3

I am trying to implement a Xero Webhook in my Ruby on Rails application. However, the Xero documentation says that the response should not contain any cookie. Hence, I am trying to find a way to remove all the cookies from the response, but I have had no luck. There is always a cookie with the name _rails-devise_session, which is the cookie to support sessions.

How can I have this cookie removed (or not present in the first place) but only for the specific end-point that serves the Xero Webhook?

p.matsinopoulos

2 Answers

0

Due to the inflexibility and poor documentation of the Xero web hook API, I created a file outside the framework and used .htaccess to direct the incoming traffic.

Invalidating a cookie does not work, nor does setting the value to null. If an array key for a cookie exists at all, the web hook will not function.

RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .*xerowebhook /webhooklanding.php [QSA,L,END]
RewriteRule ^ index.php [QSA,L]

I have yet to find a viable alternative where session cookies are in use.

pcgben
0
protect_from_forgery with: :null_session

in my controller, worked for me.

p.matsinopoulos
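A third option that stays inside the Rails stack, shown here as an added example that is not part of the question or of either answer: a small Rack-style middleware that drops every Set-Cookie header for the webhook path only. The route `/xero/webhook`, the class name and the stand-in app are assumptions made for the illustration.

```ruby
# Added example (not from the original posts): Rack-style middleware that
# drops every Set-Cookie header for one path and leaves other routes alone.
# WEBHOOK_PATH is a hypothetical route; the cookie name is the one quoted above.
WEBHOOK_PATH = "/xero/webhook"

class StripCookiesForPath
  def initialize(app, path:)
    @app = app
    @path = path
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless env["PATH_INFO"].to_s.chomp("/") == @path

    # Header names are case-insensitive ("Set-Cookie" in Rack 2, "set-cookie" in Rack 3).
    cleaned = headers.reject { |name, _value| name.to_s.casecmp?("set-cookie") }
    [status, cleaned, body]
  end
end

# Constructed stand-in for the Rails app: always sets a session cookie.
FAKE_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/plain",
     "Set-Cookie" => "_rails-devise_session=abc123; path=/; HttpOnly" },
   ["ok"]]
end

# Returns the response headers the client would see for a given path.
def headers_for(path)
  stack = StripCookiesForPath.new(FAKE_APP, path: WEBHOOK_PATH)
  _status, headers, _body = stack.call("REQUEST_METHOD" => "POST", "PATH_INFO" => path)
  headers
end

# In a Rails app the middleware has to sit outside ActionDispatch::Cookies,
# which is what writes the session cookie into the response, e.g. in
# config/application.rb (assumed placement):
#   config.middleware.insert_before ActionDispatch::Cookies,
#                                   StripCookiesForPath, path: WEBHOOK_PATH
```

Because the header is removed on the way out, sessions keep working for every other route, and the webhook response can be checked with `curl -i` for the absence of any Set-Cookie line.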