joomla / joomla-websites

This repository is for reporting issues with the joomla.org websites only. Please report issues with the Joomla CMS at https://github.com/joomla/joomla-cms/issues/new

[joomla.org] Clarify Necessary Cookies With Additional Qualifiers #1421

Closed mbabker closed 3 years ago

mbabker commented 4 years ago

Not every subdomain is a CMS install, and not every subdomain uses sessions.

api, help, and framework have no session cookies

docs and forum are not CMS software and will presumably have a different naming convention for the session cookie

issues has a session cookie named "PHPSESSID"

And the CMS session cookie should clearly indicate it is a random name; if the session cookie were persistently named "b7341489b33778906012d5d525781744" for every CMS installation worldwide, that would be a pretty huge security issue.

jeckodevelopment commented 4 years ago

Thanks @mbabker, I didn't find any session cookie visiting api.joomla.org or docs.joomla.org. If you spot anything, please let me know.

I updated the table, can you please check if it works now?

mbabker commented 4 years ago

Looks better. It still implies though that all of the Joomla sites have essential cookies. Since you are listing cookies on a per-site basis, it should be made clear that there are sites that have zero essential cookies.

(Also, while I'm commenting on things, instead of listing every single subdomain separately in the opening, copy the wording from the privacy policy which has a statement that ensures it covers the three domains owned by Joomla/OSM and any subdomains because nobody is going to keep that list up-to-date)

conconnl commented 4 years ago

@mbabker Thanks... I replaced the list with the same information as the privacy policy.

Cookie per-site basis: Is it correct to say "*.joomla.org sites using the Joomla CMS"? So, basically all sites without the CMS do not use this session cookie.

mbabker commented 4 years ago

That won’t work because only the administrative team really understands what software is running on each site, that type of statement doesn’t work with the general public.

mbabker commented 4 years ago

Also, there are sessions (and most likely session cookies) in non-Joomla CMS platforms (Mediawiki for the docs site and phpBB for the forum), so it would be wrong to say that those sites don’t have some form of session identifier somewhere.

conconnl commented 4 years ago

Do you have any suggestion, how the Compliance team could mention it correctly in your opinion?

mbabker commented 4 years ago

The same table structure where the cookie names are explicitly listed alongside the explicit subdomains that they are used on that is used for the other tables. There is no way to issue a generic statement here that does not use “insider terminology”.

conconnl commented 4 years ago

👍 I will browse to all websites I can and find the session cookies, to add them to the essential cookies list.

conconnl commented 4 years ago

Note: I only opened the websites, I did not click anything within the site.

No Session Cookies

  • api.joomla.org
  • help.joomla.org
  • framework.joomla.org
  • update1.joomla.org
  • update.joomla.org
  • docs.joomla.org

Joomla session cookies

  • www.joomla.org
  • downloads.joomla.org
  • vel.joomla.org
  • tm.joomla.org
  • resources.joomla.org
  • conference.joomla.org
  • magazine.joomla.org
  • community.joomla.org
  • certification.joomla.org
  • exam.joomla.org
  • volunteers.joomla.org
  • showcase.joomla.org
  • foundation.joomla.org
  • templates.joomla.org
  • extensions.joomla.org
  • identity.joomla.org
  • opensourcematters.org

Other

shop.joomla.org redirects to 'https://community.joomla.org/the-joomla-shop.html#!/', which wraps another website. It has multiple cookies for the session lifetime: Joomla, s_cc, p_url, direct_affiliate, PPP, PP, AMCVS_68044180541804760A4C98A5%40AdobeOrg

appsserver.joomla.org: no session cookies, but appsserver.joomla.org/live/ has Joomla session cookies

issues.joomla.org: PHPSESSID session cookie

forum.joomla.org: the following cookies are just for the session; I can't judge whether they are session cookies or serve other purposes. @ooffick can you shine your light on this?

ct_timezone, ct_ps_timestamp, ct_pointer_data, ct_fkp_timestamp, ct_checkjs, phpbb3_cnuw4_ct_sfw_pass_key, phpbb3_cnuw4_ct_cookies_test, phpbb3_cnuw4_ct_prev_referer, phpbb3_cnuw4_k, phpbb3_cnuw4_sid, phpbb3_cnuw4_u

mbabker commented 4 years ago

Pop update1 off the list. That's the internal identifier for the update subdomain, it doesn't need to be explicitly listed here.

Having appsserver (actually it should be appscdn as that's the production URL, appsserver is the non-CDN access) on the list is somewhat interesting. It's the Install From Web system, so in regular use the session cookie makes no difference because the API is stateless, but thanks to being written on Joomla it has the basic requirement of having a session (I still think it would be a good idea to rewrite that system from a CMS component to a Framework application in the same way the help screen system was changed, it reduces some of the normal Joomla operating overhead and solves the session problem).

Pop shop off the list. It isn't an actual subdomain, its cookies should be listed as part of the community subdomain (if necessary add something explaining that only a certain section of the site gets these extras). Same goes for training (it's not on your list but there are still occasional references to it as a separate subdomain).

Check with Tom on the docs wiki. Maybe it only starts a session if you're authenticated, but it seems a little weird that a site that has an authentication mechanism has no session related cookies at all.
ooffick commented 4 years ago

  • phpbb3_cnuw4_u is the user id, or 1 for guest
  • phpbb3_cnuw4_k is a session key for the 'remember me' feature
  • phpbb3_cnuw4_sid is a session id

The ct_... and ...ct... Cookies are all CleanTalk cookies
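
The per-site audit above (open each subdomain, note which session cookies it sets) and ooffick's breakdown of the phpBB cookie names can be turned into a repeatable check. What follows is an added example written for this page, not code from the joomla-websites project or from the Joomla CMS. It classifies cookie names by the patterns the thread itself gives (a Joomla CMS session cookie is a 32-character hex name that differs per installation, as in mbabker's "b7341489b33778906012d5d525781744" example; PHPSESSID on issues; phpbb3_<board>_sid/_u/_k and the CleanTalk ct_ cookies on the forum), keeps hosts that set no session cookie in the output so they can be listed as having zero essential cookies, and additionally reports missing Secure/HttpOnly/SameSite attributes, which is the editor's addition rather than something the thread asked for. All Set-Cookie headers below are constructed; the 32-hex name is made up.

```python
"""Inventory session cookies per host, as in the audit discussed above.

Added example; not joomla-websites or Joomla CMS code. Sample headers are constructed.
"""
import re
from dataclasses import dataclass, field

# Joomla CMS names its session cookie with a 32-character hex hash that differs
# per installation, so a policy must describe the pattern, not a fixed name.
JOOMLA_SESSION_NAME = re.compile(r"^[0-9a-f]{32}$")
# phpBB: <board_prefix>_sid (session id), _u (user id, 1 = guest), _k (remember-me key)
PHPBB_NAME = re.compile(r"^(phpbb3_[a-z0-9]+)_(sid|u|k)$")
# CleanTalk anti-spam cookies carry a ct_ prefix or a _ct_ segment in the name
CLEANTALK_NAME = re.compile(r"(^ct_)|(_ct_)")

# Kinds a cookie policy would list as essential session/authentication cookies
SESSION_KINDS = {"joomla-session", "php-session", "phpbb-session", "phpbb-remember-me"}


@dataclass
class Cookie:
    host: str
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercased attribute -> value, or True for flags


def parse_set_cookie(host: str, header: str) -> Cookie:
    """Parse one Set-Cookie header value of the shape name=value; Attr; Attr=val."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(host, name.strip(), value.strip(), attrs)


def classify(name: str) -> str:
    """Map a cookie name to the software that sets it, using the patterns from the thread."""
    if JOOMLA_SESSION_NAME.match(name):
        return "joomla-session"
    if name == "PHPSESSID":
        return "php-session"
    m = PHPBB_NAME.match(name)
    if m:
        return {"sid": "phpbb-session", "u": "phpbb-user", "k": "phpbb-remember-me"}[m.group(2)]
    if CLEANTALK_NAME.search(name):
        return "cleantalk-antispam"
    return "other"


def attribute_findings(cookie: Cookie) -> list:
    """Attributes a session-bearing cookie should carry; only session kinds are checked."""
    if classify(cookie.name) not in SESSION_KINDS:
        return []
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite")
    return findings


def inventory(set_cookie_by_host: dict) -> dict:
    """Return {host: [(name, kind, findings), ...]} covering every host given.

    Hosts that set no session cookie are kept with an empty list, so the policy
    can state explicitly which sites have no essential cookies at all."""
    result = {}
    for host, headers in set_cookie_by_host.items():
        rows = []
        for header in headers:
            cookie = parse_set_cookie(host, header)
            kind = classify(cookie.name)
            if kind in SESSION_KINDS:
                rows.append((cookie.name, kind, attribute_findings(cookie)))
        result[host] = rows
    return result


# Constructed sample responses; the hex cookie name is invented for the example.
SAMPLE = {
    "api.joomla.org": [],
    "www.joomla.org": [
        "3f2a9c1d8b7e6a5f4c3d2e1f0a9b8c7d=kq4t9v8b2nld; path=/; secure; HttpOnly; SameSite=Lax",
    ],
    "issues.joomla.org": ["PHPSESSID=8d4f0c2a1b3e4f5a6b7c8d9e0f1a2b3c; path=/"],
    "forum.joomla.org": [
        "phpbb3_cnuw4_u=1; path=/; secure; HttpOnly",
        "phpbb3_cnuw4_k=; path=/; secure; HttpOnly",
        "phpbb3_cnuw4_sid=f00d1234abcd5678f00d1234abcd5678; path=/; secure; HttpOnly",
        "ct_checkjs=123; path=/",
    ],
}

if __name__ == "__main__":
    for host, rows in inventory(SAMPLE).items():
        print(host, rows or "no session cookies")
```

Running it against live sites only needs the constructed SAMPLE replaced by the Set-Cookie headers captured from each subdomain; the classification deliberately never hard-codes a Joomla cookie name, since the thread's point is that the name is different on every installation.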

conconnl commented 4 years ago

@joomla/privacy-compliance-team please don't forget to process this to finalize the cookie policy

conconnl commented 3 years ago

@dkalnenaite can you please let the team finalize the Cookie Policy https://www.joomla.org/cookie-policy.html

conconnl commented 3 years ago

Closing for lack of response