[SOLVED] In Pyramid, how can prevent cookies from being set in certain responses?

In Pyramid, how can prevent cookies from being set in certain responses?

In Pyramid, using beaker for sessions, how can I make it so certain responses do not include cookies?

Currently if I curl any url on my app I'll get back something like:

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Thu, 07 Nov 2013 02:14:45 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 776
Connection: keep-alive
Set-Cookie: beaker.session.id=0a6d945c09884ca29d73bc4ff4d09ff0; expires=Thu, 07-Nov-2013 03:14:45 GMT; httponly; Path=/; secure

I don't need that cookie being set with all requests. For example I'd like to remove it from requests that have the subdomain "api". I tried changing:

def main(global_config, **settings):
    session_factory = session_factory_from_settings(settings)
    config = Configurator(settings=settings, root_factory=get_root)
    config.set_session_factory(session_factory)
    return config.make_wsgi_app()

to:

def main(global_config, **settings):
    session_factory = session_factory_from_settings(settings)
    config = Configurator(settings=settings, root_factory=get_root)
    #config.set_session_factory(session_factory)
    return MethodOverride(config, session_factory)

class MethodOverride(object):

    def __init__(self, config, session_factory):
        import copy
        self.config = copy.deepcopy(config)
        config.set_session_factory(session_factory)
        self.application = config.make_wsgi_app()

    def __call__(self, environ, start_response):
        if "api" == environ['HTTP_HOST'].split('.')[0]:
            self.application = self.config.make_wsgi_app()

Which I thought would make it so that the session factory wouldn't be set in those instances and therefore no cookies. I don't understand what's going on with the middleware well enough. I'd also be fine with figuring out a way to make it so Response objects that have an "application/json" mimetype don't include that cookie. Any help would be much appreciated.

Solution

One way you could do this is by using an NewResponse subscriber that would modify the outgoing response.

For example:

def new_response_subscriber(event):
    request = event.request
    response = event.response

    if "api" == request.environ['HTTP_HOST'].split('.')[0]:
        if 'Set-Cookie' in response.headers:
            del response.headers['Set-Cookie']

This would be one way to remove all cookies from all responses. Another way to do it would be to create a new session factory that checks to see if the current URL is an API request, and if so, it doesn't create a session at all.