After a user opts out of Cookies, can I remove the cookie? - cookies

I visited the Information Commissioner's Office (ICO) https://ico.org.uk/ which is the commissioner who is in charge of things like GDPR and cookies in the UK.
They have the option to opt out of cookies, which I duly did. I then refreshed and I could still see cookies being loaded for Google Analytics.
A few days later I returned and the cookie must have expired. Were my original findings due to browser cache? And if so, is there a way to force browsers to forget cookies? I would find this more compliant with the user's wishes.
I think if a cookie can expire, then perhaps you could set the expiry date to now when a user opts out. Or set the cookie to 1900 or something similar so it expires. Or set it to null if that would make a difference.
Is it possible to remove a cookie instantly when a user opts out, or is that entirely down to the browser settings?

Yes. To force a cookie to expire, return one with your response with a matching path and name, but an expiry time in the past. The browser will consider it expired and delete it.
Pretty much every site using Google Analytics is going to be betraying your wishes (and breaking the law, at least in the EU), since that's what its default configuration does, and it's very rare that anyone changes it to anything else.
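The deletion described in the answer above, as an added example that is not part of the original thread. It goes slightly beyond the answer by also matching on Domain, which browsers treat as part of a cookie's identity alongside name and path; the jar is a simplified model, and `example.org`, `sid` and the cookie values are constructed for illustration.

```javascript
// Parse a Set-Cookie header into the fields a browser uses to store or replace a cookie.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: requestHost, path: '/', expires: null };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : a.slice(i + 1);
    if (k === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (k === 'path') c.path = v;
    else if (k === 'expires') c.expires = Date.parse(v);
    else if (k === 'max-age') c.expires = Date.now() + Number(v) * 1000;
  }
  return c;
}

// Simplified browser cookie jar: a cookie's identity is (name, domain, path).
class Jar {
  constructor() { this.cookies = new Map(); }
  set(header, requestHost) {
    const c = parseSetCookie(header, requestHost);
    const key = `${c.name}|${c.domain}|${c.path}`;
    // An already-expired cookie evicts the stored cookie with the same identity.
    if (c.expires !== null && c.expires <= Date.now()) this.cookies.delete(key);
    else this.cookies.set(key, c);
  }
  names() { return [...this.cookies.values()].map(c => c.name).sort(); }
}

// Server side: the Set-Cookie header to send when the user opts out.
function expireHeader(name, { domain, path = '/' } = {}) {
  let h = `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=${path}`;
  if (domain) h += `; Domain=${domain}`;
  return h;
}

function optOutDemo() {
  const jar = new Jar();
  // Constructed state: analytics cookie on the parent domain, session cookie on the host.
  jar.set('__utma=1.2.3.4.5.6; Domain=example.org; Path=/; Max-Age=63072000', 'www.example.org');
  jar.set('sid=abc; Path=/', 'www.example.org');
  jar.set(expireHeader('__utma'), 'www.example.org'); // no Domain: identity does not match
  const afterMismatch = jar.names();
  jar.set(expireHeader('__utma', { domain: 'example.org' }), 'www.example.org');
  return { afterMismatch, afterMatch: jar.names() };
}
```

The first expiry header leaves the analytics cookie in place because it targets a different (name, domain, path) triple; only the second one, which repeats the attributes the cookie was set with, removes it.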

Related

In what way is localStorage better than cookies from the privacy point of view?

If you don't use third-party cookies, or they are blocked in the browser's settings, and if your cookies have the SameSite=Strict attribute, how does their behavior differ from localStorage? If your site uses localStorage, it can still save some user_id in there and identify the user. Actually, it can even send this user_id to a third party!
So what's the difference?
Why are there these nagging messages on every other site about using cookies, but not about using any other kind of local storage?
And yes, I understand that cookies are sent with every request, while with localStorage you need to intentionally send the locally saved info. But still, nobody warns that they can identify a user and even leak this info, just that they use cookies. Isn't this just an illusion of privacy, and wouldn't everyone be better off without this illusion?
localStorage is also known as Web Storage, HTML5 Storage, and DOM Storage (these all mean the same thing).
localStorage is similar to sessionStorage, except that data stored in localStorage has no expiration time, while data stored in sessionStorage gets cleared when the browsing session ends (i.e. when the browser / browser tab is closed). Session storage is used much less often than localStorage, and exists only within the current browser tab - even two tabs loaded with the same website will have different sessionStorage data. sessionStorage data survives page refresh, but not closing/opening the tab. LocalStorage data, on the other hand, is shared between all tabs and windows from the same origin. LocalStorage data does not expire; it remains after the browser is restarted and even after OS reboot.
Both localStorage and sessionCookies work in the same way and can be altered by the user.
Session cookies (if not persistent) are usually removed when you close the browser.
Session cookies are usually used for keeping track of login information, shopping carts, etc.
localStorage still persists even though you've closed the browser, and does not expire.
A final note: both localStorage and cookies can be altered by the user and hence provide no security whatsoever.

What happens if Cookie 'Expires/Max-Age' is 'N/A' or not set

I tried to increase the cookie expiry time and activated sliding expiry.
But the cookie expiry is still "N/A".
What problems will it cause, and why is the expiry not shown? In this case, what will happen to the cookie? When will it expire?
It means the cookie will expire at the end of the session (when the browser closes, but not always).
When user privacy is a concern, it is important that any web app implementation will invalidate cookie data after a certain timeout and won't rely on the browser clearing session cookies.
One of the most beloved features of Firefox prevents session cookies from ever expiring. The same issue is also occurring with Google Chrome (and probably with other browsers offering similar features).
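One way to invalidate the session on the server instead of relying on the browser dropping a session cookie, as an added example that is not part of the original thread. The 30-minute sliding idle window, the 8-hour absolute cap and the session ids are assumptions chosen for illustration.

```javascript
const MINUTE = 60 * 1000;
const IDLE_MS = 30 * MINUTE;          // sliding window: reset on each valid request
const ABSOLUTE_MS = 8 * 60 * MINUTE;  // hard cap: never extended by activity

class SessionStore {
  constructor() { this.sessions = new Map(); }

  // In a real application the id is a long random value; here it is a constructed label.
  create(id, userId, now) {
    this.sessions.set(id, { userId, createdAt: now, lastSeen: now });
  }

  // Returns the session if it is still valid (and slides the idle window), else null.
  // The cookie's own Expires/Max-Age is never consulted: the server decides.
  validate(id, now) {
    const s = this.sessions.get(id);
    if (!s) return null;
    const idleTooLong = now - s.lastSeen > IDLE_MS;
    const tooOld = now - s.createdAt > ABSOLUTE_MS;
    if (idleTooLong || tooOld) {
      this.sessions.delete(id); // a restored browser session presents a dead id
      return null;
    }
    s.lastSeen = now;
    return s;
  }
}

function sessionDemo() {
  const store = new SessionStore();
  store.create('s1', 'alice', 0);
  const at20 = store.validate('s1', 20 * MINUTE) !== null; // active, window slides
  const at45 = store.validate('s1', 45 * MINUTE) !== null; // 25 min idle: still valid
  const at80 = store.validate('s1', 80 * MINUTE) !== null; // 35 min idle: rejected

  // A client that stays active every 20 minutes still hits the absolute cap.
  store.create('s2', 'bob', 0);
  let capHitAtMin = null;
  for (let m = 20; m <= 600 && capHitAtMin === null; m += 20) {
    if (store.validate('s2', m * MINUTE) === null) capHitAtMin = m;
  }
  return { at20, at45, at80, capHitAtMin };
}
```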

What is cookie length and how can I find what cookie length my site uses?

A pay-per-click company asked me what cookie length we use for our website, but I have no idea what this means. I then googled it and found that I should look under Google Chrome > Developer tool > Resource > Cookies, but there were many other cookies for our site. Which one should I consider?
PHPSESSID
__unam
__utma
__utmb
__utmc
__utmz
__stid
__uset
A site never has a fixed cookie length. Every single cookie can have a different time and date on which it expires. I'm not sure which one you should consider. That depends on which cookies you are interested in. For example, if you want to know how much longer the PHP session will exist, look what the cookie expire date of PHPSESSID is.

Redirect returning users to specific page

This question is more conceptual than asking for actual code.
I want to redirect returning anonymous users to a page other than the home page. Is there any other way to do this than to use a cookie? Is a cookie an OK way of accomplishing this? I'm worried about the reliability of cookies, but maybe I'm mistaken in questioning that.
Thanks for any help.
I would say create a session state instead if you're worried about cookie reliance.
You can make the session state last a bit longer than the default. Keep it as small as possible, i.e. a simple bool.
As long as the cookies stay on the same domain, they should be considered first-party cookies.
I think it is safe to assume that a significantly large majority of browsers only reject 3rd party cookies.
Since security (it is on the client side and subject to attack) and filesize (cookies usually have a maximum size) do not seem to be an issue here, why not?
If you are thinking about a security issue, then it is better to use Session for this.
But if you want to use a third-party cookie, then take care of the following points while setting up the cookie.
Use a persistent cookie (set the expiry date of the cookie).
Create the cookie with the HttpOnly parameter.
If your server is using a secure connection (i.e. HTTPS), then use a Secure cookie.

Modifying and protecting cookies

I am trying to modify a cookie, specifically the pass_hash cookie that the ipb forums set. I have tried several different extensions for Firefox to modify this cookie and set it, and cannot seem to do so.
The cookie seems to expire as soon as it is created. I am trying to set it to expire one year from now. I cannot modify this cookie in any form. Even deleting that cookie and making a new cookie will not work... possibly since it is being overwritten.
Why is this the case, and is there any way to force it to stay?
I guess, it depends on the server-side. If you on the client side manipulate the cookie to live 'forever', the server still can delete it. If this ipb forum software has a policy of 'one-way' cookies, that is, deletes every cookie and writes a new one, or resets the expire date on the server side, there is nothing you can do about it.
Cheers,