NYPHP.org

[joomla] question about cookies in joomla

Gary Mort garyamort at gmail.com
Thu Sep 15 13:43:16 EDT 2011


Joomla sets a session cookie. The session cookie stores a unique 
string on your workstation which is then used to track you as a 
"visitor" to the site. Properly behaving components will generally 
store any other data associated with your session in the session 
variable [though this does not work for all use cases; for example, 
shopping carts may need to keep their own cookie set for your shopping cart].

You can use an extension like 
https://chrome.google.com/webstore/detail/kbnfbcpkiaganjpcanopcgeoehkleeck?hc=search&hcp=main 
to view the active cookies.

The session cookie name is an MD5 hash of logged in username, IP 
address, and some other info. So it is practically meaningless. As is 
its value. For example, on one website right now my session cookie 
value is: f5fc5356924c8ed30c9bca2ac70761bf and the name is equally 
meaningless.

In addition to the session cookie, if you have set the "remember me" 
flag there is also a remember me cookie saved with an encrypted version 
of your username and password.

Lastly, it's extremely difficult to disable these cookies... though of 
course it can be done, for example:
http://www.commerce.gov/
is a Drupal site which does not set a session cookie.

The session cookie is needed for user logon [or some really alternate 
method of logon has to be used] - but for anonymous users it can be done.

On the downside, it's not done yet, as evidenced by:
http://forum.joomla.org/viewtopic.php?p=2613084

My general understanding is that when they say disclose, they don't mean 
you have to specify the cookie names, you simply must specify what 
cookies are set, what they are for, and how long they last.  Something like:
http://www.nist.gov/public_affairs/privacy.cfm

On 9/15/2011 12:51 PM, Laura Gordon wrote:
> Hi all,
>
> Question for you, I have been told that all government sites need to 
> disclose all cookies that are on their website, here is my question...
>
> How can you 'disclose this', with the number of different components 
> and how they all work?
>
> so where are the cookies in:
> joomla
> docman
> rsforms
> sobi2
>
> Anyone else on a government site, and were able to overcome this 
> requirement, and how?
>
> thanks,
> Laura
>
> -- 
> I have a new email address: rytech123 at gmail.com 
> <mailto:rytech123 at gmail.com>
>
> Member of www.JoomlaNYC.org <http://www.JoomlaNYC.org>
> Trainer for www.JoomlaTraining.com <http://www.JoomlaTraining.com>
> Sponsor for www.JoomlaDayNYC.com <http://www.JoomlaDayNYC.com>
>
> Come to JoomlaDayNYC.com - 2011 - October 22 & October 23
>
> www.RytechSites.com <http://www.RytechSites.com>
> Dynamic Websites for your company!
>
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
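
The disclosure approach described in the message above (which cookies are set and how long they last), as an added example that is not part of the original post: a Python script that turns captured `Set-Cookie` headers into inventory rows for a privacy notice. The sample headers, the receive time and the names `parse_set_cookie` and `inventory` are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured from any real site). The 32-hex
# name mimics the hashed session cookie name described in the message.
SAMPLE_HEADERS = [
    "d41d8cd98f00b204e9800998ecf8427e=f5fc5356924c8ed30c9bca2ac70761bf; path=/; HttpOnly",
    "remember_example=c2FtcGxl; expires=Sat, 15 Oct 2011 17:43:16 GMT; path=/",
    "cart_id=8841; Max-Age=86400; Path=/shop; Secure",
]
# Constructed time at which the headers were "received".
RECEIVED = datetime(2011, 9, 15, 17, 43, 16, tzinfo=timezone.utc)
HASHED_NAME = re.compile(r"^[0-9a-f]{32}$")


def parse_set_cookie(header, received_at):
    """Return name, lifetime in seconds (None means session cookie), flags."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name = pair.partition("=")[0].strip()
    lifetime, max_age_seen, flags = None, False, []
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age" and val.lstrip("-").isdigit():
            lifetime, max_age_seen = int(val), True  # Max-Age overrides Expires
        elif key == "expires" and not max_age_seen:
            try:
                delta = parsedate_to_datetime(val) - received_at
                lifetime = int(delta.total_seconds())
            except (TypeError, ValueError):
                pass  # unparseable date: leave it as a session cookie
        elif key in ("secure", "httponly"):
            flags.append(key)
    return {"name": name, "lifetime": lifetime, "flags": flags}


def inventory(headers, received_at):
    """One (label, duration, flags) row per cookie for a privacy notice."""
    rows = []
    for header in headers:
        c = parse_set_cookie(header, received_at)
        label = "<hashed name>" if HASHED_NAME.match(c["name"]) else c["name"]
        if c["lifetime"] is None:
            duration = "session"
        else:
            duration = f"{max(c['lifetime'], 0) // 86400}d"
        rows.append((label, duration, ",".join(c["flags"]) or "-"))
    return rows
```

Each row still needs a human-written purpose, which only the component's documentation or code can supply.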
