I am using Devise to authenticate users to my Ruby on Rails application. Up to this point, I have been using the standard Cookie-based session to authenticate users, but now I have requirements to allow a token-based authentication, and I implemented this through a custom Warden strategy.

For the sake of this example, my custom strategy code is:

module Devise
  module Strategies
    class CustomAuthenticatable < Base
      # Only run this strategy when an email parameter is present.
      def valid?
        params.has_key? :email
      end

      def authenticate!
        user = User.find_by(email: params[:email])
        # success! sets the user for this request (and, by default, stores it in the session);
        # fail! ends the strategy without a user when no match is found
        user ? success!(user) : fail!(:invalid)
      end
    end
  end
end

So this works as expected for the first request: when I GET /api/my_controller/url?email=user@example.com the user is authenticated, and I get the expected response.

But wait: when I then make a second request: GET /api/my_controller/url, the user is still authenticated.

Upon further inspection, I see that a Set-Cookie is being sent, with a Devise session.

So here's my question:

How do I disable the Set-Cookie when using a custom strategy?

1 Answer

You can prevent the creation of a session, as described here:

Prevent session creation on rails 3.2.2 for RESTful api

resource = warden.authenticate!(:scope => resource_name, :store => !(request.format.xml? || request.format.json?))

For some other options, please consider Rails 3 disabling session cookies.
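As an added example that is neither the question's nor the answer's code, nor Warden's own: a stdlib-only Ruby model of the mechanism the answer relies on. The USERS table, Session and EmailStrategy are constructed stand-ins for User.find_by, the Rails cookie session and the question's strategy, and the store: keyword plays the role of Warden's :store option; with store: false the session is never written, so no Set-Cookie goes out and the second request (without ?email=) is unauthenticated.

```ruby
# Constructed user table standing in for User.find_by(email: ...).
USERS = { 'user@example.com' => { id: 42, email: 'user@example.com' } }.freeze

# Stand-in for the Rails cookie session; Set-Cookie goes out only if it was written.
class Session
  attr_reader :dirty
  def initialize
    @data, @dirty = {}, false
  end
  def [](key)
    @data[key]
  end
  def []=(key, value)
    @data[key] = value
    @dirty = true
  end
end

# Mirrors the question's strategy: applicable only when an email param is present.
class EmailStrategy
  def initialize(params)
    @params = params
  end
  def valid?
    @params.key?('email')
  end
  def authenticate
    USERS[@params['email']] # nil means the strategy failed
  end
end

# Stand-in for warden.authenticate!(scope, store:): a user already in the session wins,
# otherwise the strategy runs, and only store: true writes it back (hence the Set-Cookie).
def authenticate(params, session:, store:)
  user = USERS.values.find { |u| u[:id] == session[:user_id] } if session[:user_id]
  strategy = EmailStrategy.new(params)
  if user.nil? && strategy.valid?
    user = strategy.authenticate
    session[:user_id] = user[:id] if user && store
  end
  user
end

# Replays the question's two requests against one session (the cookie carries it in Rails).
def run_requests(store:)
  session = Session.new
  first = authenticate({ 'email' => 'user@example.com' }, session: session, store: store)
  set_cookie = session.dirty
  second = authenticate({}, session: session, store: store) # second request, no email
  { first: !first.nil?, set_cookie: set_cookie, second: !second.nil? }
end
```

run_requests(store: true) reproduces the question's symptom (cookie set, second request still authenticated); run_requests(store: false) shows the effect of passing :store => false to warden.authenticate!.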
