tags: rails
Originally Published: 2021-08-29

For PodQueue, I wanted to be able to respect users’ privacy by only setting a first-party cookie when we absolutely had to. As it turns out, this can be a little confusing in Rails, since by default Rails wants to store the session as a first-party cookie on every response. It also uses this session data for things like CSRF protection on form submission, and for storing/displaying flash notifications, so if you want to do either of those things without cookies you’ll probably need to do a little more work.

For my purposes, it was sufficient to disable the session cookie unless you are going to a page with Devise (e.g. to sign up or log in, which will require a non-tracking cookie for CSRF protection) or are already signed in. I was able to accomplish this with the following lambda function in the app’s ApplicationController (app/controllers/application_controller.rb):

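after_action lambda {
  # Expire any leftover session cookie for visitors who are not signed in
  cookies.delete(Rails.application.config.session_options[:key]) unless user_signed_in?
  # Skip writing the session cookie unless signed in or on a Devise page
  request.session_options[:skip] = !(user_signed_in? || devise_controller?)
}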

Thanks to a suggestion from Goulven Champenois, this also deletes any leftover session cookie for logged-out users, fixing a possible issue with flash messages getting “stuck” displaying with the session cookie after signing out.

You could also easily exempt other controllers as necessary, but this is an excellent way to both respect privacy and not have to display an annoying GDPR cookie notification!
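
To check that the hook above behaves as described, the `Set-Cookie` headers of captured responses can be audited. This is an added example, not code from PodQueue: the cookie name `_app_session`, the paths and the sample headers are constructed, and the helper names are hypothetical.

```ruby
require "time"

# Assumed cookie name (constructed); a real app's is
# Rails.application.config.session_options[:key].
SESSION_KEY = "_app_session"

# Returns :absent, :set, or :deleted (Max-Age <= 0 or Expires in the past).
def session_cookie_action(set_cookie_lines, key: SESSION_KEY, now: Time.now)
  action = :absent
  Array(set_cookie_lines).each do |line|
    pair, *attrs = line.split(";").map(&:strip).reject(&:empty?)
    next if pair.nil?
    name, _value = pair.split("=", 2)
    next unless name == key
    attrs = attrs.to_h { |a| k, v = a.split("=", 2); [k.downcase, v] }
    expired = attrs["max-age"].to_s.match?(/\A-?\d+\z/) && attrs["max-age"].to_i <= 0
    if !expired && attrs["expires"]
      expires_at = Time.httpdate(attrs["expires"]) rescue nil
      expired = !expires_at.nil? && expires_at <= now
    end
    action = expired ? :deleted : :set # a later header for the same name wins
  end
  action
end

# Paths where an anonymous visitor on a non-Devise page still received a session cookie.
def anonymous_session_cookie_paths(responses)
  responses.reject { |r| r[:signed_in] || r[:devise] }
           .select { |r| session_cookie_action(r[:set_cookie]) == :set }
           .map { |r| r[:path] }
end

# Constructed sample responses (not captured from a real site).
LIVE = "_app_session=abc123; path=/; HttpOnly; SameSite=Lax"
GONE = "_app_session=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT"
SAMPLE_RESPONSES = [
  { path: "/",              signed_in: false, devise: false, set_cookie: [] },
  { path: "/users/sign_in", signed_in: false, devise: true,  set_cookie: [LIVE] },
  { path: "/queue",         signed_in: true,  devise: false, set_cookie: [LIVE] },
  { path: "/about",         signed_in: false, devise: false, set_cookie: [GONE] },
  { path: "/pricing",       signed_in: false, devise: false, set_cookie: [LIVE] } # hook missing
]

puts anonymous_session_cookie_paths(SAMPLE_RESPONSES).inspect
```

A non-empty result lists pages that still hand a session cookie to logged-out visitors, for example a controller that does not inherit the hook.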