
Conversation


@jrafanie jrafanie commented Jul 29, 2025

TODO: Determine if we can filter this to just GET requests and if we need to watch for the CSRF protections which generally require saving cookies.

Before

Note the /api/notifications write_session below:

[----] D, [...#59755:c954] DEBUG -- development: RackSessionDalliLogger#find_session   id: a6562c80-e08c-48f9-821c-1c2da016cd02 method: GET fullpath: /dashboard/show
[----] D, [...#59755:c954] DEBUG -- development: RackSessionDalliLogger#write_session  id: a6562c80-e08c-48f9-821c-1c2da016cd02 method: GET fullpath: /dashboard/show
[----] D, [...#59755:f57bc] DEBUG -- development: RackSessionDalliLogger#find_session   id: 770573c7-586c-4a3c-967f-88a96b8b3a56 method: GET fullpath: /ws/notifications
[----] D, [...#59755:f57bc] DEBUG -- development: RackSessionDalliLogger#write_session  id: 770573c7-586c-4a3c-967f-88a96b8b3a56 method: GET fullpath: /ws/notifications
[----] D, [...#59755:f57a8] DEBUG -- development: RackSessionDalliLogger#find_session   id: d97be5db-108a-43eb-9e14-19dd7ae8c824 method: GET fullpath: /api/notifications?expand=resources&attributes=details&sort_by=id&sort_order=desc&limit=100
[----] D, [...#59755:f5910] DEBUG -- development: RackSessionDalliLogger#find_session   id: f6caa941-b1bb-4406-8a49-7a778b6d3baf method: GET fullpath: /dashboard/widget_report_data/24
[----] D, [...#59755:f58fc] DEBUG -- development: RackSessionDalliLogger#find_session   id: d170f7cd-3bec-4a36-8834-6014a71c3e1c method: GET fullpath: /dashboard/widget_chart_data/9
[----] D, [...#59755:c954] DEBUG -- development: RackSessionDalliLogger#find_session   id: 8b81f793-5d7e-494c-9881-42f595c4cd24 method: GET fullpath: /dashboard/widget_report_data/22
[----] D, [...#59755:f57bc] DEBUG -- development: RackSessionDalliLogger#find_session   id: 5eb52e22-0caf-4a6a-9a1e-6d4b10f60e8e method: GET fullpath: /dashboard/widget_report_data/21
[----] D, [...#59755:f57a8] DEBUG -- development: RackSessionDalliLogger#write_session  id: d97be5db-108a-43eb-9e14-19dd7ae8c824 method: GET fullpath: /api/notifications?expand=resources&attributes=details&sort_by=id&sort_order=desc&limit=100
[----] D, [...#59755:f5910] DEBUG -- development: RackSessionDalliLogger#find_session   id: a8843da1-b002-4c64-81fb-fb57415cbe90 method: GET fullpath: /dashboard/widget_chart_data/10

After

Including the UI classic change in ManageIQ/manageiq-ui-classic#9533

Note, there is no /api/notifications GET write_session line:

[----] D, [...#59627:c954] DEBUG -- development: RackSessionDalliLogger#find_session   id: e2d98313-97db-4f2c-9353-d0173e416eea method: GET fullpath: /dashboard/show
[----] D, [...#59627:c954] DEBUG -- development: RackSessionDalliLogger#write_session  id: e2d98313-97db-4f2c-9353-d0173e416eea method: GET fullpath: /dashboard/show
[----] D, [...#59627:f5794] DEBUG -- development: RackSessionDalliLogger#find_session   id: 60446a89-c410-4b13-ad98-d6cfddb0ae70 method: GET fullpath: /api/notifications?expand=resources&attributes=details&sort_by=id&sort_order=desc&limit=100
[----] D, [...#59627:f5780] DEBUG -- development: RackSessionDalliLogger#find_session   id: 2c076af9-89e5-4938-836d-3da42ca1a1eb method: GET fullpath: /ws/notifications
[----] D, [...#59627:f5780] DEBUG -- development: RackSessionDalliLogger#write_session  id: 2c076af9-89e5-4938-836d-3da42ca1a1eb method: GET fullpath: /ws/notifications
[----] D, [...#59627:f5780] DEBUG -- development: RackSessionDalliLogger#find_session   id: b5f7219e-1c9c-4049-8d2a-71e7e8edd277 method: GET fullpath: /dashboard/widget_report_data/21
[----] D, [...#59627:f58e8] DEBUG -- development: RackSessionDalliLogger#find_session   id: 34228ef9-1f06-4e6b-9447-15704505db12 method: GET fullpath: /dashboard/widget_report_data/22
[----] D, [...#59627:c954] DEBUG -- development: RackSessionDalliLogger#find_session   id: 6cb372fd-8f02-4dbd-807f-08eb712896d2 method: GET fullpath: /dashboard/widget_report_data/24
[----] D, [...#59627:f58d4] DEBUG -- development: RackSessionDalliLogger#find_session   id: 1fbacc6d-910f-4136-9147-1057ce829b21 method: GET fullpath: /dashboard/widget_chart_data/9
[----] D, [...#59627:f5780] DEBUG -- development: RackSessionDalliLogger#find_session   id: be3684f0-f830-46ca-bd96-b17db9f4cd02 method: GET fullpath: /dashboard/widget_chart_data/10

```ruby
after_action :skip_session_write

def skip_session_write
  request.session_options[:skip] = true if %w[GET HEAD].include?(request.request_method)
end
```
Member

Thought we used OPTIONS?
Probably not too many times, but it may be a minor addition.

Suggested change

```diff
-request.session_options[:skip] = true if %w[GET HEAD].include?(request.request_method)
+request.session_options[:skip] = true if %w[GET HEAD OPTIONS].include?(request.request_method)
```

Member Author

I'm fine with adding it. Do you have any idea why this isn't the default? Why would you want contention on session writes for read only options like GET/HEAD/OPTIONS? Maybe to update ttl to timeout cookies?

Member

Yeah, great question.
I guess everything can have side effects?
Whether changing a cached value or a counter or who knows what.

But I like where you are heading here.
In our main app, it is not REST. GET explorer or GET children for an explorer does modify the session, and the request is sticky.
Polling on whether a task is complete or fetching a PDF uses the session (possibly modifies it).

Member

TTL is actually an important one - every GET should technically extend the session time - but we can also do that differently - perhaps with a dedicated memcached d that isn't part of the session content

```ruby
after_action :skip_session_write

def skip_session_write
  request.session_options[:skip] = true if %w[GET HEAD OPTIONS].include?(request.request_method)
end
```
Member Author

In discussion, Jason thinks we might not need to gate this for GET as all requests should be able to bypass writing session. 🙏 ❤️

Member Author

We should make sure some pages using React work after trying to bypass session writes for all requests... also make sure API requests outside of the UI still work when reusing a token.
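As an added illustration of the two concerns raised in this thread (the CSRF TODO in the description and the review remark that GET explorer modifies the session), here is a pure-Ruby model of what `session_options[:skip]` does at commit time. It is not ManageIQ or Rack code: the in-memory store, `Request`, `run_request`, `csrf_round_trip` and `explorer_state_after_get` are constructed for this example, and Rack's real `commit_session` additionally skips unchanged data, which is left out so the skip flag's own effect stays visible.

```ruby
require 'securerandom'

# Constructed stand-in for the Dalli/memcached session store in the log lines
# above. It records every write so the effect of session_options[:skip] is
# observable; the names here (MemoryStore, run_request, csrf_round_trip) are
# this example's own, not ManageIQ's.
class MemoryStore
  attr_reader :writes

  def initialize
    @data = {}
    @writes = []
  end

  # Rack semantics: an unknown or missing id yields a fresh, empty session.
  def find_session(sid)
    return [sid, @data[sid].dup] if sid && @data.key?(sid)
    [SecureRandom.uuid, {}]
  end

  def write_session(sid, data, method, path)
    @data[sid] = data.dup
    @writes << "write_session id: #{sid} method: #{method} fullpath: #{path}"
    sid
  end
end

# Minimal request object carrying what the after_action touches.
class Request
  attr_reader :request_method, :fullpath, :session, :session_options

  def initialize(request_method, fullpath, session, session_options)
    @request_method = request_method
    @fullpath = fullpath
    @session = session
    @session_options = session_options
  end
end

# The after_action from the PR, applied to a plain request object.
SKIP_METHODS = %w[GET HEAD OPTIONS].freeze

def skip_session_write(req)
  req.session_options[:skip] = true if SKIP_METHODS.include?(req.request_method)
end

# Models Rack::Session::Abstract::Persisted#commit_session: with
# session_options[:skip] set, nothing is written back, whatever the action
# changed during the request.
def commit_session(store, req)
  return nil if req.session_options[:skip]
  store.write_session(req.session_options[:id], req.session, req.request_method, req.fullpath)
end

# Rails mints the CSRF token on first use and stores it in the session.
def csrf_token(req)
  req.session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Loads the session for the cookie, runs the action, then commits (or skips).
# Returns the action's result and the session id the response would set.
def run_request(store, method, path, cookie: nil, skip_reads: true)
  sid, data = store.find_session(cookie)
  req = Request.new(method, path, data, { id: sid })
  result = yield req
  skip_session_write(req) if skip_reads
  commit_session(store, req)
  [result, sid]
end

# The CSRF concern from the PR description: a fresh visitor GETs a form (token
# minted into the session), then POSTs it back with that token.
def csrf_round_trip(skip_reads:)
  store = MemoryStore.new
  token, sid = run_request(store, 'GET', '/form', skip_reads: skip_reads) { |req| csrf_token(req) }
  verified, _ = run_request(store, 'POST', '/form', cookie: sid, skip_reads: skip_reads) do |req|
    req.session[:_csrf_token] == token # verify_authenticity_token, simplified
  end
  { verified: verified, writes: store.writes }
end

# The sticky-explorer concern from the review: a GET that stores UI state.
def explorer_state_after_get(skip_reads:)
  store = MemoryStore.new
  _, sid = run_request(store, 'GET', '/explorer', skip_reads: skip_reads) { |req| req.session[:tree] = 'vm_infra' }
  store.find_session(sid)[1][:tree]
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |skip|
    r = csrf_round_trip(skip_reads: skip)
    puts "skip GET writes=#{skip}: csrf verified=#{r[:verified]}, writes=#{r[:writes].size}"
    puts "skip GET writes=#{skip}: explorer tree after GET=#{explorer_state_after_get(skip_reads: skip).inspect}"
  end
end
```

Run it and the `skip_reads: true` pass shows the failure mode the TODO worries about: the token minted during the first GET is never persisted, so the following POST is rejected, and the explorer state set during a GET is gone on the next request. Skipping the write is safe only for actions that store nothing new in the session, or when the value being stored was already persisted by an earlier write.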
