Stefan Ashwell
Originally published at codingwithstef.com

No cookies please: How to stop Laravel setting default cookies

This post includes affiliate links; I may receive compensation if you purchase products or services from links provided in this article.

We've all seen them a million times and they annoy us way more than they solve a problem.

Cookie consent banners have become so common these days that half the time I just click the button to get rid of them without a second thought.

When I started my website I set out with a clear set of goals in mind - simple, quick and informative. One thing that doesn't fit in with those ideals is a horrible cookie banner. So I looked for a solution.

When do you need a cookie banner?

As far as I understand it (and I'm no legal expert!) you need a cookie consent banner when you store information in cookies or via other methods (such as local storage) and they are not required in order for the site to function.

You don't need to have one when you only use cookies in order for the site to function correctly - such as to remember a user is logged in.

So what did I decide?

My site is intentionally simple.

Even though it's built in Laravel, it's essentially a static site.

There are no logins or other bells and whistles.

Therefore I decided there was no reason to store cookies at all - removing the requirement to have a cookie consent banner. Simple.

Stop Laravel setting cookies

Even if you're not using any features that require cookies, Laravel sets two by default: a laravel_session cookie and an XSRF-TOKEN cookie.

I don't need the session cookie because I'm not using sessions for anything on the site.

There are also no forms on the website, so the xsrf token is not required either.

To stop Laravel creating these cookies, I first commented out the following lines in app/Http/Kernel.php:

'web' => [
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    //\Illuminate\Session\Middleware\StartSession::class,
    // \Illuminate\Session\Middleware\AuthenticateSession::class,
    //\Illuminate\View\Middleware\ShareErrorsFromSession::class,
    //\App\Http\Middleware\VerifyCsrfToken::class,
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],

Then, I set the session driver to array in my .env file:

SESSION_DRIVER=array

As simple as that.
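
A regression check for the two changes above, as an added example that is not from the original post: a Laravel feature test that requests each listed page and fails if the response sets any cookie. The path list, the class name and the use of the stock Tests\TestCase base class are assumptions.

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;

class NoCookiesTest extends TestCase
{
    /**
     * Paths to check. Assumed for illustration; list your own public routes.
     */
    private const PATHS = ['/'];

    public function test_public_pages_set_no_cookies(): void
    {
        foreach (self::PATHS as $path) {
            $response = $this->get($path);
            $response->assertOk();

            // Named checks first, so a failure says which default cookie came back.
            // The session cookie name derives from APP_NAME; laravel_session is the default.
            $response->assertCookieMissing('laravel_session');
            $response->assertCookieMissing('XSRF-TOKEN');

            // Then the general rule: no Set-Cookie header of any kind,
            // which also catches a renamed session cookie or one queued elsewhere.
            $names = array_map(
                fn ($cookie) => $cookie->getName(),
                $response->headers->getCookies()
            );
            $this->assertSame([], $names, "Cookies set on {$path}: " . implode(', ', $names));
        }
    }
}
```

Run it with `vendor/bin/phpunit --filter NoCookiesTest`. It only sees cookies set by the server in the HTTP response, not cookies written by JavaScript in the browser.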

What about stats?

The usual culprits for storing cookies that aren't required for a site to function are those set by a stats service such as Google Analytics.

Obviously I want to see how my site's performing, how visitors find the site, see which posts are popular and what type of content goes down well with visitors.

That shouldn't mean my site has to set intrusive cookies.

And so I looked around for an alternative and found Fathom.

Fathom take privacy very seriously, and their stats service doesn't store any cookies at all. It tracks visitors anonymously so I can see a simple set of stats about my site - visitors, referrals, bounce rate, time on site, country etc.

This means everyone can be happy - no cookie banner, no intrusive cookies. It even respects visitors who have opted out of tracking services.

Thanks for reading, hopefully you found this article useful. If you want to chat about anything in this article or about anything to do with code, leave me a comment below or you can find me on Twitter @CodingWithStef.

Top comments (2)

Nicolas Bailly

I would argue that if you don't need sessions or forms, you probably don't need Laravel to begin with ;-)

Still it's good to know.

Stefan Ashwell

Yes that's true you could say that, however I built the site in Laravel for 2 reasons - 1: it's what I use day-to-day so the quickest way for me to build it, and 2: the foundations are there if I ever wanted to add extra features that require forms or sessions (which, ultimately would require me to review the cookies situation, but the option is there if I ever need it)