3

Is there a way to disable all cookies for a Rails app? Or preferably on a controller by controller basis? My problem is regarding access of a Rails JSON api by an Adobe Lightroom plugin. Apparently the presence of any cookie data in the response from the server causes an error in Lightroom.

andy
  • The cookies are generally used for the CSRF protection, I think disabling them will open security holes, and it may give you problems when hitting your rails stack with a post request. Have you looked into using Adobe Lightroom with Rails, to see if there's specific docs on that? – agmcleod Aug 30 '11 at 18:05
  • What is probably going to happen is that we will roll our own version of CSRF to verify that communication to the server is coming from our plugin and not from random post requests. It will be stateless and token based however. I agree that disabling cookies outright does not sound good from a security standpoint but we will take precautions on our own to fill these gaps. Any ideas on how to disable them controller to controller? – andy Aug 30 '11 at 18:29
  • I ran into the method: reset_session. I suggest trying to put that into a before_filter, and see if it does the trick. Can also try what's recommended here: http://stackoverflow.com/questions/5435494/rails-3-disabling-session-cookies with the session.clear. I have to admit, I'm not sure if this covers tokens or other things that rails generates. If this doesn't work, I would recommend trying to pore through either the rails guides or other documentation aspects, to see if there's some sort of config setting. Sorry that I do not have a direct answer for you. – agmcleod Aug 30 '11 at 19:20
  • Hmm, this problem is still occurring. Even when I clear the session, I am still getting a Set-Cookie header. Any other ideas to selectively destroy this header, maybe at the rack level? – andy Sep 01 '11 at 20:27
  • No, sorry. I think it's stupid that an API has this kind of requirement. – agmcleod Sep 01 '11 at 23:10
  • Really? I think it's stupid to be forced into sending cookie headers and setting unnecessary session data for an API that is authenticated with its own signature system and auth tokens – andy Sep 02 '11 at 05:12
  • That's a fair point as well. Let me know if you manage to figure it out. I'm curious of the answer. – agmcleod Sep 02 '11 at 11:16
  • So I have an unfortunate half answer to this. It turns out that the cookie problem Lightroom was having was due to a function in Devise that was redirecting the signed in user based on the cookie before it was getting to my controller. So instead of being returned a JSON object it was sending back a redirect to my homepage. So I overrode the Devise method redirect_to in my application controller to solve this problem. I can't really offer this up as an answer to my question though because I did not disable cookies to fix it. It appears that Rails cookies are an "all or nothing" setting :( – andy Sep 02 '11 at 18:02
  • If you only have very simple token-based auth, do you really need Devise? – gtd Jan 23 '14 at 16:53

3 Answers

4

In the controller you want to avoid cookies, add this:

after_filter :skip_set_cookies_header

def skip_set_cookies_header
  request.session_options = {}
end

If you have a set of API controllers, set this in an api_controller class and let your other controllers inherit from the api_controller.

This skips setting the Set-Cookie header since the session options are empty.

tommy chheng
1

You might want to use ActionController::Metal and add any additional modules that you might need.

ActionController::Metal is pretty barebone and skips most of the functionality of a typical ApplicationController including cookies.

You can call ApplicationController.ancestors to get an idea of what is typically included in contrast with ActionController::Metal.ancestors

Here's how I would most likely set it up.

class SimpleController < ActionController::Metal
  # include ...
  # include ...
end

class FirstApiController < SimpleController
  def index
    # Code
  end
end

class SecondApiController < SimpleController
  def index
    # Code
  end
end
ashoda
1

If you're using Apache, you can probably turn off cookies in the response by using mod_headers, which is a standard Apache module.

Header always unset "Set-Cookie"

John Douthat
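The same header stripping can be done inside the app instead of at Apache, at the Rack level the asker mentions in the comments. The middleware below is an added example, not code from any of the answers; it assumes a constructed downstream app in place of Rails and a hypothetical /api path prefix, and only drops Set-Cookie for matching paths so the rest of the app keeps its session and CSRF cookies.

```ruby
# Hypothetical Rack middleware (example code, not from the answers above):
# removes Set-Cookie from responses whose path starts with an API prefix.
# In a Rails app it has to sit outside the cookie middleware so it sees the
# finished headers, e.g.:
#   config.middleware.insert_before ActionDispatch::Cookies, StripApiCookies
class StripApiCookies
  def initialize(app, prefixes: ['/api'])
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    if api_path?(env['PATH_INFO'])
      # Header key casing differs between Rack versions, so compare case-insensitively.
      headers = headers.reject { |k, _| k.to_s.casecmp('set-cookie').zero? }
    end
    [status, headers, body]
  end

  private

  def api_path?(path)
    @prefixes.any? { |p| path.to_s.start_with?(p) }
  end
end

# Constructed stand-in for the Rails stack: every response carries a session cookie,
# which is exactly the behaviour the question is trying to avoid for API calls.
COOKIE_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'application/json',
     'Set-Cookie' => '_app_session=abc123; path=/; HttpOnly' },
   ['{"ok":true}']]
end

# Run one request through the middleware and return the Rack triple.
def strip_cookies_for(path)
  StripApiCookies.new(COOKIE_APP).call('PATH_INFO' => path)
end

if __FILE__ == $0
  status, headers, _body = strip_cookies_for('/api/photos')
  puts "#{status} #{headers.inspect}"   # no Set-Cookie for the API path
  _status, headers, _body = strip_cookies_for('/photos')
  puts headers['Set-Cookie']            # non-API path keeps its cookie
end
```

Note that this only suppresses the header; the session object is still built server-side, so any CSRF or session-based checks for the API paths need to be replaced by the token scheme discussed in the comments.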