Recommended solution to token authentication without fallback to session

[mwangersjo]

First, thanks for all the work put in to this, it's really appreciated. I'm setting up this for the API part of an app I'm building and have some problems that I've seen being brought up in issues throughout the last couple of years. I'm not entirely sure what the state of this is with the current rails versions and current state of simple token authentication. To sum up, it would be nice to know if there is any solution to this that you recommend.

• When I log in from the web app part of my rails app and in that way establish a session I am able to access the controllers that are supposed to be protected by token authentication. I can see that there is a session being used.

I've tried to patch together some of the comments from various issues but can't get it to work in a way where the session is not used even though I would like them only to accept tokens for authentication. Sorry if this is a very general question but it feels like there are a lot of threads about this promoting different approaches and I got confused jumping between all of them, especially since some are a couple of years old and promote now obsolete syntax and so on.

[sauy7]

I solved this by stripping cookies from all my API endpoints using this Rack middleware: https://github.com/icoretech/rack-strip-cookies