I was moving my personal site to Phoenix LiveView and noticed that there is always a session cookie present.
I’m wondering if it’s possible to run a LiveView application without cookies. There is this EU cookie law that says there needs to be a warning if the site is using cookies, and I would like to just have no cookies at all, to skip this cookie popup.
So the questions are:
How to run a Phoenix site without sessions/cookies?
How to run a LiveView enabled Phoenix site without sessions/cookies?
Not a lawyer, but the EU cookie law does not disallow all cookies. It explicitly allows those “strictly necessary for the delivery of a service requested by the user”, with one such example being a cookie used to implement a shopping cart in an e-commerce application. As long as you don’t use the session cookie for other tracking purposes not necessary for the functioning of your app, you should be fine.
The session cookie is in most cases “strictly necessary”, as your app cannot really work without it if it has to maintain any state. Conversely, third-party cookies and tracking pixels are not strictly necessary, and would definitely fall into the ones you should be able to opt out from. In between, there is a large gray area.
That’s the thing - I don’t want to get some letter from a lawyer and then explain to him the situation. If it is possible I just want to disable the source of the problem - cookies. Then I just don’t care.
Please let’s not debate the law and how to interpret it.
```
[debug] LiveView session was misconfigured or the user token is outdated.

1) Ensure your session configuration in your endpoint is in a module attribute:

    @session_options [
      ...
    ]

2) Change the `plug Plug.Session` to use said attribute:

    plug Plug.Session, @session_options

3) Also pass the `@session_options` to your LiveView socket:

    socket "/live", Phoenix.LiveView.Socket,
      websocket: [connect_info: [session: @session_options]]

4) Define the CSRF meta tag inside the `<head>` tag in your layout:

    <%= csrf_meta_tag() %>

5) Pass it forward in your app.js:

    let csrfToken = document.querySelector("meta[name='csrf-token']").getAttribute("content");
    let liveSocket = new LiveSocket("/live", Socket, {params: {_csrf_token: csrfToken}});
```
I’m having doubts that it can be used without session.
Actually, the issue is not solved yet. In dev I see no cookies, but…
There are 2 problems:
In production there is still a cookie being created. Could not figure out yet, what is causing it.
Tests for live views don’t work anymore. I think they are always trying to load something from the session. It is strange, because in development the live_view works perfectly fine and no cookies are created.