Tracking a user with a cookie is an essential part of delivering a secure and immersive user experience—however, some users, especially those who are new to the site, find tracking concerning. This is especially true for a landing page attached to an advertisement campaign. Through A-B testing I have noticed 8% decline in conversions when Cookie Consent alert is shown. Thus it is in our interest to not need to show a GDPR Cookie Consent alert for the user at least on landing pages.

Limiting Sessions

You can easily skip sessions using the request.session_options configuration. In a base controller (ex: ApplicationController and in my case Marketing::LandingPagesController, which has all of the landing pages under the www subdomain), you can do something similar to:

# app/controllers/marketing/landing_pages_controller.rb

after_action :skip_session

def skip_session
  request.session_options[:skip] = !(user_signed_in? || devise_controller?)
end

This assumes you are using Devise, which I didn't. If the helper methods have changed name let me know.

Downfalls

The main downfall of this approach is that the authenticity token used for CSRF (Cross-Site Request Forgery) uses sessions/cookies for their function. If you have a form submission, you will end up with an ActionController::InvalidAuthenticityToken error.

Although not ideal, you will have to skip the authenticity-token verification to handle this error.

# app/controllers/marketing/landing_pages_controller.rb

skip_before_action :verify_authenticity_token

I once implemented a less-than-ideal workaround. When the user focuses on a form, I will open a cookies consent modal. Once approved, I will refresh the page with:

• Authenticity token enabled
• Google reCaptcha enabled (which relies on cookies)
• Focus on the particular form element the user focussed on