Skip to content

Drop the session cookie if it's useless#2865

Merged
david-a-wheeler merged 1 commit into
mainfrom
delete_cookie
Jun 26, 2026
Merged

Drop the session cookie if it's useless#2865
david-a-wheeler merged 1 commit into
mainfrom
delete_cookie

Conversation

@david-a-wheeler

Copy link
Copy Markdown
Collaborator

Drop the session cookie if it's useless, to improve our CDN caching.

A browser that received a session cookie (e.g. just logged out, or shown a stored flash) keeps sending it until the browser closes. Then the Fastly rule passes every such request to origin and the user never gets the CDN-cached anonymous pages. The method omit_session_cookie only skips writing a cookie; it can't remove one the browser already holds.

This commit adds an after_action, drop_unneeded_session_cookie, that actively expires the cookie when: the browser sent it, the user is not logged in, there is no
flash to carry, and the session holds no real per-user content. The "real content" check (session_has_user_content?) ignores framework bookkeeping keys (Rack's always-present session_id and a spent flash) and is read-only, since mutating the session itself generates a session_id. It fails safe: unknown keys count as content, and anonymous requests that did not send the cookie get no Set-Cookie at all (so cached responses are never polluted).

SESSION_COOKIE_NAME is read from config so a cookie rename stays correct.

Tests (test/integration/drop_session_cookie_test.rb) check various cases. They assert the observable
cookie outcome (not middleware internals) across: spent cookie deleted, no-cookie emits nothing, logged-in kept, CSRF-token kept, flash-display kept, and spent-flash gone on the next request.

Drop the session cookie if it's useless, to improve our CDN caching.

A browser that received a session cookie (e.g. just logged out, or shown a
stored flash) keeps sending it until the browser closes. Then the Fastly rule
passes every such request to origin and the user never gets the CDN-cached
anonymous pages. The method omit_session_cookie only skips *writing*
a cookie; it can't remove one the browser already holds.

This commit adds an after_action, drop_unneeded_session_cookie,
that actively expires the cookie when: the browser sent it,
the user is not logged in, there is no
flash to carry, and the session holds no real per-user content. The "real
content" check (session_has_user_content?) ignores framework bookkeeping
keys (Rack's always-present session_id and a spent flash) and is read-only,
since mutating the session itself generates a session_id. It fails safe:
unknown keys count as content, and anonymous requests that did not send the
cookie get no Set-Cookie at all (so cached responses are never polluted).

SESSION_COOKIE_NAME is read from config so a cookie rename stays correct.

Tests (test/integration/drop_session_cookie_test.rb) check various cases.
They assert the observable
cookie outcome (not middleware internals) across: spent cookie deleted,
no-cookie emits nothing, logged-in kept, CSRF-token kept, flash-display
kept, and spent-flash gone on the next request.

Co-Authored-By: David A. Wheeler <dwheeler@dwheeler.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
@david-a-wheeler david-a-wheeler merged commit 1d6b3ea into main Jun 26, 2026
6 checks passed
@codecov

codecov Bot commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (9d45362) to head (bba57c9).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #2865   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           79        79           
  Lines         4343      4355   +12     
=========================================
+ Hits          4343      4355   +12     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant