winter_session cookie purpose? #144

0hra · 2021-05-01T23:10:07Z

0hra
May 1, 2021

I'm having a hard time figuring out what the purpose of the winter_session cookie is?

I want to disable it for frontend visitors if it's not essential to the core functionality of winterCMS. How can I do that exactly?

If it's not possible to disable without breaking stuff, I need to be able to describe its purpose in my privacy policy.

Answered by LukeTowers

May 2, 2021

@rwhol This cookie is used to maintain the user's session data, see https://wintercms.com/docs/services/session. It's important for a number of reasons (persisting logins across page requests, preventing CSRF attacks through the CSRF hidden input value attached to the session, flash messages, redirecting users to the correct page after logging in, and anything else that your site needs to persist about a user between individual requests. If you absolutely want to disable it, you can do so by setting the driver option in config/session.php to array; but I wouldn't recommend it as it would break all of the before mentioned use cases. You can also explore the option of dynamically changing t…

View full answer

LukeTowers · 2021-05-02T02:31:14Z

LukeTowers
May 2, 2021
Maintainer

@rwhol This cookie is used to maintain the user's session data, see https://wintercms.com/docs/services/session. It's important for a number of reasons (persisting logins across page requests, preventing CSRF attacks through the CSRF hidden input value attached to the session, flash messages, redirecting users to the correct page after logging in, and anything else that your site needs to persist about a user between individual requests. If you absolutely want to disable it, you can do so by setting the driver option in config/session.php to array; but I wouldn't recommend it as it would break all of the before mentioned use cases. You can also explore the option of dynamically changing that value through Config::set('session.driver', 'array') in custom middleware that you set to only run on the frontend, but I still wouldn't recommend that unless your site is 100% static content and does not accept input from the user in any way.

2 replies

0hra May 2, 2021
Author

@LukeTowers Thanks for the in-depth reply.

There is no user login available in the frontend and I don't use sessions on this website, but the frontend does accept user input through simple search functionality. The user input from the search is processed via the javascript API.

Is the cookie still recommended/necessary in this case?

bennothommo May 2, 2021
Maintainer

@rwhol It would be recommended if you wish to take advantage of CSRF checks or persisting anything - such as previous search queries or even just the last search query. However, if you are handling these yourself, then you won't need the cookie.

Myjestic · 2021-06-08T12:49:47Z

Myjestic
Jun 8, 2021

Hi, does this mean, that if I block my cookies completley, the User Login will not work?

1 reply

bennothommo Jun 8, 2021
Maintainer

Yes, authentication won't work without cookies enabled.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Winter CMS

winter_session cookie purpose? #144

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Winter CMS

winter_session cookie purpose? #144

0hra May 1, 2021

Replies: 2 comments · 3 replies

LukeTowers May 2, 2021 Maintainer

0hra May 2, 2021 Author

bennothommo May 2, 2021 Maintainer

Myjestic Jun 8, 2021

bennothommo Jun 8, 2021 Maintainer

0hra
May 1, 2021

Replies: 2 comments 3 replies

LukeTowers
May 2, 2021
Maintainer

0hra May 2, 2021
Author

bennothommo May 2, 2021
Maintainer

Myjestic
Jun 8, 2021

bennothommo Jun 8, 2021
Maintainer