ActiveStorage: Cache-Control: max-age=3155695200, public and Set-Cookie: _app_session=

In using ActiveStorage’s proxy mode:

config.active_storage.resolve_model_to_route = :rails_storage_proxy

I was surprised to find that Rails returns both Cache-Control: max-age=3155695200, public AND Set-Cookie: _app_session=... when GETing ActiveStorage uploaded files via the proxy URL. Caching cookie session data does not seem like a good idea and I was surprised to find little mention of this online or in the codebase (maybe I’m missing something obvious?).

As a work around I have setup an initializer to instruct the ActiveStorage::Blobs::ProxyController controller to not return the session AND not cache any set-cookie headers should they slip through on the show action:

Rails.application.config.to_prepare do
  ActiveStorage::Blobs::ProxyController.class_eval do
    after_action -> { request.session_options[:skip] = true }, only: :show
    after_action -> { response.headers["Cache-Control"].present? ? response.headers["Cache-Control"] += ", no-cache='set-cookie'" : response.headers["Cache-Control"] = "no-cache='set-cookie'" }, only: :show

It seems like there should be some convention or logic in Rails regarding Cache-Control and Set-Cookie where Rails automatically strips Set-Cookie headers from any responses that could result in shared caches (proxies, CDNs) storing cookie data. Has this been discussed or considered before? Is there a better approach?

@Sean I came on here exactly because of this issue.

Has this workaround been successful for you? Were you able to get an answer to your question in any other venue?


I found a discussion of this on the Rails repo. There are some good answers there for anyone else who counters this.