在金字塔中，如何防止cookie设置为某些响应？

Question

在金字塔中，使用烧杯进行会话，我该如何做出某些响应不包括cookie？

目前，如果我在应用程序上卷曲任何URL，我会收回类似的内容：

HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Thu, 07 Nov 2013 02:14:45 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 776
Connection: keep-alive
Set-Cookie: beaker.session.id=0a6d945c09884ca29d73bc4ff4d09ff0; expires=Thu, 07-Nov-2013 03:14:45 GMT; httponly; Path=/; secure

我不需要所有请求设置的cookie。例如，我想将其从具有子域“ API”的请求中删除。我尝试更改：

def main(global_config, **settings):
    session_factory = session_factory_from_settings(settings)
    config = Configurator(settings=settings, root_factory=get_root)
    config.set_session_factory(session_factory)
    return config.make_wsgi_app()

至：

def main(global_config, **settings):
    session_factory = session_factory_from_settings(settings)
    config = Configurator(settings=settings, root_factory=get_root)
    #config.set_session_factory(session_factory)
    return MethodOverride(config, session_factory)

class MethodOverride(object):

    def __init__(self, config, session_factory):
        import copy
        self.config = copy.deepcopy(config)
        config.set_session_factory(session_factory)
        self.application = config.make_wsgi_app()

    def __call__(self, environ, start_response):
        if "api" == environ['HTTP_HOST'].split('.')[0]:
            self.application = self.config.make_wsgi_app()

我认为这会这样做，以便不会在这些情况下设置会话工厂，因此没有cookie。我不了解中间件的情况。我也可以很好地弄清楚它使其制作方法，以便具有“应用程序/JSON” MIMETYPE不包含该cookie的响应对象。任何帮助将非常感激。

Answer 1

One way you could do this is by using an NewResponse subscriber that would modify the outgoing response.

For example:

def new_response_subscriber(event):
    request = event.request
    response = event.response

    if "api" == request.environ['HTTP_HOST'].split('.')[0]:
        if 'Set-Cookie' in response.headers:
            del response.headers['Set-Cookie']

This would be one way to remove all cookies from all responses. Another way to do it would be to create a new session factory that checks to see if the current URL is an API request, and if so, it doesn't create a session at all.