European Electronic Communications Framework Compliance

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Sat May 05, 2012 4:53 pm

@webdongle
Webdongle wrote:
chrisjg wrote:...
... now a word from our sponsors...
--- part 2 ---
Webdongle wrote: Also (as pointed out by mandville) this thread is about the impact on non-commercial sites and about the necessity of session cookies. Neither of which is covered in the article you mention.
...
@chrisjg

I am not a sponsor and your pathetic attempt to try and discredit my posts by implying that I am .. is nothing but a childish prank. [mod note: removed attack ] .
End of part one - like in TV shows - followed by adverts (common US segue is to say "Now a word from our sponsors") - then Part 2 begins (part 2 is not "a word from sponsors", it is the next section of the program - or post in this case).
I even placed ellipses before and after the "sponsors" bit, to further emphasise the separation (between part 1 and the "adverts", and between the "adverts" and part 2) - and indicate a "trailing off into silence" at the end of the "adverts" before the program/post begins again.

You obviously failed to understand that, and thought I was attacking you.

I don't do that kind of thing.

I do argue (in the true sense of the word, not in the shouty way), I disagree, I have alternate interpretations and positions on many things, which I express freely. Sometimes I even try to inject some gentle humour (like "end of part one" ... "Part2", and the super-soaker comment at the end of that post) if disagreements or interpretations risk becoming adversarial.

In other posts on this thread I have agreed with some of your comments, and thanked you for your feedback. I did not set out to discredit you or your opinions on the "cookie law" subject. If you perceived my post as an attack, then I am sorry for offending you.

Perhaps I need to ask the moderator(s) to add a new BBCode for Humour? <-- This is not a serious request!

Hopefully this thread will get back to the important topic that is the "European Electronic Communications Framework Compliance", which is what we are really all here to discuss.

Chris.

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Sat May 05, 2012 7:52 pm

mandville wrote:registration required?
important spots before the complaints start
If you have other scripts/components that are dropping cookies (like Google analytics) this plugin will not help there.
If a user has no session cookie, is not posting a request, or is not logged in, then the session is not kept alive beyond the page request. So no cookie is ever generated.
but does it drop a cookie to prevent cookies?
The main use of this plugin is just to try and help you make your site compliant with the European Electronic Communications Framework
Yes, registration is required to download the component. If you're having problems registering there might be a bug there.

Joomla will create the session when it starts, and will call setcookie to store the cookie at the beginning of the script. The plugin runs in onAfterRender; it will look to see if the session is needed. If it is not, it will call setcookie again with the same name but now a negative time. This will update the cookie value (assuming headers have not been sent) and change the cookie from create to delete.

The browser will only ever see the delete cookie, so no other cookie is created.

So this should work fine for a clean joomla install.

If people like it and there is more to be done, then I can expand this to be a more complete solution.

If not I can always just drop it and do other work :P

At this point I am not sure if/where it breaks for other people, or what else would need to be added to it.

On my site I tested by:
- deleting all the session in the database
- deleting the cookies.
- browsing the site
- checking I had no cookie (if I had any cookies at this point it would be failed, but no cookies)
- logging in to the site (had a cookie at this point)
- browse
- log out (cookie removed)
- browse
- check cookies (no cookies)

For people who do not know what I am talking about, buried on the previous page I wrote a post pointing to a plugin I wrote. Which you can get from http://www.conquerjoomla.com/cjnocookies.html I am reposting the link so it is easy for people to try it.
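The mechanism nicholash describes (session started normally, cookie expired again in onAfterRender when nobody needed it), as an added illustration that is not code from the original post or from the cjnocookies plugin. It assumes the Joomla 2.5 API names shown in the comments and the plugin class name plgSystemNosessioncookie, which is hypothetical.

```php
<?php
// Added example, not the cjnocookies plugin's own code. Joomla still starts the
// session and PHP emits its Set-Cookie at the beginning of the request; in
// onAfterRender we decide whether anything needed the session and, if not,
// expire the cookie again before the headers leave the server.
// Assumed Joomla 2.5 API: JPlugin, JFactory::getApplication()/getSession()/getUser(),
// JApplication::isAdmin(), JInput::getMethod(), JSession::getName(), JLog::add().
defined('_JEXEC') or die;

jimport('joomla.plugin.plugin');

class plgSystemNosessioncookie extends JPlugin
{
    /**
     * The three conditions from the post: keep the session alive only when the
     * browser already presented a session cookie, the request is a POST, or a
     * user is logged in. Static and side-effect free so it can be unit tested.
     *
     * @param   bool    $hadCookie  request carried Joomla's session cookie
     * @param   string  $method     HTTP method of the request
     * @param   bool    $isGuest    true when nobody is logged in
     * @return  bool
     */
    public static function sessionNeeded($hadCookie, $method, $isGuest)
    {
        if ($hadCookie) {
            return true;   // visitor already has a session; dropping it would break it
        }
        if (strtoupper($method) === 'POST') {
            return true;   // form submits and cart actions rely on session state (form token, data)
        }
        return !$isGuest;  // logged-in users need the cookie to stay logged in
    }

    public function onAfterRender()
    {
        $app = JFactory::getApplication();
        if ($app->isAdmin()) {
            return;        // the administrator always needs its session
        }

        $session = JFactory::getSession();
        $name    = $session->getName();
        $needed  = self::sessionNeeded(
            isset($_COOKIE[$name]),
            $app->input->getMethod(),
            (bool) JFactory::getUser()->guest
        );
        if ($needed) {
            return;
        }

        // Once output has started the headers cannot be changed; record that instead
        // of silently leaving the cookie in place.
        if (headers_sent($file, $line)) {
            JLog::add("Session cookie not suppressed: headers sent at $file:$line",
                JLog::WARNING, 'plg_system_nosessioncookie');
            return;
        }

        // Expire the cookie using the same path/domain/flags PHP used when it set it.
        // setcookie() appends a second Set-Cookie header rather than replacing the
        // first; the browser applies both in order and finishes with no cookie stored.
        $p = session_get_cookie_params();
        setcookie($name, '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
}
```

The check is easy to verify in a browser's cookie viewer or with curl -i: a guest GET should return a Set-Cookie whose expiry lies in the past, while a POST or a logged-in request keeps the normal session cookie.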

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Sat May 05, 2012 9:01 pm

Am I reading this correctly ?

In order to comply with the EU regulations you, instead of blocking cookies, actually add a cookie.

You then delete the session cookie if the user is not logged in.

But if
abernyte wrote:As I see it, without the session ID then the transaction between the browser and web-server is open to hijack if an attacker can impersonate a valid session identifier. Without the session ID you would have to rely on the browser header being sent, which may not always be the case.
is correct then it is a step backwards not forwards.

And what about the other cookies ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Sat May 05, 2012 9:39 pm

Webdongle wrote:Am I reading this correctly ?

In order to comply with the EU regulations you instead of blocking cookies actually add a cookie.

You then delete the session cookie if the user is not logged in.

But if
abernyte wrote:As I see it, without the session ID then the transaction between the browser and web-server is open to hijack if an attacker can impersonate a valid session identifier. Without the session ID you would have to rely on the browser header being sent, which may not always be the case.
is correct then it is a step backwards not forwards.
I assume that you are referring to my solution. PHP calls setcookie, but no cookie is ever created on the browser. So I am not creating any cookies at all.

Once there is information that could be hijacked (ie user logs in, submits private information) then the session cookie comes back in to play. So it will go back to doing all the normal security at that point.
Webdongle wrote:And what about the other cookies ?
which other cookies? On a clean install of joomla it is only the session cookie that is created.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Sun May 06, 2012 1:11 am

nicholash wrote:Once there is information that could be hijacked (ie user logs in, submits private information) then the session cookie comes back in to play. So it will go back to doing all the normal security at that point.
So the session cookie is only placed on the PC if the user logs in?
nicholash wrote:which other cookies? On a clean install of joomla it is only the session cookie that is created.
But users install extensions and some 3rd party extensions use cookies. The user would need an option to hold those cookies until the visitor agreed to add them ... yes? Otherwise the user would be limited on what extensions they use.

This solution is starting to sound more appealing.

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Sun May 06, 2012 1:42 am

Webdongle wrote:
nicholash wrote:Once there is information that could be hijacked (ie user logs in, submits private information) then the session cookie comes back in to play. So it will go back to doing all the normal security at that point.
So the session cookie is only placed on the PC if the logs in ?
It is when they login or post a request (ie submit a form). At that point the session is most likely critical to the person for the functionality of the site.

If it was an ajax call for a user to add an item to a cart, which would use the session then I am not sure if that would be a post or a get call, most likely a post, which would cover it.
nicholash wrote:which other cookies? On a clean install of joomla it is only the session cookie that is created.
But users install extensions and some 3rd party extensions use cookies. The user would need an option to hold those cookies until the visitor agreed to add them ... yes? Otherwise the user would be limited on what extensions they use.

I am not sure I can do a generic solution .. maybe with some more cases, because I do not know how those 3rd party components are using it and if they would be considered essential to the functionality of that component.

I want to do some research this week to understand how people are planning to handle analytics, since this is the only 3rd party component that generates cookies.

Also maybe we need to look at IP targeting so if the person is in the states we act as normal.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Sun May 06, 2012 2:14 am

nicholash wrote:It is when they login or post a request (ie submit a form). At that point the session is most likely critical to the person for the functionality of the site.

If it was an ajax call for a user to add an item to a cart, which would use the session then I am not sure if that would be a post or a get call, most likely a post, which would cover it.
What if it was a get ... without the session cookie would any data be able to be fetched from the database ? Does the session cookie prevent unauthorised access to the database and without it the database be vulnerable to hackers ?
nicholash wrote:I want to do some research this week to understand how people are planning to handle analytics since this is the only 3rd party components that generates cookies.
Nominet drop Google analytics cookies on the PC without consent. They claim they are essential non 3rd party cookies :eek:

There are several extensions that use cookies .... language cookies, font resizing cookies to name but a few.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Sun May 06, 2012 8:58 am

This looks awfully interesting when combined with KookieGrab http://extensions.joomla.org/search?q=kookie-grab. You chaps might be on a winner here. Let the testing begin.....
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Sun May 06, 2012 10:38 am

My main concern with no session cookie is security.

Joomla 'sanitises' database requests to prevent SQL injection. My question is if there is no session cookie (or its mechanism is disabled) will that prevent the 'sanitising'? Thus allowing SQL injection.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Sun May 06, 2012 12:00 pm

Perhaps a passing Dev would care to give a view on the technical implications of running with the session cookie disabled in this way.
Helloooo ....anyone at home? ;)

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Sun May 06, 2012 7:57 pm

With this plugin, the session is still created at the start of loading the page and destroyed at the end of processing the page. It is just not passed to the user.

Security-wise it is basically the same as if the user viewed a page, cleared their cookies, looked at another page, cleared their cookies, etc.

**** Where security is less ****

There is one bit that is less ... not with sql injections it is in submitting forms.

When a person visits a form Joomla creates a unique hash that is placed in the session, so when someone submits that form it validates against that session. I need to bypass that because the user will have no session. Since sites could have a module sign-up form, just having any form would mean you would need to put the cookie there.

This security mechanism does not stop bots at all (well old ones maybe), all it does is it means that they have to visit a page first, get the session cookie, then submit the form information with that cookie.

So I do not believe the security is any less whatsoever.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Sun May 06, 2012 9:51 pm

I don't know enough about the session cookie to know if what you say is accurate, but if it is then that is interesting. Will you be putting it in JED as a Tool?

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Mon May 07, 2012 3:54 am

Webdongle wrote:I don't know enough about the session cookie to know if what you say is accurate, But if it is then that is interesting. will you be putting it in JED as a Tool ?
I plan to, would like some other people to have tested it first and make sure it is all working nice for them.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Mon May 07, 2012 9:45 am

I'll test for free if it is going in JED as non-commercial

nicholash
Joomla! Intern
Posts: 64
Joined: Sun Feb 25, 2007 10:07 pm

Re: European Electronic Communications Framework Compliance

Post by nicholash » Mon May 07, 2012 10:25 am

Webdongle wrote:I'll test for free if it is going in JED as non-commercial
It will require registration, but will be free

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Mon May 07, 2012 12:09 pm

I am also using it at the moment for testing and it seems to behave itself so far.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Thu May 10, 2012 11:30 pm

@nicholash

Been testing it on localhost for a while and appears to work OK with no conflicts so far. Will test on a live site soon.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Fri May 11, 2012 8:05 am

I too am letting it loose on an unsuspecting world shortly. Watch this space for howls of anguish...or not.

zeno
Joomla! Enthusiast
Posts: 127
Joined: Sun Oct 14, 2007 7:16 pm

Re: European Electronic Communications Framework Compliance

Post by zeno » Fri May 11, 2012 11:19 am

This could be an interesting solution from Silktide.
Cookie Consent is a JavaScript plugin that we created for websites to comply with the cookie law. You can install this on your site easily with just a few lines of code. Users will be shown a message which drops down from the top of the screen asking them if they want to allow cookies.
http://silktide.com/cookieconsent

An issue is that it isn't a joomla extension or a Wordpress plugin and that may put a lot of less experienced users off, but it could be very useful.

Anyone tried it?

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Fri May 11, 2012 12:02 pm

@zeno
This product brings us back to the old problem, in that it only works if the user doesn't block JavaScript as it offers no alternative if you do.
The site itself is in breach of the EU Regs as it drops the session cookie without consent:

http://silktide.com/cookieconsent
1 cookie
Name	PHPSESSID
Value	2ed340d3726471f614c01da255f489fe
Host	silktide.com
Path	/
Secure	No
Expires	At End Of Session
Which is a bit of an own goal!
Which is also why we are cautiously optimistic of the extension offered above.

Webdongle
Joomla! Master
Posts: 44072
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Fri May 11, 2012 12:08 pm

IMHO the plugin by nicholash looks like what users will need if session cookies need to be prevented until "Informed consent" is obtained to put any cookie on the visiting computer.

Xpresso
Joomla! Apprentice
Posts: 14
Joined: Sun Aug 17, 2008 2:17 pm

Re: European Electronic Communications Framework Compliance

Post by Xpresso » Tue May 15, 2012 10:09 am

Anyone tried this solution?

http://cookiesdirective.com/

This is a right headache!

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Tue May 15, 2012 5:36 pm

@Xpresso
Yeah I noticed it. Apart from being enormously fugly it also relies upon JavaScript being enabled in the browser.
This is also another site that offers a product to comply with the legislation and yet blatantly ignores it itself.

Google Adsense
http://pagead2.googlesyndication.com/pagead/show_ads.js
Twitter Button
http://platform.twitter.com/widgets.js
Dropped on arrival.
No wonder we are faced with this headache when non compliance with legislation that has been around since 2009 is the order of the day.

From all that I have looked at, KookieGrab http://www.weblinksonline.co.uk/downloa ... -grab.html used in conjunction with cjnocookies (link is a few posts up from this one) is the best combo to halt all 3rd party AND the session cookie so far.
It will get me into compliance (and out of a deep hole, thank you Joomla) until something better hoves into view.

Xpresso
Joomla! Apprentice
Posts: 14
Joined: Sun Aug 17, 2008 2:17 pm

Re: European Electronic Communications Framework Compliance

Post by Xpresso » Tue May 15, 2012 5:43 pm

And this is another one I've found

http://www.civicuk.com/cookie-law/index

There is a joomla plugin apparently under construction

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Tue May 15, 2012 5:45 pm

@nicholash
Your plugin is now on a couple of low traffic production sites and nothing is breaking and no complaints of stuff not working. I give this a cautious thumbs up and a big THANK YOU. :D You might want to take it to the JED soon if other tests have a similar result.

Xpresso
Joomla! Apprentice
Posts: 14
Joined: Sun Aug 17, 2008 2:17 pm

Re: European Electronic Communications Framework Compliance

Post by Xpresso » Tue May 15, 2012 5:49 pm

I've also tried @nicholash plugin on a couple of sites and everything seems to work fine with it. I now have a couple of sites running the previously mentioned plugin and the civic solution.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Tue May 15, 2012 6:03 pm

There seems an awful lot of base64 encoded stuff in that Civic code. Do you have any idea what it is?

Xpresso
Joomla! Apprentice
Posts: 14
Joined: Sun Aug 17, 2008 2:17 pm

Re: European Electronic Communications Framework Compliance

Post by Xpresso » Tue May 15, 2012 6:10 pm

No, I've no idea. You're in Scotland, aren't you? They are based in Edinburgh, you could always ask. Any reply I got from them was pretty quick.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Tue May 15, 2012 6:34 pm

Good ploy! Watch this space. I deploy nothing with hidden code.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Tue May 15, 2012 7:05 pm

Well that was a quick response:
The base64 code is the icons required by Cookie Control. They are encoded to make the script faster.
Hope that explains it.
So instead of linking to an external image file or declaring a background image in CSS they seem to be embedding the image with a data URI.
I suppose it makes for a faster page load but I am not too clued up on this.
