However, when hitting our system with, say, 10,000 API requests, we get
10,000 session objects in the database, which seems like a big waste
of resources.
Is there a way to prevent this?
Basically we want API requests to start with an empty in-memory-only
session hash which is dropped after the request finishes. Somewhat
related, we also don't want to return an HTTP Header Set-Cookie:
_session_id=...etc.
Seems to me like you have no need for sessions at all, since you don’t want the session cookie set.
In your API controller, just put “session :disabled => true” on top.
If you do need sessions, I would suggest just skipping the active record store sessions completely and either moving on to the cookie-based store or a memcache store (which will automatically drop sessions once it hits the memory threshold iirc).
> In your API controller, just put "session :disabled => true" on top.

That's a no-op function; it results in a deprecation warning:
"Disabling sessions for a single controller has been deprecated.
Sessions are now lazy loaded. So if you don't access them, consider
them off. You can still modify the session cookie options with
request.session_options."
> If you do need sessions, I would suggest just skipping the active
> record store sessions completely and either moving on to the
> cookie-based store or a memcache store (which will automatically drop
> sessions once it hits the memory threshold iirc).

We do need sessions for browser requests.
We specifically don't want a cookie based store due to security issues
with that.
Memcache store might be an option, but then it's still making
unnecessary tcp/ip calls to find, create and update session objects
for API requests which is a waste of resources.
What that means, I believe, is that if you do not access the session
then it will not be created. That implies that somewhere in your API
requests you are accessing the session. Find that/them and remove the
access to the session and no session will be created for those
requests.
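
The lazy-loading behaviour discussed in this thread, as an added example that is not code from any poster or from Rails itself: a simplified plain-Ruby model in which a session row is only written on first access, and each access records its call site so a stray session touch in an API action can be located. `FakeSessionStore`, `LazySession`, `handle_request`, `simulate` and the three sample actions are hypothetical names constructed for this illustration.

```ruby
# Simplified model of a lazily loaded session (assumption: NOT Rails' implementation).
class FakeSessionStore                 # stands in for the database-backed store
  attr_reader :rows
  def initialize; @rows = {}; end
  def create(id); @rows[id] = {}; end  # one "row" per session that is actually created
end

class LazySession
  attr_reader :touched_from
  def initialize(store, id)
    @store, @id, @data, @touched_from = store, id, nil, []
  end

  def loaded?; !@data.nil?; end
  def [](key);          load!(caller(1, 1).first)[key];         end
  def []=(key, value);  load!(caller(1, 1).first)[key] = value; end

  private

  # First access creates the row; every access records where it came from.
  def load!(site)
    @touched_from << site
    @data ||= @store.create(@id)
  end
end

# Runs one request; reports whether a session was created and by which code.
def handle_request(store, id)
  session = LazySession.new(store, id)
  yield session
  { session_created: session.loaded?, touched_from: session.touched_from }
end

# Returns [number of rows written, per-request reports].
def simulate(actions)
  store = FakeSessionStore.new
  reports = actions.each_with_index.map do |action, i|
    handle_request(store, "sid-#{i}") { |s| action.call(s) }
  end
  [store.rows.size, reports]
end

# Constructed sample actions.
API_CLEAN = ->(session) { :ok }                            # never touches the session
API_LEAKY = ->(session) { session[:last_seen] = 1; :ok }   # stray write creates a row
BROWSER   = ->(session) { session[:user_id] = 42 }         # legitimately needs a session
```

In this model, `simulate([API_LEAKY] * 3)` writes three rows and each report's `touched_from` names the line that caused it, which is the access the last reply suggests finding and removing.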