How to stop the anonymous users getting a cookie set even before they have given their consent.
Do we clone the includes/session.inc with a modified version? Is there anything detailing how this has already been solved elsewhere, Pressflow maybe?
Comments
Comment #1
greggles
This isn't happening on my site, so maybe it's something site/module specific?
The only cookie that anonymous users are getting on my site is the has_js cookie, so I thought I should expand the scope of this issue to include that.
I agree that a patch to core (or replacement file, either way) might be the only way to achieve this.
Comment #2
budda
I get the anonymous user session when submitting a form, such as the user login form with bad username & password values.
I'm testing on a Drupal 7 basic install.
http://drupal.org/project/no_anon is also a possible solution for anonymous user session cookies being set. Although it's Drupal 6 only at present.
The has_js cookie is exempt from any privacy restrictions as it is needed for functioning of the site and carries no identifiable tracking of a user.
Comment #3
greggles
Ah, gotcha.
Would a solution be to disable forms (maybe with JavaScript) until the user has clicked "I am happy with this"?
If the solution requires a PHP-based solution then I wonder how well it could work with Drupal's page caching and/or behind Varnish.
Comment #4
budda
At the moment I stop users logging in via a replacement validation callback on the form. Disabling the form could be a solution - disabling all forms unless the cookie consent has been given.
Comment #5
pjcdawkins
Regarding forms, it strikes me that if you're planning to disable a feature of the site until consent has been given, then you don't understand the law (which allows for any cookies that are necessary for the site to function).
On my site with Cookie Control enabled, anonymous users do get a session cookie before any forms have loaded, which seems unnecessary. But then again, a session cookie will be necessary if they do end up using a form (and the site does have forms) so it seems like it's not such a problem.
Comment #6
budda
A visitor needs to give consent to the site to store data about them specifically. A user logging in has a session linked specifically to them.
If they have not given consent then they should not be allowed to log in as that's effectively ignoring the visitor's refusal to allow cookie use.
Comment #7
budda
Login form restriction done via cookiecontrol_form_user_login_block_alter()
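
The replacement-validator approach described in comments #4 and #7, sketched as an added example that is not code from this thread or from the Cookie Control module. The module name `mymodule`, the consent cookie name and its `yes` value are assumptions; only the Drupal 7 core hooks and functions are real.

```php
<?php

/**
 * Assumed name of the cookie the consent banner sets (hypothetical;
 * not necessarily the name Cookie Control uses).
 */
define('MYMODULE_CONSENT_COOKIE', 'mymodule_cookie_consent');

/**
 * Returns TRUE when the current request carries the consent cookie.
 */
function mymodule_has_consent() {
  return isset($_COOKIE[MYMODULE_CONSENT_COOKIE])
    && $_COOKIE[MYMODULE_CONSENT_COOKIE] === 'yes';
}

/**
 * Implements hook_form_FORM_ID_alter() for the login block form.
 */
function mymodule_form_user_login_block_alter(&$form, &$form_state, $form_id) {
  if (!mymodule_has_consent()) {
    // Drop core's login validators (name check, authentication, final
    // check) so no authentication is attempted without consent.
    $form['#validate'] = array('mymodule_login_consent_validate');
  }
}

/**
 * Implements hook_form_FORM_ID_alter() for the full-page login form,
 * so /user/login cannot be used to bypass the block restriction.
 */
function mymodule_form_user_login_alter(&$form, &$form_state, $form_id) {
  mymodule_form_user_login_block_alter($form, $form_state, $form_id);
}

/**
 * Replacement validator: always fails, which also prevents the form's
 * submit handler (the one that logs the user in) from running.
 */
function mymodule_login_consent_validate($form, &$form_state) {
  form_set_error('name', t('Please accept cookies before logging in.'));
}
```

The check reads `$_COOKIE` on the server, so the caching concern raised in comment #3 still applies to how the form is rendered for visitors served from the page cache or Varnish.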