    • 18137
    • 3 Posts
    So I totally agree that for nearly all circumstances a cookie-based temporary session var is appropriate and often necessary, but in this specific circumstance I can see why they’d want to be 1000% sure that no cookie is set.

    Zap has it on the money here. And the rest of the conversation already got to what I might have said. All the research shows that abuse takes place across classes. And the security improvement from not using cookies is marginal at best. In the end it just comes down to statistics, and the want to minimize the amount of info left on the machine (in this case, if the browser isn’t closed completely after use). Certainly, the bigger threats are history and cache.

    The strategy there is to educate the user, and to begin with the admonition to use a friend’s computer, or one at a library, to avoid abuser surveillance. Most of the more well-funded abuse hotline sites I’ve looked at have pretty elaborate information on this front. www.safehorizon.org is a good example. It has elaborate browser-specific instructions for covering your tracks, and always starts by saying the best defense is to just not use a computer at home. This info is important though, as noted above, because people won’t think of it until it is too late: they’re already on the site and they’ve already populated their cookies/cache/history with revealing info.

    Thanks again everyone for the discussion and help. I’ll be sure to amend this thread with a link to the site when it goes live, for ModX community posterity.

      • 33372
      • 1,611 Posts
      I’m sure that folks here in the MODx community would be glad to help you to fine-tune your history/cache deletion instructions and otherwise help out in any way we can. We do that for everyone, but in your case I bet a lot of folks would make a special effort. Good luck on your project!
        "Things are not what they appear to be; nor are they otherwise." - Buddha

        "Well, gee, Buddha - that wasn't very helpful..." - ZAP

        • 44375
        • 92 Posts
        I am trying to make a sitemap.xml generator. The page is produced perfectly when I visit in my browser with cookies, but it seems Google's indexer doesn't do cookies, so when Google requests sitemap.xml it goes into an infinite 302 redirect. (The same thing happens when I disable cookies in my browser.) I'm using MODx 0.9.6.

        Do I have to edit index.php do you think? Will it suffice to leave the PHP settings as they are, but put:
        // Start the CMS session for every request except the sitemap
        if ($_SERVER['REQUEST_URI'] !== "/sitemap.xml") {
            startCMSSession();
        }
          • 44375
          • 92 Posts
          Solved it (in a very horrible way). Turns out someone had already cannibalized my index.php, but the solution for others who don't have this issue is, I think, to hack about with index.php. I found my initial solution didn't work in some contexts so I've edited this post.

          In my index.php, the cannibalization started with a session_start() and a load of awful code. I surrounded it with:
          if ($_SERVER['REQUEST_URI'] !== "/sitemap.xml") {
              session_start();
              // BIG MESS OF CODE FUDGING SESSION AND REQUEST VARIABLES - after which I added:
          }

          Later on there is:
          	@ini_set('session.use_trans_sid', 0);
          	@ini_set('session.use_only_cookies',1);

          I replaced that with:
          if ($_SERVER['REQUEST_URI'] !== "/sitemap.xml") 
          {
          	@ini_set('session.use_trans_sid', 0);
          	@ini_set('session.use_only_cookies',1);
          }
          else
          {
          	@ini_set('session.use_trans_sid', 1);
          	@ini_set('session.use_only_cookies',0);
          }

          Later on there is:
          // start session 
          startCMSSession();

          Which became:
          if ($_SERVER['REQUEST_URI'] !== "/sitemap.xml") 
          {
          	// start session 
          	startCMSSession();
          }

          I am not sure if session_start() is part of the default index.php or not - as I say my index.php was cannibalized. Equally, some server configurations mean the return value of REQUEST_URI will be different.

          If you don't know PHP then do NOT do this - there are a few uncertainties that might be different on your server.

          If you do know PHP, take a spare copy of your original index.php beforehand anyway; I resorted to mine many times when the site went down. Save it somewhere safe and close the file so you don't edit it accidentally. Lose this at your peril.

          ENORMOUS thanks to the people on this post, without whom I'd be tearing my hair out. I know some of you are still on these forums 5 years on. [ed. note: technicaltitch last edited this post 10 years, 9 months ago.]
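
Added example (not part of the original posts and not MODx code): the posts compare REQUEST_URI to "/sitemap.xml" by exact string and note that its value differs between servers, so this sketch matches on the parsed path instead, which also covers query strings and absolute-form URIs. Because no session is started on the sitemap path, it leaves session.use_only_cookies at 1 and session.use_trans_sid at 0 for every request, which keeps session IDs out of URLs. Assumes PHP 7 or later; needs_session() and $sessionless are hypothetical names, and the sample URIs are constructed.

```php
<?php
// Added example, not MODx code. needs_session() and $sessionless are hypothetical.

/**
 * Return true when the request should get a session, false for paths that
 * must be served without cookies or redirects (here: the sitemap).
 */
function needs_session(string $requestUri, array $sessionlessPaths): bool
{
    // REQUEST_URI may carry a query string or, behind some proxies, a full URL;
    // parse_url() isolates the path component in both cases.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return true; // unparsable input: keep the normal session behaviour
    }
    // Decode percent-escapes so "/sitemap%2Exml" compares equal to "/sitemap.xml".
    $path = rawurldecode($path);
    // Strict comparison against an explicit allow-list, no prefix matching.
    return !in_array($path, $sessionlessPaths, true);
}

$sessionless = ['/sitemap.xml'];

// Constructed sample values of $_SERVER['REQUEST_URI'].
$samples = [
    '/sitemap.xml',                    // plain request
    '/sitemap.xml?utm_source=test',    // query string appended
    'http://example.com/sitemap.xml',  // absolute-form URI
    '/sitemap%2Exml',                  // percent-encoded dot
    '/index.php?id=1',                 // ordinary page: needs a session
    '/sitemap.xml.php',                // similar name: must not be exempted
];

foreach ($samples as $uri) {
    $answer = needs_session($uri, $sessionless) ? 'yes' : 'no';
    printf("%-34s session: %s\n", $uri, $answer);
}

// In index.php the call sites would then read (startCMSSession() is the MODx
// function quoted in the post above); the ini settings stay unconditional:
//   @ini_set('session.use_trans_sid', 0);
//   @ini_set('session.use_only_cookies', 1);
//   if (needs_session($_SERVER['REQUEST_URI'] ?? '/', $sessionless)) {
//       startCMSSession();
//   }
```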