dmind-gmbh / extension-cookieman

A GDPR tracking consent popup for the content management system TYPO3. It asks for approval to include tracking objects (cookies, images or any HTML) and includes the objects when consented.
https://extensions.typo3.org/extension/cookieman
GNU General Public License v2.0

CookieConsent cookie expires only after 1 week #299

Open webian opened 1 year ago

webian commented 1 year ago

Bug Report

Prerequisites

Description

CookieConsent cookie expires only after 1 week instead of the default 365 days.

Steps to Reproduce

  1. Just go to https://cookieman.d-mind.de/theme-bootstrap4-modal and set the cookie
webian commented 1 year ago

Debugging EXT:cookieman/Resources/Public/Js/js.cookie.min.js it sets document.cookie with a string like: CookieConsent=mandatory|marketing; path=/; expires=Sun, 31 Dec 2023 10:40:13 GMT; sameSite=lax that should be right (https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie)

But in Chrome dev tools it shows the expiry of the cookie as only 2023-01-07T10:44:08.773Z

webian commented 1 year ago

And it looks like it depends on this: https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/ "Client-Side Cookies Capped to 7 Days of Storage"

Brave browser, which I'm using, has implemented this. Probably Safari too.

I tested it with Edge and Chrome and the cookie expires correctly after 1 year.

Maybe a solution could be to set the cookie again in PHP after it has been set in JS?

webian commented 1 year ago

Another reference: https://github.com/js-cookie/js-cookie/issues/579

jonaseberle commented 1 year ago

Thanks for bringing that up. I am unclear about that.

( As for the reference I don't trust Apple's motivation much in regards to data protection. Their take on the Do-Not-Track header shows that they are fabricating reasons to make a non-legally-binding tool irrelevant (this one is more to blame on the legislation than on the companies not implementing it IMHO). )

Going the HttpOnly (PHP) way might be possible but would be an architecture change.

Maybe we could improve our "1st party signals" towards browsers by setting { secure: true } when applicable. Also { sameSite: 'strict' }.

We could also go localStorage which does not expire and is strictly 1st party by design... I guess that would be OK even for privacy-oriented browsers?
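The two storage options weighed in this thread, as an added example that is not cookieman's or js-cookie's code: the cookie string handed to document.cookie (with the Secure/SameSite attributes suggested above; a browser applying a 7-day client-side cap may still shorten it, and a script cannot read the stored expiry back), and a localStorage record that carries its own 365-day expiry, which the page has to enforce itself because localStorage never expires on its own. The cookie name, value and 365 days come from the issue; the helper names and the in-memory storage stand-in are assumptions for this example.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Build the string a client-side consent script would assign to document.cookie.
// "|" is a legal cookie-octet, so the value is written as-is, like the one in the issue.
function buildConsentCookie(value, days, now = new Date(), opts = {}) {
  const expires = new Date(now.getTime() + days * DAY_MS).toUTCString();
  let cookie = `CookieConsent=${value}; path=/; expires=${expires}`;
  if (opts.secure) cookie += "; Secure";             // only sent over HTTPS
  cookie += `; SameSite=${opts.sameSite || "Lax"}`;  // "Strict" is the stronger first-party signal
  return cookie;
}

// Store consent in a localStorage-like object together with an explicit expiry timestamp.
function writeConsent(storage, value, days, now = new Date()) {
  const record = { value, expires: now.getTime() + days * DAY_MS };
  storage.setItem("CookieConsent", JSON.stringify(record));
  return record;
}

// Read consent back; null when absent, malformed, or past the expiry the page itself stored.
function readConsent(storage, now = new Date()) {
  const raw = storage.getItem("CookieConsent");
  if (raw === null) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  if (typeof record.expires !== "number" || record.expires <= now.getTime()) {
    storage.removeItem("CookieConsent"); // stale consent is dropped so the popup asks again
    return null;
  }
  return record.value;
}

// Minimal in-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```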