Using LiveView without session and cookie (sometimes)

Phoenix Forum Questions / Help
, , ,
1

A new project has a requirement that browsing content and searching while not logged in involves zero cookies. When the same pages are viewed while logged in (with the app’s session cookie present), users should be able to post comments after authorisation.

I’d like to use LiveView for some pages/sections of pages, but I’m not sure if that’s going to be possible in a secure way given the above requirement.

So far, I’ve created a simple Plug to drop the Conn session if the current_user assign is not present, which I’ll apply to public-facing routes aside from the login page. I haven’t yet added user authentication, but I believe this will do what I need for dead views: preserving the session when a user is logged in (allowing for access to the user token and CSRF protection), and dropping the session when no user is logged in (no session cookie).

defmodule MyAppWeb.Session do
  import Plug.Conn

  def remove_session_if_no_user(conn, _opts) do
    unless conn.assigns[:current_user] do
      conn
      |> clear_session()
      |> configure_session([drop: true])
    else
      conn
    end
  end
end

defmodule MyAppWeb do
  # ...

  def router do
    quote do
      #...

      import MyAppWeb.Session
    end
  end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :potentially_cookieless do
    plug :remove_session_if_no_user
  end

Session options are removed from the socket mount config:

defmodule MyAppWeb.Endpoint do
  # ...

  # socket "/live", Phoenix.LiveView.Socket,
  #   websocket: [connect_info: [session: @session_options]],
  #   longpoll: [connect_info: [session: @session_options]]
  socket "/live", Phoenix.LiveView.Socket

No session cookie is set in the browser, and LiveView works. :+1:

However, when I later come to providing for logged-in user commenting, if doing so via LiveView I should use the user token from the session on LiveView mount, as shown here, which would require the session options to be present in the Endpoint socket mount config.

When the session options are present in the Endpoint socket mount config, and there is no session because there is no user thanks to my plug, the LiveView dies with a debug message containing the six steps to configure the session.

Can LiveView somehow be configured to be able to both pick up on the session when it’s there and to survive when it’s not?

For example, two socket mount configurations, with/without the connect_info session options?

Some resources I’ve read:

Phoenix and LiveView without cookies - Byteflip

Cookieless / Sessionless Phoenix and LiveView

Thanks.

1 Like
2

You would need to use distinct sockets for authenticated and unauthenticated usecases and update the js to connect to the correct one accordingly.

Though I‘d wonder what this „no cookie“ requirement is about given basically all legal requirements around cookies exclude session cookies from being a problem.

3 Likes
3

Great - many thanks. I have the basics of that working now, and am picking one of the two socket mount paths based on the presence or not of a data-attr in the HTML, which is dependent on the @current_user assign. Does that seem like a reasonable approach to you? (I think that if someone forces their browser to connect to the auth-in-progress-or-authed/session socket rather than the no-auth/no-session socket, they’d still need a valid user token at LV mounting to do anything.)

I think I just need to make sure that a full page load occurs after login so that the new JavaScript-set socket mount path is then used, which shouldn’t be a problem.

Yes, the no-cookie requirement is more of a marketing point the client is keen to be able to make rather than being due to legal requirements.