Cookies not removed at one of my ISPs and some other remarks

4 months 1 week ago - 4 months 1 week ago #1383 by jakobsrc
jakobsrc created the topic: Cookies not removed at one of my ISPs and some other remarks
Hi Michael, I appreciate your GDPR extension, well done!!
I encountered a weird issue with it though.
All installs are with version 3.7.3 on a standard virgin Joomla! 3.8.7 with PHP7. No other extensions installed.

1. On one of my online test web sites hosted by a certain ISP, the plg_system_eprivacy cookie is not removed when I withdraw my permission (through the module). Instead the cookie refreshes upon each new page (the expiry time of the cookie is updated each time). Also the session cookie set by Joomla is not removed.
If I remove the eprivacy cookie manually, all the other cookies disappear with the next page refresh (this is the expected behaviour). When allowing cookies, all cookies are placed anew and everything is all right. When withdrawing my permission again, the eprivacy cookie is again not removed and the same story starts all over.
When I implement the same extension v3.7.3 on a standard Joomla 3.8.7 install AT A DIFFERENT HOSTING ISP, the problem is not there and everything works as expected.
Have you got an idea as to what ISP setup/rights/permissions may be different?

Next, I have the following remarks:

2. The logging of cookie permissions is done in the table #__plg_system_eprivacy_log. The IP field of this table only allows for 15 characters and can therefore not hold a complete IPv6 address. I have changed this field to VARCHAR(255).

3. The IPv6 addresses of users allowing cookies are recorded in the table #__plg_system_eprivacy_log without the colons ( : ). I believe this is not right.

4. Your IP retrieval code does not seem to be compatible with IPv6. I am attaching the PHP code that I use for grabbing the visitor's IP address and I am using it as a function in the ajax plugin file eprivacy.php.

Thank you again for your efforts to create this extension and best regards!

Rob Jakobs
The Netherlands
Last Edit: 4 months 1 week ago by jakobsrc.

4 months 1 week ago #1387 by michael
michael replied the topic: Cookies not removed at one of my ISPs and some other remarks
1. There is a new configuration requirement for some users. I've found that SOME ISPs run site configurations that don't play nice with e-Privacy. I found this by buying a hosting account with one of these ISPs so I could experience it first-hand. The particular host I knew would replicate this issue only sells hosting accounts on an annual basis - so it was an expensive bug to find.

The configuration to resolve that issue is to set the cookie domain in Joomla global configuration. Simply, make it the same as your canonical domain name. By default, Joomla precedes this with a "." (dot/period), so if you want it to behave like vanilla Joomla, you can do that too. If you're running your site on www.example.com - your cookie domain can be any of: .www.example.com (the Joomla default), www.example.com (restrictive), or .example.com (super non-restrictive) - If you don't have a particular reason to pick 2 or 3, go with 1.

2. Good call, I'll make that adjustment - but I'll go with a varchar length of 45 which accommodates ipv4, ipv6 and ipv6mapped addresses. It's for logging purposes only, so it should be fine, and backwards compatible.

3. I'll address that with the SQL changes

4. I wrote it in 2012, and IPv6 wasn't such a big deal then. I've written much better IPv6 tools, and I'll apply them.

Thanks for the constructive criticism and praise, I appreciate it! I'll start working on the 3.8.0 version soon, which will incorporate at least one new feature, similar (opposite) to the accepted cookies access level: users who have not accepted cookies will be part of a different access level - allowing you to display alternate modules for users who have not accepted cookies (taunting them to accept).

4 months 1 week ago - 4 months 1 week ago #1400 by jakobsrc
jakobsrc replied the topic: Cookies not removed at one of my ISPs and some other remarks
Wow! Spot on for item 1, i.e. the eprivacy cookie not being deleted when hosted at a certain ISP.
The FF webconsole (storage tab) shows that the cookies are stored at https://domain.tld (i.e. not at https://www.domain.tld). When I set the cookie domain in Joomla global config to .domain.tld it works, when I set it to .www.domain.tld it does not work.
Last Edit: 4 months 1 week ago by jakobsrc.
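
The cookie-domain behaviour discussed in the two posts above, as an added example that is not part of the original posts or the extension's code: a minimal JavaScript model of the RFC 6265 domain-match and storage rules, showing that a deleting Set-Cookie only removes a cookie when the browser accepts its Domain for the current host and its name, domain and path equal those of the stored cookie. The `CookieJar` class, the `withdrawConsent` helper and the scenarios are constructed for illustration; the cookie name and host names are the ones quoted in the thread.

```javascript
// Added example: minimal model of the RFC 6265 (section 5.3) cookie storage rules.
// Simplified: ignores Path matching, Secure/HttpOnly and the host-only flag.
const COOKIE = "plg_system_eprivacy"; // cookie name from the thread

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Apply one Set-Cookie received from `host`.
  // Returns "rejected", "stored", "deleted" or "no-match".
  setCookie(host, { name, value = "", domain = "", path = "/", maxAge = null }) {
    host = host.toLowerCase();
    let cookieDomain = domain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
    if (cookieDomain && !domainMatch(host, cookieDomain)) return "rejected";
    if (!cookieDomain) cookieDomain = host;
    const key = `${name}|${cookieDomain}|${path}`; // cookie identity
    if (maxAge !== null && maxAge <= 0) {
      // An expired cookie only evicts the entry with the same identity.
      return this.store.delete(key) ? "deleted" : "no-match";
    }
    this.store.set(key, value);
    return "stored";
  }

  has(name) {
    return [...this.store.keys()].some((k) => k.startsWith(name + "|"));
  }
}

// Set the consent cookie with one Domain, then try to delete it with another.
function withdrawConsent(host, setDomain, deleteDomain) {
  const jar = new CookieJar();
  jar.setCookie(host, { name: COOKIE, value: "1", domain: setDomain });
  const outcome = jar.setCookie(host, { name: COOKIE, domain: deleteDomain, maxAge: 0 });
  return { outcome, stillPresent: jar.has(COOKIE) };
}

// Constructed scenarios using the host names from the thread.
for (const [host, set, del] of [
  ["domain.tld", ".domain.tld", ".www.domain.tld"],     // deletion rejected by the browser
  ["www.domain.tld", ".domain.tld", ".www.domain.tld"], // accepted, but targets another cookie
  ["domain.tld", ".domain.tld", ".domain.tld"],         // identity matches, cookie removed
]) {
  console.log(host, set, del, withdrawConsent(host, set, del));
}
```

In the first two scenarios the server believes it has cleared the cookie, yet the browser keeps sending it, which matches the "cookie refreshes on each page" symptom described in the first post.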

4 months 6 days ago #1419 by michael
michael replied the topic: Cookies not removed at one of my ISPs and some other remarks
That issue was the source of much grief for a few weeks while I looked for a way to replicate it!
