cookies, flask, flask-login

How to get permission for cookies from user in Flask


I have a website built with Flask and Flask-Login, so I know it generates cookies at some point. But my question is more basic than this.

Does a Flask application always, and immediately, generate cookies?

If not, are there any tools that allow me to identify which part of my application generates cookies, and at which point? For example, is it possible to monitor this in Chrome DevTools while operating the website?

The context for this question is GDPR compliance, and specifically trying to request permission at the start (without initially creating a cookie!) and then, when the user clicks accept, having a process that means that user (anonymous or otherwise) won't see that permission request banner again (until local browser cache clearing).


Solution

  • For what it's worth, I did this:

    1. Mandate a banner on any page (base.html):
        {% if cookies_check() %}
                {# then user has already consented so no requirement for consent banner #}
        {% else %}
                {# show a cookie consent banner #}
                <div id="cookie-consent-container">
                    <button id="cookie-consent">I Consent</button>
                </div>
                <script>
                    var fn = function () {
                        // path=/ makes the cookie visible on every route, not only the current path;
                        // max-age (one year here, adjust as needed) keeps it after the browser closes.
                        document.cookie = "cookie_consent=true; path=/; max-age=31536000; SameSite=Lax";
                        document.getElementById('cookie-consent-container').hidden = true;
                    };
                    document.getElementById('cookie-consent').onclick = fn;
                </script>
        {% endif %}
    
    2. Inject the function into Jinja2 to check the cookies:
        from flask import request  # `app` is the existing Flask application object

        @app.context_processor
        def inject_template_scope():
            injections = dict()

            def cookies_check():
                # True only when the banner script has set cookie_consent=true
                value = request.cookies.get('cookie_consent')
                return value == 'true'
            injections.update(cookies_check=cookies_check)

            return injections
    

    I also used the dev console to detect existing cookies by exploring document.cookie. It seemed the only cookies initially generated were Google Analytics.
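
For the two server-side parts of the question (finding out which responses set cookies, and sending none before consent), here is an added example that is not part of the original answer: a WSGI middleware that logs every `Set-Cookie` header and withholds non-essential ones until the request carries `cookie_consent=true`. The names `ConsentGate`, `demo_app`, `cookies_received` and the `ESSENTIAL` exemption set are assumptions made for illustration, and the demo app is a constructed stand-in for a Flask application.

```python
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"  # name set by the banner script in the answer
ESSENTIAL = {"session"}            # assumption: cookies you treat as exempt


class ConsentGate:
    """WSGI middleware: log every Set-Cookie header and withhold
    non-essential ones until the request carries cookie_consent=true."""

    def __init__(self, wsgi_app, essential=ESSENTIAL):
        self.wsgi_app = wsgi_app
        self.essential = set(essential)
        self.audit = []  # (request path, cookie name, "sent" or "withheld")

    def __call__(self, environ, start_response):
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        consented = CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value == "true"
        path = environ.get("PATH_INFO", "")

        def gated_start(status, headers, exc_info=None):
            kept = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    cookie = value.split("=", 1)[0].strip()
                    allowed = consented or cookie in self.essential
                    self.audit.append((path, cookie, "sent" if allowed else "withheld"))
                    if not allowed:
                        continue  # drop the header: nothing is stored client-side
                kept.append((name, value))
            return start_response(status, kept, exc_info)

        return self.wsgi_app(environ, gated_start)


def demo_app(environ, start_response):
    # Constructed stand-in for a Flask app that sets two cookies per response.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc; HttpOnly; Path=/"),
                              ("Set-Cookie", "tracking_id=42; Path=/")])
    return [b"ok"]


def cookies_received(cookie_header):
    """Send one request through the gate; return (cookie names sent, audit log)."""
    got, gate = [], ConsentGate(demo_app)
    gate({"PATH_INFO": "/", "HTTP_COOKIE": cookie_header},
         lambda status, headers, exc_info=None: got.extend(headers))
    names = [v.split("=", 1)[0] for n, v in got if n.lower() == "set-cookie"]
    return names, gate.audit
```

With Flask, the gate is installed with `app.wsgi_app = ConsentGate(app.wsgi_app)`. Cookies written by client-side scripts, such as the Google Analytics ones mentioned above, never pass through the server and are not affected by it.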