How do I prevent Rails from always sending the session header (Set-Cookie). This is a security problem if the application also sends the Cache-Control: public header.
如何防止Rails始终发送会话标头(Set-Cookie)。如果应用程序还发送Cache-Control:public标头,则这是一个安全问题。
My application touches (but does not modify) the session hash in some/most actions. These pages display no private content so I want them to be cacheable - but Rails always sends the cookie header, no matter if the sent session hash is different from the previous or not.
我的应用程序在某些/大多数操作中触及(但不修改)会话哈希。这些页面不显示私有内容,因此我希望它们可以缓存 - 但无论发送的会话哈希是否与之前的哈希不同,Rails总是发送cookie头。
What I want to achieve is to only send the hash if it is different from the one received from the client. How can you do that? And probably that fix should also go into official Rails release? What do you think?
我想要实现的是只发送哈希值,如果它与从客户端收到的哈希值不同。你怎么能这样做?也许这个修复也应该进入正式的Rails版本?你怎么看?
3 个解决方案
#1
2
Rails only adds the session cookie data to the Set-Cookie header if it has been touched. You might be setting things to the values that they already contain - it's not smart enough to check to see if the data is actually different.
如果已触摸,Rails仅将会话cookie数据添加到Set-Cookie标头。您可能正在设置它们已包含的值 - 它不够智能,无法检查数据是否实际上不同。
edit My response is a little misleading. When you are using the cookie session store, a new cookie is set if the cookie value (after Marshaling) changes.
编辑我的回答有点误导。当您使用cookie会话存储时,如果cookie值(在Marshaling之后)发生更改,则会设置新cookie。
See actionpack/lib/action_controller/session/cookie_store.rb
请参阅actionpack / lib / action_controller / session / cookie_store.rb
#2
1
For Rails 3 then use this.
对于Rails 3然后使用它。
env['rack.session.options'][:skip] = true
env ['rack.session.options'] [:skip] = true
or the equivalent
或等同物
request.session_options[:skip] = true
request.session_options [:skip] = true
You can find the documentation for it here http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html
你可以在这里找到它的文档http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html
#3
-1
Here is the crucial line:
这是关键线:
config.action_controller.session_store = :nil_session_store
See the whole post.
查看整篇文章。
#1
2
Rails only adds the session cookie data to the Set-Cookie header if it has been touched. You might be setting things to the values that they already contain - it's not smart enough to check to see if the data is actually different.
如果已触摸,Rails仅将会话cookie数据添加到Set-Cookie标头。您可能正在设置它们已包含的值 - 它不够智能,无法检查数据是否实际上不同。
edit My response is a little misleading. When you are using the cookie session store, a new cookie is set if the cookie value (after Marshaling) changes.
编辑我的回答有点误导。当您使用cookie会话存储时,如果cookie值(在Marshaling之后)发生更改,则会设置新cookie。
See actionpack/lib/action_controller/session/cookie_store.rb
请参阅actionpack / lib / action_controller / session / cookie_store.rb
#2
1
For Rails 3 then use this.
对于Rails 3然后使用它。
env['rack.session.options'][:skip] = true
env ['rack.session.options'] [:skip] = true
or the equivalent
或等同物
request.session_options[:skip] = true
request.session_options [:skip] = true
You can find the documentation for it here http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html
你可以在这里找到它的文档http://doc.rubyists.com/rack/Rack/Session/Abstract/ID.html
#3
-1
Here is the crucial line:
这是关键线:
config.action_controller.session_store = :nil_session_store
See the whole post.
查看整篇文章。