by lloeki 892 days ago
Session cookies are often encrypted by frameworks using a server side secret.

This allows storing data such as the CSRF token value to check against the one in the hidden form element or X-CSRF-Token without inserting in a DB every time someone loads up a form.

That's how e.g. Rails does it by default:

https://guides.rubyonrails.org/security.html#cross-site-requ...

https://api.rubyonrails.org/classes/ActionController/Request...

Note that to prevent session fixation, the session ought to be reset on a successful login (and logout), so it would require additional code to perform tracking across a successful login.

https://guides.rubyonrails.org/security.html#session-fixatio...

Session cookies are also used for Rails flash messages, commonly used to display errors in forms (including login forms), which often do HTTP redirects to GET routes in their non-GET controller actions.

https://api.rubyonrails.org/classes/ActionDispatch/Flash.htm...

https://api.rubyonrails.org/classes/ActionDispatch/Flash/Req...

https://stackoverflow.com/questions/24877244/rails-is-the-fl...

The underlying subtext is that these session cookies can be a necessity of securing the provided service, and thus can fall under valid "strictly necessary" usage, as long as they are not abused for tracking (by default nothing in the session cookie is stored or logged anywhere).
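The mechanism described in this comment (a session hash encrypted with a server-side secret, a CSRF token kept inside it and checked against the submitted form value, and the session being reset on login), as an added stand-alone illustration that is not part of the original comment and not Rails' own CookieStore code. The class and method names, the PBKDF2 salt, the secret string and the cookie layout (base64url of IV, ciphertext and GCM tag joined by dots) are all assumptions made for this example; it uses only the Ruby standard library.

```ruby
require 'openssl'
require 'json'
require 'securerandom'
require 'base64'

# Constructed illustration of an encrypted cookie session store: the browser
# holds only ciphertext, the server holds the secret. Not Rails' own
# CookieStore; class and method names here are assumptions for the example.
class EncryptedSessionStore
  CIPHER = 'aes-256-gcm'

  def initialize(secret)
    # Derive a 32-byte key from the server-side secret (salt value is hypothetical).
    @key = OpenSSL::PKCS5.pbkdf2_hmac(secret, 'session-cookie-salt', 1000, 32, 'sha256')
  end

  # Serialize the session hash into a cookie value: base64url(iv).base64url(ct).base64url(tag)
  def dump(session)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    [iv, ciphertext, cipher.auth_tag].map { |b| Base64.urlsafe_encode64(b, padding: false) }.join('.')
  end

  # Decrypt a cookie value back into a session hash. A tampered, truncated or
  # foreign cookie fails the GCM tag check and yields an empty session.
  def load(cookie)
    parts = cookie.to_s.split('.', 3)
    return {} unless parts.length == 3
    iv, ciphertext, tag = parts.map { |p| Base64.urlsafe_decode64(p) }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError, JSON::ParserError
    {}
  end
end

# Issue a per-session CSRF token and keep it in the encrypted session, so the
# hidden form field / X-CSRF-Token header can be checked without a DB write.
def issue_csrf_token(session)
  session['csrf_token'] ||= SecureRandom.urlsafe_base64(32)
end

# Compare the submitted token with the session's token in constant time.
def valid_csrf_token?(session, submitted)
  expected = session['csrf_token']
  return false if expected.nil? || submitted.nil? || expected.bytesize != submitted.bytesize
  expected.bytes.zip(submitted.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# On successful login, start a fresh session (session fixation defence):
# nothing from the pre-login session survives unless you copy it over explicitly.
def login!(user_id)
  fresh = { 'user_id' => user_id }
  issue_csrf_token(fresh)
  fresh
end

# Walk through one form load, one form submit, a tampering attempt and a login.
def demo
  store = EncryptedSessionStore.new('server-side-secret-from-credentials') # constructed secret
  session = {}
  token = issue_csrf_token(session)
  cookie = store.dump(session)                 # Set-Cookie on the GET that renders the form
  restored = store.load(cookie)                # cookie comes back on the POST
  flipped = cookie[0] == 'A' ? 'B' : 'A'
  tampered = store.load(flipped + cookie[1..]) # one altered character in the IV part
  wrong_token = token[0..-2] + (token[-1] == 'A' ? 'B' : 'A')
  after_login = login!(42)
  {
    roundtrip: restored == session,
    tampered_empty: tampered == {},
    valid_token: valid_csrf_token?(restored, token),
    wrong_token_rejected: !valid_csrf_token?(restored, wrong_token),
    old_token_rejected_after_login: !valid_csrf_token?(after_login, token)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Run it directly to see each check print as true. The point of the reset in `login!` is the one the comment makes: the pre-login session (and with it anything an attacker might have planted or could use to correlate visits) is thrown away, so any cross-login tracking would have to be coded deliberately rather than happening by default.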