Using an ETS table to store sessions, how do I prevent the set-cookie header from being sent?

I'm using an ETS table to store sessions. The cookie is not used when accessing the ETS table. How do I prevent the set-cookie header from being sent?

This has no effect:

defmodule Session.RemCookies do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    register_before_send(conn, fn conn ->
      # Remove all Set-Cookie headers from response
      %{conn | resp_headers: Enum.reject(conn.resp_headers, fn {key, _} ->
        String.downcase(key) == "set-cookie"
      end)}
    end)
  end
end
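An added note on why the plug above has no effect (this is not part of the original thread): Plug.Conn only turns conn.resp_cookies into set-cookie response headers after every before_send callback has run, so when the callback above executes there is no set-cookie header in conn.resp_headers to reject yet. The cookie that Plug.Session queues lives in conn.resp_cookies. The variant below drops that entry instead. The cookie key "_my_app_key" and the ETS table name :session are placeholders, and the plug must sit in the pipeline before Plug.Session and fetch_session, because before_send callbacks run last-registered-first and this one has to run after the one Plug.Session registers.

```elixir
defmodule Session.DropSessionCookie do
  @moduledoc """
  Added example, not the thread's code. Stops the Plug.Session cookie from
  being emitted by removing it from conn.resp_cookies in a before_send
  callback. Plug builds the set-cookie headers from resp_cookies after the
  before_send callbacks have run, so filtering resp_headers is too early.

  Place this plug BEFORE `plug Plug.Session` and `fetch_session`: callbacks
  run last-registered-first, so registering ours first makes it run last.
  """
  import Plug.Conn

  # The same `key` you hand to Plug.Session; "_my_app_key" is a placeholder.
  def init(opts), do: Keyword.get(opts, :key, "_my_app_key")

  def call(conn, key) do
    register_before_send(conn, fn conn ->
      # Drop the queued session cookie. delete_resp_cookie/2 would not help:
      # it queues a Set-Cookie with max-age=0 instead of sending nothing.
      %{conn | resp_cookies: Map.delete(conn.resp_cookies, key)}
    end)
  end
end

# Quick check with Plug.Test, inside a project that depends on :plug.
defmodule Session.DropSessionCookieTest do
  use ExUnit.Case, async: true
  use Plug.Test

  test "session is written to ETS but no set-cookie header is sent" do
    :ets.new(:session, [:named_table, :public])
    key = "_my_app_key"

    conn =
      conn(:get, "/")
      |> Session.DropSessionCookie.call(Session.DropSessionCookie.init(key: key))
      |> Plug.Session.call(Plug.Session.init(store: :ets, key: key, table: :session))
      |> fetch_session()
      |> put_session(:user_id, 42)
      |> send_resp(200, "ok")

    assert get_resp_header(conn, "set-cookie") == []
    # The session itself was still persisted by the ETS store.
    assert :ets.info(:session, :size) == 1
  end
end
```

With the order reversed (Plug.Session first, then this plug) the before_send registered here runs before Plug.Session's, and the cookie is emitted as usual.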

Even if you have the session stored in ETS, you still need to store the session key as a cookie. Otherwise, how does your application tell which session to use for incoming request?


Passed as a query param. Like I said, it's not used. It's spec for a reason. Cookie cannot be used.

While what you described might be theoretically possible, I don’t think it is supported by Plug.Session. The relevant code is here:

It looks for a cookie.

I'm not using a cookie because it's a distributed service and uses cross-site access for different elements on the page… the cookie is ignored.

If you are set on your way, I suggest you write your own version of Plug.Session instead of twisting its arm. Plug.Session is only ~100 LOC.

You’d need to pass this query param for every single internal link, and heaven forbid one of your users shares a link.


How would you approach otherwise?

Can you use a different header?

If you have a common host and the services are all subdomains then a wildcard cookie could do the trick and circumvent the problem you mentioned above.

Or use JWT.

I do not understand your constraint, so please take the following with a grain of salt.

You can store a security token in local storage and use it as a sort of API key in a custom header. Two downsides:

  • The initial request will not have this key and will not be customized
  • You really need to make sure all JavaScript you use is trustworthy
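An added example that combines the two suggestions above, writing a small Plug.Session replacement and carrying the token in a custom header (this is neither the thread's code nor Plug.Session's). The client presents its session id in a request header, "x-session-id" here as a placeholder name; session state lives in a public ETS table with a time-to-live; the plug never touches conn.resp_cookies, so no set-cookie header can be produced. The id is 256 random bits from the CSPRNG and only ever travels in headers, which keeps it out of browser history, referrers and shared links, the problem raised earlier in the thread with query params. On the first write the fresh id is echoed back in a response header, which is how a client obtains it without a cookie. The table name, header name and TTL are assumptions.

```elixir
defmodule Session.HeaderSession do
  @moduledoc """
  Added example, not from the thread and not Plug.Session: a minimal
  cookie-free session plug backed by ETS, keyed by an id the client sends
  in a request header. Never writes conn.resp_cookies.
  """
  import Plug.Conn

  @header "x-session-id"     # placeholder header name
  @default_ttl 30 * 60       # seconds; assumption, tune per application

  def init(opts) do
    %{table: Keyword.fetch!(opts, :table), ttl: Keyword.get(opts, :ttl, @default_ttl)}
  end

  # Absent, unknown or expired ids yield an empty session, so the rest of the
  # pipeline treats the caller as anonymous instead of failing.
  def call(conn, %{table: table, ttl: ttl} = config) do
    now = System.system_time(:second)

    {sid, data} =
      with [sid] <- get_req_header(conn, @header),
           [{^sid, data, expires_at}] when expires_at > now <- :ets.lookup(table, sid) do
        # Sliding expiry: extend the lifetime on each successful use.
        :ets.insert(table, {sid, data, now + ttl})
        {sid, data}
      else
        _ -> {nil, %{}}
      end

    put_private(conn, :header_session, %{sid: sid, data: data, config: config})
  end

  def get_session_value(conn, key), do: conn.private.header_session.data[key]

  # Creates the session on first write and returns the id to the client in
  # the response header (the "initial request" downside mentioned above).
  def put_session_value(conn, key, value) do
    %{sid: sid, data: data, config: %{table: table, ttl: ttl}} = conn.private.header_session
    sid = sid || new_sid()
    data = Map.put(data, key, value)
    :ets.insert(table, {sid, data, System.system_time(:second) + ttl})

    conn
    |> put_private(:header_session, %{conn.private.header_session | sid: sid, data: data})
    |> put_resp_header(@header, sid)
  end

  # Server-side invalidation (logout): the id stops resolving immediately.
  def drop_session(conn) do
    %{sid: sid, config: %{table: table}} = conn.private.header_session
    if sid, do: :ets.delete(table, sid)
    put_private(conn, :header_session, %{conn.private.header_session | sid: nil, data: %{}})
  end

  # 256 bits from the CSPRNG, URL-safe base64 so it survives header transport.
  defp new_sid, do: :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
end

# Quick check with Plug.Test, inside a project that depends on :plug.
defmodule Session.HeaderSessionTest do
  use ExUnit.Case, async: true
  use Plug.Test
  alias Session.HeaderSession

  setup do
    table = :ets.new(:header_sessions, [:set, :public])
    {:ok, opts: HeaderSession.init(table: table, ttl: 60)}
  end

  test "round-trips through the header and never sets a cookie", %{opts: opts} do
    first =
      conn(:get, "/")
      |> HeaderSession.call(opts)
      |> HeaderSession.put_session_value(:user_id, 42)
      |> send_resp(200, "ok")

    assert get_resp_header(first, "set-cookie") == []
    [sid] = get_resp_header(first, "x-session-id")

    second = conn(:get, "/") |> put_req_header("x-session-id", sid) |> HeaderSession.call(opts)
    assert HeaderSession.get_session_value(second, :user_id) == 42

    forged = conn(:get, "/") |> put_req_header("x-session-id", "not-a-real-id") |> HeaderSession.call(opts)
    assert HeaderSession.get_session_value(forged, :user_id) == nil

    dropped = HeaderSession.drop_session(second)
    after_drop = conn(:get, "/") |> put_req_header("x-session-id", sid) |> HeaderSession.call(opts)
    assert HeaderSession.get_session_value(dropped, :user_id) == nil
    assert HeaderSession.get_session_value(after_drop, :user_id) == nil
  end
end
```

Because the id is a bearer token, the second downside listed above applies in full: any script that can read the client's storage can read the id, so the table owner should expire entries promptly and log out by deleting them rather than relying on the client to forget the value.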