Is it possible to block cookies from being set using Javascript or PHP?

php javascript cookies blocking
freestate picture freestate · Apr 24, 2012 · Viewed 26.9k times · Source

A lot of you are probably aware of the new EU privacy law, but for those who are not, it basically means no site operated by a company resident in the EU can set cookies classed as 'non-essential to the operation of the website' on a visitors machine unless given express permission to do so.

So, the question becomes how to best deal with this?

Browsers obviously have the ability to block cookies from a specific website built in to them. My question is, is there a way of doing something similar using JS or PHP?

i.e. intercept any cookies that might be trying to be set (including 3rd party cookies like Analytics, or Facebook), and block them unless the user has given consent.

It's obviously possible to delete all cookies once they have been set, but although this amounts to the same thing as not allowing them to be set in the first place, I'm guessing that it's not good enough in this case because it doesn't adhere to the letter of the law.

Ideas?

Answer

Michael picture Michael · May 31, 2012

I'm pretty interested in this answer too. I've accomplished what I need to accomplish in PHP, but the JavaScript component still eludes me.

Here's how I'm doing it in PHP:

$dirty = false;
foreach(headers_list() as $header) {
    if($dirty) continue; // I already know it needs to be cleaned
    if(preg_match('/Set-Cookie/',$header)) $dirty = true;
}
if($dirty) {
    $phpversion = explode('.',phpversion());
    if($phpversion[1] >= 3) {
        header_remove('Set-Cookie'); // php 5.3
    } else {
        header('Set-Cookie:'); // php 5.2
    }        
}

Then I have some additional code that turns this off when the user accepts cookies.

The problem is that there are third party plugins being used in my site that manipulate cookies via javascript and short of scanning through them to determine which ones access document.cookie - they can still set cookies.

It would be convenient if they all used the same framework, so I might be able to override a setCookie function - but they don't.

It would be nice if I could just delete or disable document.cookie so it becomes inaccessible...

EDIT: It is possible to prevent javascript access to get or set cookies.

document.__defineGetter__("cookie", function() { return '';} );
document.__defineSetter__("cookie", function() {} );

EDIT 2: For this to work in IE:

if(!document.__defineGetter__) {
    Object.defineProperty(document, 'cookie', {
        get: function(){return ''},
        set: function(){return true},
    });
} else {
    document.__defineGetter__("cookie", function() { return '';} );
    document.__defineSetter__("cookie", function() {} );
}

Related questions

What are cookies and sessions, and how do they relate to each other?

I am trying to understand cookies and sessions professionally. I know that when a browser connects to a server, the server "asks" the browser to "paste" a cookie with "phpsessid" in the client browser cookies folder. Now that we have …

Read More
How to delete cookie with HttpOnly using PHP or JS

I have a cookie with these parameters: Name: workgroup_session_id Content: "" Domain: agrobman1.tsi.lan Path: / Send for: Any kind of connection Accessible to script: No (HttpOnly) Created: Wednesday, November 4, 2015 at 9:31:58 AM Expires: When the browsing session ends I …

Read More
Set cookie on multiple domains with PHP or JavaScript

I have 3 domains that are themed the same. If somebody chooses a different theme, I want it to propagate across all 3 domains so their experience stays the same. I was planning to accomplish this by setting a cookie on domain1, …

Read More