Open Kifsif opened 4 years ago
1) read csrftoken cookie

This cookie is set by Django itself for form CSRF protection. In order to save push subscription info (endpoint, keys), the UA posts it to the server. And the Django view that writes subscription info to the database checks csrftoken to protect itself from cross-site request forgery. https://docs.djangoproject.com/en/3.1/ref/csrf/#ajax

2) read/write push_dnd cookie

With django-infopush enabled you will have the yourdomain/push/on-off/ URL, where any subscriber can opt out from receiving pushes. This URL also sets the 'push do not disturb' cookie for 1 year, so it will not bother this user with the push subscribe window any more. If you wipe this cookie somehow, unsubscribed users will keep receiving the 'subscribe to push' browser notification.

3) read/write push_hash cookie

This cookie stores a hash of a client's push subscription (endpoint, key, auth_secret, timezone), so you can send it to the backend only if it has changed. If you wipe this cookie somehow, any client that allowed push will, on any page load, also do 1 additional AJAX POST request to your backend to save the push subscription. Everything must be working fine, but this almost doubles requests to the backend.
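The way the three cookies described above interact on a page load, as an added example that is not django-infopush's own code and not part of the original comment. The function names, the FNV-1a fingerprint, the cookie attributes and the choice to skip when push_dnd is present are assumptions; only the cookie names, the hashed fields and Django's `X-CSRFToken` header come from the comment and the linked Django documentation.

```javascript
// Added example: hypothetical helpers, not taken from django-infopush.
function safeDecode(v) {
  try { return decodeURIComponent(v); } catch (e) { return v; }
}

// Parse a document.cookie style string into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip empty or malformed pairs
    out[part.slice(0, eq).trim()] = safeDecode(part.slice(eq + 1).trim());
  }
  return out;
}

// FNV-1a style fingerprint over UTF-16 code units. It is used for change
// detection only, not as a security primitive. Assumption: the hash the
// library actually uses is not stated on the page.
function fingerprint(sub) {
  const text = [sub.endpoint, sub.key, sub.auth_secret, sub.timezone].join('\n');
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Decide what a page load should do with the current push subscription.
function planSync(cookieString, sub) {
  const cookies = parseCookies(cookieString);
  // Assumption: an opted-out visitor is neither prompted nor re-saved.
  if (cookies.push_dnd) return { action: 'skip', reason: 'push_dnd set' };
  const hash = fingerprint(sub);
  // Unchanged subscription: no extra POST to the backend.
  if (cookies.push_hash === hash) return { action: 'skip', reason: 'unchanged' };
  // Without the token the CSRF-protected Django view would reject the POST.
  if (!cookies.csrftoken) return { action: 'error', reason: 'no csrftoken' };
  return {
    action: 'post',
    headers: { 'X-CSRFToken': cookies.csrftoken, 'Content-Type': 'application/json' },
    body: JSON.stringify(sub),
    setCookie: 'push_hash=' + hash + '; Path=/; SameSite=Lax', // constructed attributes
  };
}
```

Wiping push_hash sends every page load of a subscribed client down the `post` branch, which is the extra backend request the comment describes.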
The app uses cookies. Cookies are not cached.
For example, we have a perfectly static page. And we use django_infopush. If I'm not mistaken, two cookies are set: push_hash and csrftoken.
Could you clarify in the documentation everything about cookies? This is very important for many reasons, the main of which are:
Could you stipulate: