Session cookie (_wdtk_cookie_session) behaviour is strange

[laurentS]

Hello,

The cookie _wdtk_cookie_session is set when a user logs in, or when they dismiss an announcement banner.

If there is no banner, or if is it not dismissed, then it is possible to navigate the site with no cookie being set at all.

However, if I log in, then log out, the session cookie remains. Given that it's a session cookie, I would have expected it to be removed entirely.

The second behaviour I do not understand is that the value of that cookie changes on each page load, is this expected? Is there some changing information stored in it?

(we are doing a bit of GDPR compliance work, in case you wonder why I'm looking into this :wink: )

[garethrees]

This isn't something we've looked at for a long time, so your investigation is probably going to be as good as mine!

However, if I log in, then log out, the session cookie remains. Given that it's a session cookie, I would have expected it to be removed entirely.

Looks like we only clear the data on log out. Not sure on the history of this off-hand https://github.com/mysociety/alaveteli/blob/0.42.0.0/app/controllers/application_controller.rb#L158-L170

The second behaviour I do not understand is that the value of that cookie changes on each page load, is this expected? Is there some changing information stored in it?

I've had a quick scan and can't see anything obvious – could be something Rails is doing under the hood.

[garethrees]

I would have expected it to be removed entirely.

We do have https://github.com/mysociety/alaveteli/blob/0.42.0.0/lib/strip_empty_sessions.rb – so perhaps that's stopped working with more recent updates (or it's not actually empty as per the second point).

[laurentS]

Thanks for your feedback Gareth. I'll take a closer look if the lawyer asks me to do so.