Sandbox

Problem:
Joomla excessively utilizes session cookies for user tracking, hit counting, statistics and more. This can upset cookie-aware users and therefore undermine your credibility, especially if you're running sites promoting data thriftiness (sounds awful in English... "Datensparsamkeit" in German - does anyone know a better translation?  :) )

Following I will describe how to avoid all cookies for normal visitors and still have front end login. (Works with version 1.0.12 - no guaranty for older ones and definitely not for v1.5!)

- First of all: Deactivate site statistics! Global configuration -> Statistics -> Statistics: No
  This will stop the "mosvisitor" cookie.

- Don't use the Template Chooser module, because it uses a cookie named "jos_user_template".

- Be careful with components: Some might start their own PHP session. (And I just don't get why 1 session isn't enough...) Fabrik is such a case.

- Now to the main point:
  Delete / comment out line 697 of /includes/joomla.php like this:

// setcookie( $sessionCookieName, '-', false, '/' );

Because of a set POST/GET parameter named "force_session", a user session will be started anyway in the code further down if someone logs in. This parameter is set in the standard login module. If you use your own login module, just add this parameter!

- Additional: Comment out line 25 in /offline.php: // session_start();
  This seams to be an artifact of old versions. It really doesn't make sense to me, to start a PHP session in this file, particularly because Joomla uses its own session mechanism...

Maybe this information is useful to some other people like me.

It would be interesting to hear from a developer, what lead to the decision to start a session (and therefore set a cookie) on first page call for every user. And additionally, why it is so easy to remove that behavior - or in other words: why is a different behavior implemented almost to the end? All whats missing is a configuration flag...


Have a nice day,

tla.designz

This info is certainly interesting for me.

I am trying to solve a totally opposite problem.

I use Joomla with VirtueMart e-commerce component. Naturally, there is a shopping cart. The cart has a mind of its own, and does not retain any info of the products that are there once the session is terminated.

I would like the cart to "remember" the cart content on return login if the shopper did not complete the checkout process. I assume it depends on the cookie lifespan settings. HOWEVER, I have no idea how to configure Joomla so as to extend this lifespan.

Any help coming from your direction?

TIA -

L

As the name "session cookie" might suggest, a session cookie's lifetime ends with the end of the session. When the browser window containing a web site is closed, every browser deletes associated session cookies.

Especially since Joomla hashes one's IP adress into the cookie, it would be discarded anyway on the next session, because the IP adress of the customer most likely changed until then.

What you try to achive is to save the shopping cart of a user in the database, to be reloaded on next login. You really don't want to store this sensible information in cookies, be it session cookies or any other cookie.

If and how this is possible with the VirtueMart component is probably a question you should ask its developers, but only if you really read every piece of documentation at least twice! 

Have a nice day,

tla.designz

THANKS MUCH for sharing this howto. It helped me a great deal. 

Cheers,

Tobias

You're welcome! 

I've got some more cookie buster news on components:

Fabrik's (version 1.0) cookie can savely be disabled without harming it's functioning.

Disable /components/com_fabrik/fabrik.php, line 17:

// session_start();


Joomfish 1.7 cookie setting can be somewhat cutted back, but this is a bit more tricky.

/mambots/system/jfdatabase.systembot.php 's logic has to be a bit shuffled.

The attached patched file is a quick shot. It just sets a cookie if the user changed the language manually. It has at least two problems:
- The cookie isn't renewed continually.
- As long as no cookie is set, it extends processing time, because the HTTP "Accept Language" Header is evaluated on each page call.

Feel free to improve!

cheers,

tla.designz

sites promoting data thriftiness (sounds awful in English... "Datensparsamkeit" in German - does anyone know a better translation?  Smiley )

I don't have anything to add to the 'crumbling cookies' issue, except my thanks for a nice piece of hacking  , but I thought I might suggest an alternative English translation for "Datensparsamkeit" : how about "Data Parsimony"?  I'm 99.9% sure it means the same thing, and I really like the work parsimony.  It's often used in English-language philosophy in association with the much-vaunted principle of Occam's Razor, which itself is often known as the principle of "Ontological Parsimony".

Thanks again for the hack!

Simon

Hi!

Back again!
Just wanted to drop a line about Joomla 1.0.14: It's still working like described!

I have switched my first site to Joomla 1.5 and investigate the issue further. Any comments on cookie disabling in 1.5 are very welcome!

Cheers,

tla.designz