How to stop the anonymous users getting a cookie set even before they have given their consent.

Do we clone the includes/session.inc with a modified version? Is there anything detailing how this has already been solved elsewhere, Pressflow maybe?

Comments

greggles’s picture

Title: Anonymous users are getting a session cookie » Anonymous users are (sometimes) getting a session or has_js cookie

This isn't happening on my site, so maybe it's something site/module specific?

The only cookie that anonymous users are getting on my site is the has_js cookie, so I thought I should expand the scope of this issue to include that.

I agree that a patch to core (or replacement file, either way) might be the only way to achieve this.

budda’s picture

I get the anonymous user session when submitting a form, such as the user login form with bad username & password values.
I'm testing on a Drupal 7 basic install.

http://drupal.org/project/no_anon is also a possible solution for anonymous user session cookies being set. Although it's Drupal 6 only at present.

The has_js cookie is exempt from any privacy restrictions as it is needed for functioning of the site and carries no identifiable tracking of a user.

greggles’s picture

Title: Anonymous users are (sometimes) getting a session or has_js cookie » Anonymous users are (sometimes) getting a session cookie

Ah, gotcha.

Would a solution be to disable forms (maybe with JavaScript) until the user has clicked "I am happy with this"?

If the solution requires a PHP-based solution then I wonder how well it could work with Drupal's page caching and/or behind Varnish.

budda’s picture

At the moment I stop users logging in via a replacement validation callback on the form. Disabling the form could be a solution - disabling all forms unless the cookie consent has been given.

pjcdawkins’s picture

Regarding forms, it strikes me that if you're planning to disable a feature of the site until consent has been given, then you don't understand the law (which allows for any cookies that are necessary for the site to function).

On my site with Cookie Control enabled, anonymous users do get a session cookie before any forms have loaded, which seems unnecessary. But then again, a session cookie will be necessary if they do end up using a form (and the site does have forms) so it seems like it's not such a problem.

budda’s picture

A visitor needs to give consent to the site to store data about them specifically. A user logging in has a session linked specifically to them.
If they have not given consent then they should not be allowed to log in as that's effectively ignoring the visitor's refusal to allow cookie use.

budda’s picture

Status: Active » Closed (fixed)

Login form restriction done via cookiecontrol_form_user_login_block_alter()
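
A sketch of the approach discussed in this thread (a form alter that swaps in a replacement validation callback), added here as an example and not the Cookie Control module's own code. The module name `consentgate`, the cookie name `consentgate_consent` and its value `yes` are assumptions; only the Drupal 7 hook and form API calls are real.

```php
<?php
/**
 * @file
 * consentgate.module: hypothetical Drupal 7 module, example only.
 */

// Assumed name of the cookie the consent banner sets once the visitor agrees.
define('CONSENTGATE_COOKIE', 'consentgate_consent');

/**
 * Returns TRUE when the request carries the (assumed) consent cookie.
 */
function consentgate_has_consent() {
  return isset($_COOKIE[CONSENTGATE_COOKIE]) && $_COOKIE[CONSENTGATE_COOKIE] === 'yes';
}

/**
 * Implements hook_form_FORM_ID_alter() for the login block.
 */
function consentgate_form_user_login_block_alter(&$form, &$form_state, $form_id) {
  consentgate_gate_login($form);
}

/**
 * Implements hook_form_FORM_ID_alter() for the login page at /user.
 */
function consentgate_form_user_login_alter(&$form, &$form_state, $form_id) {
  consentgate_gate_login($form);
}

/**
 * Replaces core's login validators when consent has not been given.
 *
 * The alter hooks run again when the submitted form is processed, and POST
 * requests are not served from Drupal's page cache, so the cookie is checked
 * on the request that actually attempts the login.
 */
function consentgate_gate_login(&$form) {
  if (!consentgate_has_consent()) {
    // Core's authentication validators are dropped, so no login is attempted.
    $form['#validate'] = array('consentgate_login_validate');
  }
}

/**
 * Validation callback: always fails, so the login submit handler never runs.
 */
function consentgate_login_validate($form, &$form_state) {
  form_set_error('name', t('Please accept cookies before logging in.'));
}
```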