Once again the evo-cookie and the EU.

brezel

I need either a statement that the evo-cookie is technically necessary, then a mention and description in the privacy policy is sufficient, or a possibility of consent must be created before the cookie is set.
In EVO's Issues (Github), they have not taken a clear position. They say the evo-cookie is not technically mandatory, but refer in other places that without the cookie there may be security flaws. What should I believe now.
Can the cookie be dispensed with in the frontend: yes or no. If yes, how can I disable the cookie for the frontend only? If no, how can I justify in simple words the necessity of the cookie.

fourroses666

I don't think it would be possible to disable front-end only. The /manager looks in the cookie jar for cookies.
Why its set while not being logged in I don't know. Maybe localstorage is an option. I'm not really into this stuff..

risingisland

I think it is looking for quick-manager, but I could be wrong.

brezel

I tried something once. On Github it was described how to prevent the session from starting. But then the login no longer works.
But you could do it a little differently:
In the core/bootstrap.php the session is started like this:

 if ((! is_cli() && session_status() === PHP_SESSION_NONE) && (!defined('NO_SESSION'))) {
    startCMSSession(); // start session
}

If you additionally couple this to the manager, it looks like this:

if ((! is_cli() && session_status() === PHP_SESSION_NONE) && (!defined('NO_SESSION') && strpos($_SERVER["REQUEST_URI"],"manager")!==false )) {
    startCMSSession(); // start session
}

Now you can use the site without evocookie. When you login to the backend, the evocookie is set.
But I don't know if it is problematic to bind the evocookie to the presence of "manager" in the $_SERVER["REQUEST_URI"].
I also hope it's not a problem safety-wise.
Perhaps someone who is more familiar with EVO security can chime in. I am currently only running this in a test environment.

MattiN

brezel

I tested your modification of the bootstrap.php.
I couldn't find any restrictions in the frontend.
Everything seems to be working correctly in the manager too.

Via ccm19.de I had a scan made before and after the change.
Before the modification, the evocookie was recognized as an unnecessary cookie. After the modification, the scan delivers a positive result: No unauthorized cookies.

It looks like the EVO site can actually be loaded in compliance with GDPR.

I will probably keep this for now and see whether it continues to run without problems in the manager.

Thanks for the lines of code

risingisland

Is there a similar solution for v1.4.x ?

brezel

I did a little search and found start of the session in v1.4.x.
In the 1.4.x it gives file manager/includes/preload.functions.inc.php . There is a line with
old:
session_start();
new:
if(strpos($_SERVER["REQUEST_URI"],"manager")!==false) session_start();
But be careful. I am not a real programmer. I don't know, if this solution is safe. But it seems to work.

MattiN

brezel

I have now also tested the second option with a version 1.4.15.
Also here before the modification, the evocookie was recognized as an unnecessary cookie.
After the modification, the scan delivers a positive result: No unauthorized cookies.

It looks like this EVO Version site can actually be loaded in compliance with GDPR.

So far, I have not been able to find any restrictions here either in the frontend or in the manager.

Also a big thank you for this code! :-)

MattiN

Unfortunately, I have now found a malfunction in the manager! (EVO 3.1.6)
SimpleGallery no longer works if the modified version of bootstrap.php is used.

I found a piece of info from Dimi 3yy. Is a $ SESSION cookie and also technically necessary. I have now added this to the CookieConsent solution as technically necessary.

brezel

Thanks for the work. Too bad it doesn't work that way. I have also noticed problems with the FormLister.
Does anyone else have any other ideas?

fourroses666

In EVO CE 3.1.29 you can now unset the session cookie EVO adds by default.

Add a file in /core/custom/define.php

<?php
define('NO_SESSION', true);

https://community.evocms.ru/blog/news/novyj-reliz-evolution-ce-3.1.28-i-ego-osobennosti.html

xpon1

Graffx Design
Any solution for v1.4.x ?
Thanks!!!

fourroses666

xpon1
Sorry I don't use that EVO anymore.