Cookies and sessions in GOV.UK frontend apps
GOV.UK frontend applications, with the exception of Licensing, do not currently require cookies.
This means any feature in a frontend application that relies on sessions or cookies will not work.
By default Rails enforces CSRF protection by adding a hidden authenticity_token field to forms. This is verified by Rails on the subsequent POST. In order to verify the authenticity_token, Rails needs to set and access a session cookie. Because we strip cookies, verifying the CSRF authenticity_token causes an error and displays a Rails-based "The change you wanted was rejected" error page.
If your frontend application does not need CSRF protection, you can disable it on a per-application or per-method basis. Per-method is preferred because it exposes the smallest unit of risk from a security perspective. To disable CSRF protection, add an exception to your controller:
protect_from_forgery except: [:a_method_or_two]
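To make concrete why stripping cookies breaks the check described above, here is an added Ruby model of Rails' masked authenticity token. It is constructed for this page, not Rails' or GOV.UK's own code; the token length, helper names and the Hash standing in for the session are assumptions. The same form token verifies when the session cookie comes back with the POST and fails when the session arrives empty.

```ruby
require "securerandom"
require "base64"
require "digest"

# Constructed model of Rails' masked CSRF tokens, not Rails' own code. The real
# token lives in the session cookie; the form carries a masked copy of it.
TOKEN_LENGTH = 32

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# The raw token is created in the session on first use.
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# Hidden authenticity_token field: one-time pad + (pad XOR real token).
def masked_authenticity_token(session)
  raw = real_csrf_token(session)
  pad = SecureRandom.random_bytes(raw.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

def unmask_token(masked)
  bytes = Base64.strict_decode64(masked)
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  xor_bytes(bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH])
end

# POST-time check. With no session cookie there is nothing to compare against.
# Hashing both sides before == keeps the comparison fixed-length and timing-safe.
def valid_authenticity_token?(session, form_token)
  return false unless session.key?(:_csrf_token) && form_token.is_a?(String)
  candidate = unmask_token(form_token)
  return false if candidate.nil?
  Digest::SHA256.digest(candidate) == Digest::SHA256.digest(real_csrf_token(session))
rescue ArgumentError # form value was not valid base64
  false
end

# GET renders the form and sets the session cookie; POST sends both back.
def post_with_session_cookie
  session = {}
  valid_authenticity_token?(session, masked_authenticity_token(session))
end

# Varnish strips cookies, so the POST arrives with an empty session.
def post_with_cookies_stripped
  valid_authenticity_token?({}, masked_authenticity_token({}))
end
```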
Enabling cookies and sessions
This is as yet untested on new applications - it looks like this is what Licensing is doing, so replicating the setup should work for your application. The Email Team will be testing this early 2018.
Fastly's documentation notes that you should set your Cache-Control header to private if you want to ensure Fastly does not cache the resource (note that directives such as no-store apparently are not respected by Fastly). You will also need to update the Varnish configuration to allow cookies for your application for both inbound and outbound requests.