Broken Images, Broken Rails

One of the features of Rails that I find pretty nifty as a web developer is the ability to easily turn off sessions for parts of a web-app or for the entire web application. This is important, because sessions on a high traffic website can cause tremendous strain on a server. This is how you turn off sessions site-wide in Rails:

1
2
3
4

class ApplicationController < ActionController::Base
  session :off
end

This turns off sessions to all controllers that inherit from ApplicationController—or at least that’s what the documentation tells you. So, I was surprised to learn that one of my controllers was still generating sessions. Here it is:

1
2
3
4
5

class OtherController < ApplicationController
  def books
  end
end

What in the world is going on here? Of course, if you search online nobody else in the world is having the same problem, or they’re just keeping quiet about it. Have the Rails gods screwed up (oops, blasphemy), or am I doing something wrong (probably).

The answer appears to be a combination of the two. A page rendered by OtherController happened to contain an image that was actually not present, as evidenced by the following snippet in the log files:

ActionController::RoutingError (Recognition failed for "/images/gradient_back.gif"):
    /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/routing.rb:522:in `recognition_failed'
    /usr/lib/ruby/gems/1.8/gems/actionpack-1.12.5/lib/action_controller/routing.rb:512:in `recognize!'
    /usr/lib/ruby/gems/1.8/gems/rails-1.1.6/lib/dispatcher.rb:38:in `dispatch'

Apparently, this triggers Rails to generate a session. Perhaps the Rails folks can rationalize this as useful, but it seems like a clear design flaw to me. Unscrupulous users can create sessions simply by attempting to load non-existent URLs— BAD, BAD, BAD…