Cookieless / Sessionless Phoenix and LiveView

I was moving my personal site to Phoenix LiveView and noticed that there is always a session cookie present.

I’m wondering if it’s possible to run a LiveView application without cookies. There is this EU cookie law that there needs to be a warning if the site is using cookies and I would like to just have no cookies at all, to skip this cookie popup.

So the questions are:

  1. How to run a Phoenix site without sessions/cookies?
  2. How to run a LiveView enabled Phoenix site without sessions/cookies?

2 Likes

Not a lawyer, but the EU cookie law does not disallow all cookies. It explicitly allows those “strictly necessary for the delivery of a service requested by the user”, with one such example being a cookie used to implement a shopping cart in an e-commerce application. As long as you don’t use the session cookie for other tracking purposes not necessary for the functioning of your app, you should be fine.

The session cookie is in most cases “strictly necessary”, as your app cannot really work without, if it has to maintain any state. Conversely, third party cookies and tracking pixels are not strictly necessary, and would definitely fall into the ones you should be able to opt-out from. In between, there is a large gray area.

Here’s Wikipedia on that: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002#Cookies

3 Likes

That’s the thing - I don’t want to get some letter from a lawyer and then explain to him the situation. If it is possible I just want to disable the source of the problem - cookies. Then I just don’t care.

Please let’s not debate the law and how to interpret it.

The Phoenix part is quite simple: remove the :fetch_session plug and all plugs depending on it. Also do not manually set cookies / use the session.

Same should be possible for live_view I guess, but again you cannot use any stuff depending on it, which by now should only be flash messages.

1 Like

If I do that, the LiveView keeps crashing:

[debug] LiveView session was misconfigured or the user token is outdated.

1) Ensure your session configuration in your endpoint is in a module attribute:

    @session_options [
      ...
    ]

2) Change the `plug Plug.Session` to use said attribute:

    plug Plug.Session, @session_options

3) Also pass the `@session_options` to your LiveView socket:

    socket "/live", Phoenix.LiveView.Socket,
      websocket: [connect_info: [session: @session_options]]

4) Define the CSRF meta tag inside the `<head>` tag in your layout:

    <%= csrf_meta_tag() %>

5) Pass it forward in your app.js:

    let csrfToken = document.querySelector("meta[name='csrf-token']").getAttribute("content");
    let liveSocket = new LiveSocket("/live", Socket, {params: {_csrf_token: csrfToken}});

I’m having doubts that it can be used without session.

This should only pop-up if you supply a :session key for the connect_info options:

Yepp. If I change

    socket "/live", Phoenix.LiveView.Socket,
      websocket: [connect_info: [session: @session_options]]

to

    socket "/live", Phoenix.LiveView.Socket

Then it works and no cookies are created. Sweet.

Actually, the issue is not solved yet :frowning: In dev I see no cookies, but…

There are 2 problems:

  1. In production there is still a cookie being created. Could not figure out yet, what is causing it.
  2. Tests for live views don’t work anymore. I think they are always trying to load something from the session. It is strange, because in development the live_view works perfectly fine and no cookies are created.

    1) test shows privacy policy (AppWeb.PageLiveTest)
         test/byteflip_web/live/page_live_test.exs:23
         ** (ArgumentError) session not fetched, call fetch_session/2
         code: {:ok, live_view, _disconnected_html} = live(conn, "/")
         stacktrace:
           (plug 1.10.0) lib/plug/conn.ex:1557: Plug.Conn.get_session/1
           (phoenix_live_view 0.12.1) lib/phoenix_live_view/test/live_view_test.ex:343: Phoenix.LiveViewTest.do_connect/7
           test/app_web/live/page_live_test.exs:24: (test)

What is more strange: in production, if I disable cookies in my browser, the page keeps reloading.

Fixed problem 1. It was a stupid mistake on my end: I was untar-ing the release in the wrong folder. Oops :slight_smile:

Additionally, what I did: in app.js I removed the csrf_token thing, and in the layout I also removed the csrf token tag.

Still don’t know what to do with tests.

Tests issue is a bug. Trying to fix it here: https://github.com/phoenixframework/phoenix_live_view/issues/820

4 Likes

And it’s fixed in master. Got the hearts from José himself. Feeling pretty good about myself :smiley:

9 Likes
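
The setup this thread converges on, collected in one place together with a regression test that fails if a cookie comes back. This is an added example, not code posted by anyone in the thread; the module names `AppWeb`, `PageLive` and `LayoutView`, the `:app` OTP name and the file paths are assumptions modelled on a generated Phoenix app.

```elixir
# lib/app_web/endpoint.ex (assumed path)
defmodule AppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :app

  # No `connect_info: [session: ...]`, so the LiveView socket never asks for a session.
  # The client sends no CSRF token either, so keep the endpoint's :check_origin
  # setting enabled in production: it rejects WebSocket connections whose Origin
  # header does not match this host.
  socket "/live", Phoenix.LiveView.Socket

  plug Plug.Static, at: "/", from: :app
  plug Plug.Parsers, parsers: [:urlencoded, :multipart], pass: ["*/*"]
  plug Plug.Head
  # Removed: plug Plug.Session, @session_options  (the plug that writes the cookie)
  plug AppWeb.Router
end

# lib/app_web/router.ex (assumed path)
defmodule AppWeb.Router do
  use AppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    # Removed: plug :fetch_session
    # Removed: plug :fetch_live_flash      (the flash is read from the session)
    # Removed: plug :protect_from_forgery  (the CSRF token is kept in the session)
    plug :put_root_layout, {AppWeb.LayoutView, :root}
    plug :put_secure_browser_headers
  end

  scope "/", AppWeb do
    pipe_through :browser
    live "/", PageLive
  end
end

# test/app_web/no_cookie_test.exs (assumed path)
defmodule AppWeb.NoCookieTest do
  use AppWeb.ConnCase

  test "GET / answers without setting any cookie", %{conn: conn} do
    conn = get(conn, "/")
    assert html_response(conn, 200)
    # Both views of the response must be empty: the cookie map and the raw header.
    assert conn.resp_cookies == %{}
    assert Plug.Conn.get_resp_header(conn, "set-cookie") == []
  end
end
```

The layout must also drop `csrf_meta_tag()` and app.js must create the `LiveSocket` without the `_csrf_token` param, as described in the posts above.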