Session cookie

Hello.

I'm currently testing, on a local clone of the live site, the migration process to C5 8.4.0.
In the changelog, under behavioral improvements, it is stated: "We now only set sessions when you attempt to login or use custom session code, in order to reduce the number of sites that set cookies for GDPR".
As I understand it, that means the session cookie (CONCRETE5) is no longer set if browsing the site as guest. Am I wrong?

I ask because after updating the local clone from 8.3.2 to 8.4.0, I opened the site (as guest), erased the stored cookies, refreshed the page and checked again for cookies. The CONCRETE5 cookie is there...

I also checked application\config files but there is nothing related there.

What am I supposed to do to prevent cookies being set for ordinary visitors (guests)?

Thanks.

 
cristi78 replied:
Anyone?

Thanks.
A3020 replied:
I just tested the behavior using a fresh 840 instance and when opening the home page on Elemental theme, no cookies are set.

This seems to be in line with this commit that's in the 8.4.0 release: https://github.com/concrete5/concrete5/commit/2d925d13fae2ebe4bb9531...

Maybe one of your add-ons or other custom code stores data in a session?
cristi78 replied:
Thank you for answering.

I'm using the Pixel theme and a few other add-ons, but they aren't supposed to set (session) cookies. I don't have any custom code, only 4 modified block templates (to exclude some HTML tags).
By the way, I use the Handyman add-on to change some parameters of C5, including the name of the cookie from "CONCRETE5" to "FIRMNAME". But, since cookies are set by the core, I don't think this could be the culprit as I changed the cookie name back to the default one.

I will try to upgrade a local fresh install of C5 8.3.2 (without any addons) to 8.4 to check the behavior. Also, I will try the same but with the Handyman installed before upgrading to 8.4.

Be back later with the results.
A3020 replied (1 attachment):
My website is also using 8.4.0, see http://a3020.com

I've attached a screenshot that shows no cookies are set.
cristi78 replied:
Oh, I'm not denying 8.4 is working correctly :)
I'm just trying to pinpoint the cause for the unexpected behavior of my test instance (8.3.2 upgraded manually to 8.4 by replacing concrete folder). Identifying the cause is critical for the planned update of the live site.

Thanks.
A3020 replied:
I understand. Maybe you'd check the /login page. Does it also set a cookie? If so, I'd look into add-ons, and e.g. disable a few (temporarily) via the Packages table.

If that's not the case, maybe you'd create a clean page with no blocks on it, and try to access that to test whether cookies are being set?
cristi78 replied:
Good idea!!!
Will try.
cristi78 replied (1 attachment):
New installation of C5 8.4 with no content (XAMPP).
I accessed the homepage (https://localhost/test84/) using a fresh Google Chrome portable.
The CONCRETE5 session cookie is set...

So it seems that the problem is related to my XAMPP or something.
This is strange...
What in XAMPP can cause this behavior?

I will try again using a fresh XAMPP.

LE: a cookie is created only for the first session. If I delete the cookie and refresh the page there are no more cookies. Anyway, this is not the case with the test instance of the live site, where a cookie is created every time. I will continue the tests.
cristi78 replied:
Fresh 8.4 - only sets a cookie the first time it is accessed
Fresh 8.3.2 upgraded to 8.4 - only sets a cookie the first time it is accessed

Clone of live site (8.3.2 upgraded to 8.4), with all the addons removed (except for the Pixel theme) and with all the files in application/config and application\config\generated_overrides cleaned to mimic fresh 8.4 ones - sets a cookie every time it is accessed.

Could be something in the database?
cristi78 replied:
I finally found the culprit - as soon as I added a second language (locale) to a clean installation, a cookie is set every time I visit the site.
If I remove the 2nd locale, the cookie is no longer set.

As I run a multilingual site (2 languages) this can explain the behavior of my clone.

@A3020, could you please check and see if you can reproduce the problem?

Thanks.
A3020 replied:
I can reproduce this issue. Good find! I reported the problem on Github: https://github.com/concrete5/concrete5/issues/6837...
cristi78 replied:
Thank you for the help.
cristi78 replied:
Today I made a clone of my live 8.4.0 site and manually updated it to 8.4.1 by replacing the /concrete folder.

I cleared the cache, unchecked 'Always track user locale' in Dashboard - Multilingual setup and visited the site with a fresh portable Google Chrome.

A session cookie is still getting set...

I will try it also with a new installation of C5 8.4.1 and report back.
cristi78 replied:
Tested on a fresh C5 8.4.1
A cookie is still set on a multilingual site, no matter whether "Always track user locale" is checked or not.
A3020 replied:
I'd recommend opening an issue on Github: https://github.com/concrete5/concrete5/issues/...
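
The guest-visit check repeated by hand throughout this thread (fresh browser, no stored cookies, look for the CONCRETE5 cookie on the homepage, on /login and on a clean page) can be scripted. This is an added example, not part of any post above and not concrete5 code; `guest_cookies`, `audit` and the default page list are illustrative names, and it assumes the site is reachable over plain HTTP or with a certificate Python trusts.

```python
import sys
import urllib.request
from http.cookiejar import CookieJar

# Default session cookie name quoted in the thread; adjust if it was renamed.
SESSION_COOKIE = "CONCRETE5"


def guest_cookies(url, timeout=10):
    """Request url as a first-time guest (empty cookie jar) and return
    {name: cookie} for every cookie set along the redirect chain."""
    jar = CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # talk to the server directly
        urllib.request.HTTPCookieProcessor(jar),
    )
    with opener.open(url, timeout=timeout):
        pass  # only the response headers matter here
    return {c.name: c for c in jar}


def audit(base_url, paths=("/", "/login"), visits=2):
    """Return {path: [bool, ...]}, one entry per fresh visit, telling
    whether SESSION_COOKIE was set. Several visits separate the
    "only the first time" case from the "every time" case."""
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        results[path] = [
            SESSION_COOKIE in guest_cookies(url) for _ in range(visits)
        ]
    return results


if __name__ == "__main__":
    # Usage: python guest_cookie_audit.py http://localhost/test84 / /login /clean
    base = sys.argv[1]
    pages = tuple(sys.argv[2:]) or ("/", "/login")
    for page, hits in audit(base, pages).items():
        verdict = "sets" if any(hits) else "does not set"
        print(f"{page}: {verdict} {SESSION_COOKIE} for guests {hits}")
```

Running it against the same clone before and after adding a second locale, or before and after disabling an add-on, gives a repeatable comparison in place of clearing browser cookies by hand.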