Why do we need session cookies?

Pollux

I hope it's not a rather stupid question.

In my understanding, a session cookie is necessary to store information that persists between HTTP requests, as HTTP itself is a stateless protocol. In the case of an SPA (single-page application) however, we don't switch between separate pages, so preserving information between pages is already baked into the SPA principle.

So why do we need session cookies?

I would like to state in my privacy protection page that cookies aren't stored at all. The only necessity to use cookies, which would be easy to explain to users, is the preservation of the logged-in state beyond the browser session. But this would be due to an explicit action (clicking the checkbox in the login modal window).

luceos

Pollux we are storing a client session cookie with the user token. If we wouldn't do that you'd need to log in every, single time ?

Pollux

luceos If we wouldn't do that you'd need to log in every, single time ?

I understand what a session cookie does. But what do you mean with "every single time". In the case of a page reload I would understand the need to log in again, in the case of just moving between index view, tag views and discussions without hitting Ctrl R, why would we loose the user token? Why is it not stored within the SPA?

And why do we need a user token if a visitor is not logged in?

luceos

We don't need a token for guests, we need them for users.
We don't need to store the token in a cookie just to browse between pages while within the SPA, the token is saved inside the SPA.
However when we refresh the page or open the tab; the html is rebuild and so the data contained inside the SPA is not available. Using a cookie allows us to retrieve the token from session without the need to log in.

Pollux

luceos We don't need a token for guests, we need them for users.

Great. But at the moment a flarum_session cookies is created for guests as well. Would it be feasable to create a session cookie only once a user logs in? Or is there any functionality of the session cookies that is needed for guests as well?

We don't need to store the token in a cookie just to browse between pages while within the SPA, the token is saved inside the SPA.
However when we refresh the page or open the tab; the html is rebuild and so the data contained inside the SPA is not available. Using a cookie allows us to retrieve the token from session without the need to log in.

Thanks, that's how I understood it.

That's a benefit that can be easily explained to registered users, and if they stubbornly don't like cookies they'd have to live with the side effects (having to log in every time they refresh the page or open a new tab). Right now however, it's not possible to log in with cookies disabled so they don't have the freedom to choose between the two options.

luceos

Pollux But at the moment a flarum_session cookies is created for guests as well.

Then I might be wrong in what I explained ? Maybe someone else can supplement to this discussion.

arajdon

It's just a guess, but you might need cookies for the welcome message you can click away.

Pollux

arajdon It's just a guess, but you might need cookies for the welcome message you can click away.

I just tested it: Deleting the flarum_session cookie doesn't bring back the hidden welcome message. The state of the welcome message however is stored via HTML5 Web Storage, a field named welcomeHidden.

clarkwinkelmann

Based on my experience with core I don't think Flarum requires cookies for guests.

Yet it's the easiest solution code-wise. The session cookie and storage is built with Symfony's session manager. If you want to check if the user is logged in, you have to boot the session manager, which will create the cookie if it doesn't exist.

You could probably only check for cookies and not create one until you actually login, but I'm afraid you might have to rewrite a lot of the code that manages the whole session ?

Not having a session available all the time could make building some kind of extensions harder if they have to ask for the session to boot and might result in some hacks building around the official session manager...

For example cookies can be useful for bot detection / rate limiting / analytics even if you're not logged in (so you're not asked to fill a captcha every single click for example). But I don't know if any extension uses that kind of feature right now.

Pollux

clarkwinkelmann You could probably only check for cookies and not create one until you actually login, but I'm afraid you might have to rewrite a lot of the code that manages the whole session ?

I did some more research.

It's indeed the behaviour of Symfony's session manager to always create a session cookie even if it only has to check it? Attempts to change the default behaviour of Symphony's session manager seem unsuccessful so far:

https://github.com/symfony/symfony/pull/6388
https://github.com/symfony/symfony/issues/6917

If you don't want to create a session for anonymous users, you have to check for a previous session yourself:

https://symfony.com/doc/current/session/avoid_session_start.html

Even if the user is not logged in and even if you haven't created any flash messages, just calling the get() (or even has()) method of the flashBag will start a session. This may hurt your application performance because all users will receive a session cookie. To avoid this behavior, add a check before trying to access the flash messages:
{% if app.request.hasPreviousSession %}
    {% for message in app.flashes('notice') %}
        <div class="flash-notice">
            {{ message }}
        </div>
    {% endfor %}
{% endif %}

Maybe it's not that complicated and could be done at Flarum. If Flarum has its own methods to get and set session data, there should be a single point where a fix would be needed.

clarkwinkelmann Not having a session available all the time could make building some kind of extensions harder if they have to ask for the session to boot and might result in some hacks building around the official session manager...

If Flarum doesn't guarantee the existence of a session, nobody will be able to rely on that. If there's no extension yet depending on a session for anonymous visitors, maybe we should take advantage of the situation. ? And if an extension will need a session for anonymous visitors in the future it will have to create it itself.

Do you think I should open an issue at github?

luceos

Where did we diverge from session handling in a spa to session handling in our backend 🤫

clarkwinkelmann

luceos because the cookies could be removed and the code responsible for those is server side ?

By the way your emoji isn't showing up on my system ?

Pollux

I decided to move my answer here A) because it fits here and B) not to distract from @Sanguine's topic.

[deleted] You'd have to store a cookie in the users browser to remember their choices - which sends kinda counter productive given they don't want cookies in the first place 🤔but that's easily worked around by telling them that it's an essential cookie for the site to function correctly.

That's not an easy workaround, it's an intelligence insulting stupidity. I used to block cookies in general and allow them only in cases where I understood why they were needed. Now I have to accept cookies solely to not get pestered by banners repeatedly asking me wether I mind to have cookies stored on my computer. And this in the name of protection of users privacy. I don't get it.

Pollux

[deleted] but that's easily worked around by telling them that it's an essential cookie for the site to function correctly.

That's not an easy workaround, it's an intelligence insulting stupidity. BTW: Flarum's functionalities don't need cookies for visitors.

But let's not get distracted from this discussion's topic and move on with that aspect here: Pollux

[deleted]

@Pollux Flarum's functionalities don't need cookies for visitors.

It's more than just Flarum. You may have extensions like recaptcha and social login for example that will include cookies. If you host your site through cloudflare, that will also include a cookie. You have no real way of remembering the user's cookie preferences unless you store it locally in their browser.

Pollux

[deleted] You have no real way of remembering the user's cookie preferences unless you store it locally in their browser.

Except that I don't use either recaptchas nor cloudflare and we are talking about not registered visitors. Once they register on your site you have a legit reason to remember their settings (in case they want that).