    • 18137
    • 3 Posts
    Hello,

    I’m working on a small website for a non-profit that provides services to victims of domestic violence and sexual abuse. The client has requested that the site not leave any cookies on visitor’s computer. It’s not just identifying info they’re worried about. For example, they don’t want a prying batterer to be able to figure out their victim has been seeking help online.

    I don’t need Quickedit functionality, or any other bells and whistles on the frontend that might require a session. I am using Wayfinder and cached content. Is there any way to make MODx NOT send a cookie to a visitor’s browser?

    I’ve dredged the wiki, forums and google generally, and I’m coming up empty-handed! Has anyone accomplished this?

    Thanks!
      • 33372
      • 1,611 Posts
      Hmm. Interesting question. I was under the (mis)impression that MODx only used cookies to track Manager sessions. So that would mean that the public viewing the site would not have any cookies set; only users who login to the Manager would. However I see now that if I delete all my cookies for a particular MODx site and then just view the public website, it is in fact setting at least one cookie (which expires when the session ends, so it would be deleted upon closing the browser).

      I don’t know of any reason why MODx would need to set a cookie for public users, but I suppose it could be related to the old visitor stats system or something like that. I’m seeing this session cookie (with a unique serial number) even when Log Stats is turned off, however. Anyone else know why this is being set and if it still serves any useful purpose?

      I’ll see if I can find where this is set in the MODx parser so you can disable it. Hopefully no one will chime in that it’s essential in some way that I can’t fathom. Also keep in mind that if you use services like Google Analytics that they may also set cookies that would identify the site that was visited.
        "Things are not what they appear to be; nor are they otherwise." - Buddha

        "Well, gee, Buddha - that wasn't very helpful..." - ZAP

        Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
        • 33372
        • 1,611 Posts
        OK I think I may have figured it out. I found that the main index.php file (in the root of the site) sets these session cookies, and there is also some code that specifies that PHP sessions should be saved as cookies (instead of part of the query string), which I think would also be a good idea to change. I’ve just made these changes on a test installation and I didn’t immediately see any issues (Manager use is unaffected, and the cookies are no longer set).

        Try making these changes also and see how it works for you. Both are in the main index.php file. The first is at or around line 59; the changed code should read:
        @ini_set('session.use_trans_sid', 1);
        @ini_set('session.use_only_cookies',0);

        All I’ve done here is to reverse the 0 and 1 in these two configs. I’m not really sure that this is necessary, but I figure it’s better to be safe than sorry in these circumstances.

        The second change is just commenting out the following line at around line 108:
        // start session 
        // startCMSSession();

        All I did here is to comment out the startCMSSession function so that it does not run. This is the function that sets these temporary session vars. It’s located in manager/includes/config.inc.php if you’re curious about it.

        I don’t think that these session vars should be necessary if you’re not doing anything like allowing web users to login from the front end, etc., but I’ve never investigated this before tonight so maybe someone who’s worked with this code more can verify this. I wouldn’t think that it’s necessary, and it seems to work fine when I try it out. Manager login and use should be unaffected.

        Let us know if this helps you or if you have any problems.
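          A way to verify the result of the two index.php changes above, as an added example that is not code from the MODx project or from anyone in this thread: it lists every Set-Cookie header in a response and says whether each cookie is a session cookie (no Expires/Max-Age, so the browser drops it on close) or a persistent one. The two header lists are constructed for illustration (PHPSESSID is PHP's default session cookie name); the host name on the command line, the request path and the User-Agent string are whatever you choose.

```python
"""Report every cookie a page sets, and whether it is session-only or persistent."""
from http.client import HTTPConnection, HTTPSConnection


def parse_set_cookie(value: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return {"name": "", "value": "", "persistent": False, "attrs": {}}
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    # No Expires and no Max-Age means the cookie lives only for the browser session.
    persistent = "expires" in attrs or "max-age" in attrs
    return {"name": name.strip(), "value": val.strip(),
            "persistent": persistent, "attrs": attrs}


def cookies_from_headers(headers) -> list:
    """Parse every Set-Cookie header in a list of (name, value) pairs."""
    return [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def fetch_headers(host: str, path: str = "/", https: bool = False) -> list:
    """Fetch one page and return its response headers as (name, value) pairs."""
    conn = (HTTPSConnection if https else HTTPConnection)(host, timeout=10)
    conn.request("GET", path, headers={"User-Agent": "cookie-audit/1.0"})
    resp = conn.getresponse()
    headers = resp.getheaders()  # duplicate Set-Cookie headers are all kept
    conn.close()
    return headers


def report(headers) -> str:
    """Human-readable verdict for one response."""
    cookies = cookies_from_headers(headers)
    if not cookies:
        return "OK: no Set-Cookie headers"
    lines = []
    for c in cookies:
        kind = "persistent" if c["persistent"] else "session"
        lines.append(f"WARNING: {kind} cookie {c['name']!r} set (attrs: {c['attrs']})")
    return "\n".join(lines)


# Constructed samples: what a stock install answers for a public page, and the
# same page after the index.php changes.
UNPATCHED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=3f9c2a1d7b6e4c5a; path=/"),
]
PATCHED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python cookie_audit.py example.org [/path]
        hdrs = fetch_headers(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    else:
        hdrs = UNPATCHED_HEADERS
    print(report(hdrs))
```

          Run it against several pages, not just the front page, and do so after clearing the site cache: as noted later in this thread, a cached page can keep sending the cookie until the cache is rebuilt. Anything that the pages embed from third parties (analytics scripts, embedded widgets) answers from its own host and must be checked separately.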
          • 18137
          • 3 Posts
          Wow, Zap,

          I can’t tell you how much you’ve made my weekend!

          I had tried the first change, thinking that all by itself would do it, but it didn’t seem to affect things. Then I was trying to eliminate the startCMSSession function’s functionality altogether, which of course was rendering the backend inoperable. I had given up on the problem as impossible to solve!

          I’ll just make one note: on my ModX install the second change (commenting out the call to startCMSSession) didn’t register (meaning, the site kept leaving a session cookie) until I went into the backend and cleared the site cache. Works like a charm now!

          Thanks so much for your time. My sanity (AND client relationship) remain intact, thanks to you!

          • Though you might be able to get that to work, MODx itself will not work properly without session cookies, nor will any add-on that uses session data. The alternative in PHP, using session IDs in the query string, is not recommended for any purpose in any case, as it is extremely vulnerable to session fixation attacks. This is really a PHP issue, not MODx.

            But session cookies store nothing personal on the person’s computer, and are used only for the purposes of maintaining your identity when browsing that site. IMHO, if you are afraid of session cookies, you probably ought to go back to pen and paper, and make sure not to use your own handwriting.

            And the real issue is making sure these people know how to clear their browser history anyway; the session cookies are removed automatically when the browser is closed, unless you use the checkboxes to make the cookie last longer.
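            The session fixation risk raised above, shown as an added example that is not MODx or PHP code: a tiny in-memory session server models the two PHP configurations from this thread, one that accepts a session ID from the URL (session.use_trans_sid=1, session.use_only_cookies=0, with PHP's old default of no strict session mode) and one that takes the ID only from the cookie and regenerates it at login (session.use_only_cookies=1 plus session_regenerate_id()). The host example.org, the user names and the attack flow are constructed for the demonstration.

```python
"""Session fixation: an attacker chooses the session ID the victim will log in under."""
import secrets
from urllib.parse import parse_qs, urlparse

SESSION_NAME = "PHPSESSID"  # PHP's default session name


class SessionServer:
    def __init__(self, accept_url_sid: bool, regenerate_on_login: bool):
        self.accept_url_sid = accept_url_sid          # session.use_trans_sid / !use_only_cookies
        self.regenerate_on_login = regenerate_on_login  # session_regenerate_id(true) at login
        self.store = {}  # session id -> session data

    def _resolve(self, cookie_sid, url_sid) -> str:
        """Pick the session for a request the way PHP does without strict mode:
        any supplied ID is accepted, and a session is created under it."""
        sid = cookie_sid
        if sid is None and self.accept_url_sid:
            sid = url_sid
        if sid is None:
            sid = secrets.token_hex(16)
        self.store.setdefault(sid, {})
        return sid

    def login(self, url: str, cookie_sid, user: str) -> str:
        """Handle a login request; return the session ID the client now holds."""
        url_sid = parse_qs(urlparse(url).query).get(SESSION_NAME, [None])[0]
        sid = self._resolve(cookie_sid, url_sid)
        if self.regenerate_on_login:
            # Move the data to a fresh ID and drop the old one, so an ID that
            # existed before login (chosen by anyone) no longer maps to the user.
            data = self.store.pop(sid)
            sid = secrets.token_hex(16)
            self.store[sid] = data
        self.store[sid]["user"] = user
        return sid

    def whoami(self, cookie_sid=None, url_sid=None):
        """Return the user bound to the presented session, or None."""
        sid = self._resolve(cookie_sid, url_sid)
        return self.store[sid].get("user")


def run_fixation_attack(server: SessionServer):
    """Attacker fixes an ID, the victim logs in through the attacker's link, and
    the attacker then presents the same ID.  Returns who the attacker is logged in as."""
    fixed_sid = secrets.token_hex(16)  # any value; the server accepts unknown IDs
    link = f"http://example.org/login?{SESSION_NAME}={fixed_sid}"  # constructed host
    server.login(url=link, cookie_sid=None, user="victim")
    return server.whoami(cookie_sid=fixed_sid)


if __name__ == "__main__":
    for accept_url, regen in [(True, False), (True, True), (False, True)]:
        srv = SessionServer(accept_url_sid=accept_url, regenerate_on_login=regen)
        print(f"url_sid_accepted={accept_url} regenerate_on_login={regen}: "
              f"attacker is logged in as {run_fixation_attack(srv)!r}")
```

            Regenerating the ID at login defeats this particular attack even when URL session IDs are accepted, but an ID in the query string still ends up in browser history, server logs and Referer headers, which for this site's visitors is exactly the trace the client wants to avoid. A front end that needs no sessions at all is better off not starting one, as the second change above does, than moving the ID from the cookie into the URL.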
              • 33372
              • 1,611 Posts
              Quote from: mangus76 at Oct 06, 2007, 04:21 PM
              I can’t tell you how much you’ve made my weekend!
              Glad to hear it - keep up the good work!

              Quote from: mangus76 at Oct 06, 2007, 04:21 PM

              I’ll just make one note: on my ModX install the second change (commenting out the call to startCMSSession) didn’t register (meaning, the site kept leaving a session cookie) until I went into the backend and cleared the site cache. Works like a charm now!
              I forgot that might be necessary, so it’s a good thing that you knew to do that.

              Quote from: OpenGeek at Oct 06, 2007, 04:28 PM

              Though you might be able to get that to work, MODx itself will not work properly without session cookies, nor will any add-on that uses session data. The alternative in PHP, using session id’s in the query string is not recommended for any purpose in any case, as it is extremely vulnerable to session fixation attacks. This is really a PHP issue, not MODx.
              It doesn’t sound as if they’re going to be using any add-ons like this, though. If all they want is an anonymous front-end and they understand that they’re basically giving up on using sessions, then this seems like as good a solution as any to me. Since these changes are only made in index.php, the back-end should still work as usual (and if they decide later that they really do need sessions in the front end, it wouldn’t be hard to write a quick mod_rewrite that sets a var in the query string that turns them on when requested via URL).

              Quote from: OpenGeek at Oct 06, 2007, 04:28 PM

              But session cookies store nothing personal on the persons computer, and are used only for the purposes of maintaining your identity when browsing that site. IMHO, if you are afraid of session cookies, you probably ought to go back to pen and paper, and make sure not to use your own handwriting.

              Right, and in nearly all cases the session var would be destroyed when the person closes their browser. But this is a situation where paranoia is absolutely warranted. If an abuser were to come home while the browser was still open and look at the person’s cookies, they would see one set to www.domesticabusehotline.org (or whatever), and that would not be a good thing. Sounds unlikely, I know, but my mother has worked in domestic abuse projects for decades now, and you would not believe the stories I could tell you...

              So I totally agree that for nearly all circumstances a cookie-based temporary session var is appropriate and often necessary, but in this specific circumstance I can see why they’d want to be 1000% sure that no cookie is set.

              Of course, you should probably also explain to people how to clear the site from their history and cache files, since those are much more likely to give a person away than a temporary session cookie...
              • I was gonna say, unless the [computer] literacy rate for wife-beaters is going up, the browser history is of much more concern. I know very few of my clients who even know what session cookies are, let alone how to find them.
                  • 21496
                  • 225 Posts
                  Quote from: mangus76 at Oct 05, 2007, 10:33 PM

                  I’m working on a small website for a non-profit that provides services to victims of domestic violence and sexual abuse. The client has requested that the site not leave any cookies on visitor’s computer. It’s not just identifying info they’re worried about. For example, they don’t want a prying batterer to be able to figure out their victim has been seeking help online.

                  I think what your client needs to know is that leaving cookies behind is only one element amongst several that make it possible to trace online activities. If a guy knows how to check cookies, aren’t chances very high he might also know how to check the browser history and the browser cache?

                   So for safety reasons, your client would have to educate the visitors on how to erase all traces. Doing that in a situation that is emotionally so charged as these things usually are when someone is reaching out for help might simply be too overwhelming. I wonder how many people here know how to selectively delete all traces of a single domain they were visiting. I don’t. And if your client is worried what might happen when the batterer finds a cookie, what does she think happens when he finds a deleted browser history? And if they are assuming he is so suspicious that he is checking those things and controlling her that much, what about the chances he has already installed a keylogger?

                  IMO, avoiding cookies is adding nothing to the security level here. And as Jason mentioned, the cookies are removed automatically when the browser is closed. So the real issue would be all the other traces.
                    René
                    • 21496
                    • 225 Posts
                    Quote from: OpenGeek at Oct 06, 2007, 04:47 PM

                    I was gonna say, unless the [computer] literacy rate for wife-beaters is going up, the browser history is of much more concern.

                    As a side note and a bit off topic, wife beaters can actually be found in all social classes.
                      René
                    • Quote from: nightsignals at Oct 06, 2007, 05:12 PM

                      As a side note and a bit off topic, wife beaters can actually be found in all social classes.
                      Yeah, fair enough -- I retract that statement; my girlfriend straightened me out on this one, too. I guess I just like to think that someone with ill-intentions, especially towards women, is not that intelligent with computers so I don’t feel associated with their ’type’ or their tendencies toward extinction.
                      :-[
                      Damn wife-beaters, giving every social class a bad rap...