
I use Rails 4.0.2 and Devise 3.3.0. This application works with both Web clients and mobile clients. Web applications use sessions and mobile applications are authenticated using auth_token that is sent in params with every request.

Right now I can't find a way to prevent Rails from setting and sending cookies to mobile clients - responses always contain

Set-Cookie = request_method=GET; path=/, _myapp_session=<token...>; path=/; HttpOnly

I would highly appreciate any hints on what I should do inside my Rails controllers, by using filters or any custom Rack middlewares. I also guess that this can be solved using some custom Devise strategy or something like that.

Let me know if I should provide any additional information.

Thanks.

Stanislav Pankevich
  • Is it secure to pass an auth_token in all requests for mobile? For GET requests isn't it put into your url? – TheJKFever May 14 '15 at 01:47

1 Answer

This solution: Rails 3 disabling session cookies worked for me.

I ended up setting a middleware:

module MyApp
  # Rack middleware that strips Set-Cookie headers from responses to
  # mobile clients. Because it is inserted *before* ActionDispatch::Cookies,
  # it wraps the cookie/session middleware and sees the headers they add.
  class MobileClientsCookieFilter
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)

      request = Rack::Request.new env

      # Mobile clients identify themselves with a 'device' param
      # (extend this condition with any other mobile-client checks you need).
      if request.params['device'].present?
        headers.delete 'Set-Cookie'
      end

      [status, headers, body]
    end
  end
end

and within application.rb

config.middleware.insert_before ::ActionDispatch::Cookies, MyApp::MobileClientsCookieFilter

It looks like a similar solution is also possible: subclass ActionDispatch::Cookies, call super for web clients and do nothing for mobile clients, then swap this custom middleware in for the original ActionDispatch::Cookies. Implemented this way, no cookies would be created/generated at all for mobile clients.

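The following is an added, stand-alone example of the middleware approach described in the answer above; it is not code from the original post. It runs with plain Ruby and no Rack gem by building the Rack env hash by hand and using a small lambda in place of the Rails stack (both constructed for this example). Two details not in the answer are assumptions: the client is treated as token-authenticated when the `auth_token` query parameter from the question, or a hypothetical `X-Auth-Token` header, is present; and the header name is matched case-insensitively, because Rack 3 lowercases response header names (`set-cookie`) while Rack 2 uses `Set-Cookie`.

```ruby
require 'uri'

module MyApp
  # Rack middleware that drops every Set-Cookie header from responses to
  # token-authenticated (mobile) clients. Insert it *before*
  # ActionDispatch::Cookies so that it wraps the cookie and session
  # middleware and sees the headers they add on the way out.
  class MobileClientsCookieFilter
    # token_header is an assumption for this example; the question only
    # mentions the token being sent in params.
    def initialize(app, token_param: 'auth_token', token_header: 'HTTP_X_AUTH_TOKEN')
      @app = app
      @token_param = token_param
      @token_header = token_header
    end

    def call(env)
      status, headers, body = @app.call(env)
      if token_client?(env)
        # Rack 2 uses 'Set-Cookie', Rack 3 uses 'set-cookie'; remove either.
        headers.delete_if { |name, _| name.casecmp?('set-cookie') }
      end
      [status, headers, body]
    end

    private

    # True when the request carries a non-empty auth token in the query
    # string or in the (assumed) X-Auth-Token header.
    def token_client?(env)
      return true unless env[@token_header].to_s.empty?
      query = URI.decode_www_form(env['QUERY_STRING'].to_s)
      query.any? { |key, value| key == @token_param && !value.to_s.empty? }
    end
  end
end

# Stand-in for the Rails stack below the filter (constructed for this
# example): it always emits the two cookies seen in the question.
COOKIE_SETTING_APP = lambda do |_env|
  headers = {
    'Content-Type' => 'text/plain',
    'Set-Cookie'   => "request_method=GET; path=/\n_myapp_session=abc123; path=/; HttpOnly",
  }
  [200, headers, ['ok']]
end

# Build a minimal Rack env for a GET request (constructed, no real server).
def build_env(query_string: '', extra: {})
  {
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO'      => '/api/profile',
    'QUERY_STRING'   => query_string,
  }.merge(extra)
end

# Run one request through the filtered stack and return the response headers.
def response_headers(env)
  app = MyApp::MobileClientsCookieFilter.new(COOKIE_SETTING_APP)
  _status, headers, _body = app.call(env)
  headers
end

if __FILE__ == $PROGRAM_NAME
  web    = response_headers(build_env)
  mobile = response_headers(build_env(query_string: 'auth_token=t0k3n'))
  puts "web client    -> Set-Cookie present: #{web.key?('Set-Cookie')}"
  puts "mobile client -> Set-Cookie present: #{mobile.key?('Set-Cookie')}"
end
```

Note that this only removes the header after the session has already been created and serialized by the inner middleware; the session store still does its work for every request, so the approach saves bytes on the wire and avoids handing mobile clients a session they never use, but it does not remove the session machinery from the request path.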