
block all cookies - still cookie

2 months 5 days ago - 2 months 5 days ago #4018 by Tobi
Hello,

A few minutes ago I tried EU e-Privacy Directive.
Now I have a question, please.

I chose: Just block all cookies. No option to accept.
But nevertheless the session cookie UUID#[abcdef0123456789]{32} was found by scanning this site.

Thank you very much
Tobias
Last edit: 2 months 5 days ago by Tobi. Reason: error

2 months 3 days ago #4020 by michael
Can you message me the address of the site, so I can have a look?

2 months 2 days ago #4021 by Tobi
Yes, of course
www.kirche-burkhardtsdorf.de

In my attachment you can see a report.

Thank you,
Tobias
2 months 2 days ago #4025 by michael
The cookie is being delivered by a plugin ajax request:

www.kirche-burkhardtsdorf.de/index.php?o...pography&format=json

The plugin itself is sending the cookie. You can test this using CURL:

The website homepage:
$ curl -I "https://www.kirche-burkhardtsdorf.de/"
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2019 16:15:30 GMT
Server: Apache
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 08 Oct 2019 16:15:31 GMT
Accept-Ranges: none
Strict-Transport-Security: max-age=31556926
Content-Type: text/html; charset=utf-8

The AJAX request:
$ curl -I "https://www.kirche-burkhardtsdorf.de/index.php?option=com_ajax&plugin=arktypography&format=json"
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2019 16:19:18 GMT
Server: Apache
Cache-Control: public
Expires: Wed, 09 Oct 2019 16:19:18 GMT
Set-Cookie: 6fa6a83bd487999457b4cbbf09a32b7f=d7888759172a750f43d560e20eb258d3; path=/; secure; HttpOnly
Accept-Ranges: none
Strict-Transport-Security: max-age=31556926
Content-Type: text/css;charset=UTF-8

2 months 2 days ago #4026 by michael
I downloaded that extension, and looked at the code for the exact problem.

What they've done is bypass the Joomla response, and because of that, my plugin is not given the opportunity to strip the session cookie.

The last functional line of code in this plugin is:
		// Write everything out
		echo $contentCSS;
		exit;

They should have just done:
return $contentCSS;
That would require them to do a little more work in the frontend, but it wouldn't break other extensions. If you can convince ARK to do it the right way, this can be resolved.
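As an added example (not code from this thread or from either extension), the following Python script automates the curl check from the earlier post: it parses the raw headers of several endpoints, lists every Set-Cookie each one sends, and flags the 32-hex-character names Joomla uses for its session cookie, so an endpoint that bypasses the Joomla response the way the arktypography plugin does stands out. The responses are constructed from the curl output quoted in this thread; the endpoint paths and cookie values are taken from it.

```python
import re

# Joomla names its session cookie with a 32-character hex hash, which is
# what the scanner in this thread reported as UUID#[abcdef0123456789]{32}.
JOOMLA_SESSION_COOKIE = re.compile(r"^[0-9a-f]{32}$")

# Constructed raw responses, modelled on the curl -I output quoted in this
# thread (only the headers relevant to cookies are kept).
RESPONSES = {
    "/": (
        "HTTP/1.1 200 OK\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n"
    ),
    "/index.php?option=com_ajax&plugin=arktypography&format=json": (
        "HTTP/1.1 200 OK\r\n"
        "Cache-Control: public\r\n"
        "Set-Cookie: 6fa6a83bd487999457b4cbbf09a32b7f="
        "d7888759172a750f43d560e20eb258d3; path=/; secure; HttpOnly\r\n"
        "Content-Type: text/css;charset=UTF-8\r\n\r\n"
    ),
}

def parse_set_cookies(raw_response: str) -> list:
    """Return (name, [attribute, ...]) for each Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            name = parts[0].split("=", 1)[0]
            cookies.append((name, [a.lower() for a in parts[1:]]))
    return cookies

def audit(responses: dict) -> list:
    """List every cookie each endpoint sets, marking Joomla session cookies."""
    findings = []
    for path, raw in responses.items():
        for name, attrs in parse_set_cookies(raw):
            findings.append({"path": path, "name": name,
                             "is_session": bool(JOOMLA_SESSION_COOKIE.match(name)),
                             "secure": "secure" in attrs, "httponly": "httponly" in attrs})
    return findings

if __name__ == "__main__":
    for f in audit(RESPONSES):
        print(f"{f['path']} sets {f['name']} (session={f['is_session']})")
```

To run this against a live site, replace RESPONSES with the raw headers of a GET request to each endpoint; curl -I sends a HEAD request, which a plugin may not handle the same way as the GET a browser makes.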

2 months 1 day ago #4029 by Tobi
Thanks for your effort!
Now I have deactivated the arktypography plugin, but the cookie UUID#[abcdef0123456789]{32} is still being set ...

Thank you
Tobias
