667/rails-3-disable-session-cookies — Viktor Trón, May 23 '12 at 13:04
everything is pointing at https://github.com/kares/session_off. it just doesn't work for me. — refaelos, May 23 '12 at 13:09

score 18 · Accepted Answer · answered May 23 '12 at 16:03

18

My problem here was with Warden inside Devise. I had to "tell" Warden not to store the user in the session after the user is authenticated.

resource = warden.authenticate!(:scope => resource_name, :store => !(request.format.xml? || request.format.json?))

Hope that helps whoever sees this thread.

answered May 23 '12 at 16:03

refaelos

7,927
7
36
55

@kain I believe this is overriding a line in the Devise SessionsController create action. – Ben Aug 01 '13 at 14:44
authentication controller – refaelos Sep 19 '14 at 13:18
I don't see an authentication controller: https://github.com/plataformatec/devise/tree/master/app/controllers/devise – BenMorganIO Apr 13 '15 at 06:49
I'm guessing this must be it: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb#L17 – BenMorganIO Apr 13 '15 at 06:49
You forgot to tell that you must set config.skip_session_storage = [:http_auth, :params_auth] in config/initializers/devise.rb for accomplish this override – mld.oscar Feb 19 '19 at 22:55
Would also like to know how disable warden store session for sign up. This override works great for sign in. – Augusto Samamé Barrientos Apr 21 '19 at 22:20

score 4 · Answer 2 · edited Apr 03 '13 at 14:45

4

resource = warden.authenticate!(:scope => resource_name, :store => is_navigational_format?)

edited Apr 03 '13 at 14:45

Ingo Karkat

167,457
16
250
324

answered Apr 03 '13 at 14:29

Altonymous

783
7
25

score 1 · Answer 3 · answered May 23 '12 at 10:36

1

in theory if you don't use it, it is not loaded now. up until rails 2.3.8, you could do:

# application_controller.rb
session :off, :if => :sessionless_request?

protected

def sessionless_request?(request)
  request.format == :xml || request.format == :json
end

now you can do the same with this gem https://github.com/kares/session_off

answered May 23 '12 at 10:36

Viktor Trón

8,774
4
45
48

i tried your solutions and it doesn't work. maybe devise and session_off doesn't work well together ?! – refaelos May 23 '12 at 12:32
note that the plugin only redefines session call from controller, request.session call will still retrieve session. I think devise (actually warden) uses env['rack.session'] :( – Viktor Trón May 23 '12 at 13:24
i'm getting multiple errors when using session_off. i probably have several plugins that use the session. – refaelos May 23 '12 at 13:34
that's too bad b/c session_off seems like a great plugin. (btw, devise also uses "session") – refaelos May 23 '12 at 13:34

score -4 · Answer 4 · answered Sep 13 '12 at 09:48

-4

You should use "devise :timeoutable" in your model and use config.timeout_in = 0 in config/initializers/devise.rb

Restart your server!

answered Sep 13 '12 at 09:48

raphaelluchini

87
1
1
8

Prevent session creation on rails 3.2.2 for RESTful api

4 Answers4

Linked