config.action_controller.session_store = :active_record_store
However, when hitting our system with, say, 10,000 API requests, we get
10,000 session objects in the database, which seems like a big waste.
Is there a way to prevent this?
Basically we want API requests to start with an empty in-memory-only
session hash which is dropped after the request finishes. Somewhat
related, we also don't want to return an HTTP Header Set-Cookie:
PS. Using Rails 2.3.11
Seems to me like you have no need for sessions at all, since you don’t want the session cookie set.
In your API controller, just put “session :disabled => true” on top.
If you do need sessions, I would suggest just skipping the active record store sessions completely and either moving on to the cookie-based store or a memcache store (which will automatically drop sessions once it hits the memory threshold iirc).
Peter De Berdt
> In your API controller, just put "session :disabled => true" on top.
That's a no-op function; it results in a deprecation warning:
"Disabling sessions for a single controller has been deprecated.
Sessions are now lazy loaded. So if you don't access them, consider
them off. You can still modify the session cookie options with
> If you do need sessions, I would suggest just skipping the active
> record store sessions completely and either moving on to the
> cookie-based store or a memcache store (which will automatically drop
> sessions once it hits the memory threshold iirc).
We do need sessions for browser requests.
We specifically don't want a cookie based store due to security issues
Memcache store might be an option, but then it's still making
unnecessary TCP/IP calls to find, create and update session objects
for API requests which is a waste of resources.
What that means, I believe, is that if you do not access the session
then it will not be created. That implies that somewhere in your API
requests you are accessing the session. Find that/them and remove the
access to the session and no session will be created for those
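
The lazy loading described in the reply above, as an added Ruby model that is not part of the thread and is not Rails' own code: a session row and a Set-Cookie header appear only when the request actually touches the session, and a bare read is enough to trigger both. `CountingStore`, `LazySession`, `SessionMiddleware`, `API_CLEAN`, `API_LEAKY` and `run` are hypothetical names constructed for this illustration.

```ruby
# Simplified model of a lazily loaded session (constructed example).
class CountingStore                 # stands in for the sessions table
  attr_reader :rows
  def initialize
    @rows = {}
  end

  def find_or_create(sid)
    @rows[sid] ||= {}
  end
end

class LazySession
  def initialize(store, sid)
    @store, @sid, @data = store, sid, nil
  end

  def loaded?
    !@data.nil?
  end

  def [](key)
    data.fetch(key, nil)            # even a read forces the store lookup
  end

  def []=(key, value)
    data.store(key, value)
  end

  private

  def data
    @data ||= @store.find_or_create(@sid)
  end
end

class SessionMiddleware
  def initialize(app, store)
    @app, @store, @next_id = app, store, 0
  end

  def call(env)
    sid = "sid-#{@next_id += 1}"    # API clients send no session cookie
    env["session"] = LazySession.new(@store, sid)
    status, headers, body = @app.call(env)
    # Only a session that was touched is persisted and advertised.
    headers = headers.merge("Set-Cookie" => "_session_id=#{sid}") if env["session"].loaded?
    [status, headers, body]
  end
end

API_CLEAN = lambda { |env| [200, {}, ["ok"]] }
API_LEAKY = lambda { |env| env["session"][:user_id]; [200, {}, ["ok"]] } # e.g. a shared filter

def run(app, requests)
  store = CountingStore.new
  stack = SessionMiddleware.new(app, store)
  responses = Array.new(requests) { stack.call({}) }
  { rows: store.rows.size, cookies: responses.count { |_, h, _| h.key?("Set-Cookie") } }
end
```

Comparing `run(API_CLEAN, 10_000)` with `run(API_LEAKY, 100)` shows the difference a single session read in a shared code path makes.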