On Mar 11, 3:00 am, Frederick Cheung <[email protected]> wrote:
> If previously you had session :off, why are you accessing the session
> at all?
> I don't think rails is trying to be too clever - any use of session
> makes rails consider the session to be used (and so in need of
> updates)
>
> Fred

It used session :off, :if => ... The API is accessed both by the browser (where sessions are used), and by non-browser clients (where the cookie should not be sent). The session takes priority; my logic looked like this:

(pseudocode)

    if user_id = session[:user_id]
      # authorized by session
    elsif (api_key = params[:api_key]) && (api_signature = params[:api_signature])
      # authorized by api_key/signature
    else
      # not authorized
    end

In Rails 2.3, that first check for a user_id is enough to cause the session cookie to be written. I believe this is counterintuitive; no values are stored and the session remains empty, but Rails sets a session cookie.

It was nice in Rails 2.2 to be able to explicitly disable the session. In Rails 2.3 if you find a session cookie, you have to track down any place where you even look at a session value to prevent the cookie from being set. This is why this still seems like a bug.

Ryan

