Last modified: 2008-08-24 02:53:56 UTC
After having worked on a project that required it, there should be a global variable (such as $wgEnableCookies) which defaults to TRUE, but can be toggled to FALSE. If false, cookies are not put on the computer of a visitor and all checkboxes that result in a cookie being written are removed from the UI. This could be accomplished with a simple flag around all code that results in a cookie being placed:

if ($wgEnableCookies) { //Handle cookies } else { //Handle sessions, no cookies }
Exactly why would you *want* to disable cookies while the client can just deny them? Also, staying logged in relies on cookies: sessions use cookies internally.
> Exactly why would you *want* to disable cookies while the client can just deny
> them? Also, staying logged in relies on cookies: sessions use cookies
> internally.

For my project, it was US Dept of Defense rules. Sessions are OK, but cookies can not be written by a DOD-sponsored website. I'm sure there are other organizations with similar rules, and this wouldn't be *that* difficult to implement.
Uh, and how are sessions supposed to work without cookies? Session IDs in URLs are possible in theory (though not implemented by mediawiki). They are, however, more insecure by far. Look up "session fixation". So, no cookies, no login.
(In reply to comment #3)
> Uh, and how are sessions supposed to work without cookies?
>
> Session IDs in URLs are possible in theory (though not implemented by
> mediawiki). They are, however, more insecure by far. Look up "session
> fixation".
>
> So, no cookies, no login.

The fix that passed regulations was to:

(1) Remove all checkboxes for remembering a user's login
(2) Set $wgCookieExpiration = 0

So this new global variable would do both automatically, without the need to change any MW file, except for LocalSettings.php, where you could toggle the variable.
(In reply to comment #4)
> The fix that passed regulations was to:
>
> (1) Remove all checkboxes for remembering a user's login
> (2) Set $wgCookieExpiration = 0
>
> So this new global variable would do both automatically, without the need to
> change any MW file, except for LocalSettings.php, where you could toggle the
> variable.

Wouldn't that make your wiki severely defective? If no one can login, there are no privileged users, so either no one can ban people, delete pages, etc. or everyone can. Both are undesirable.
(In reply to comment #5)
> (In reply to comment #4)
> > The fix that passed regulations was to:
> >
> > (1) Remove all checkboxes for remembering a user's login
> > (2) Set $wgCookieExpiration = 0
> >
> > So this new global variable would do both automatically, without the need to
> > change any MW file, except for LocalSettings.php, where you could toggle the
> > variable.
>
> Wouldn't that make your wiki severely defective? If no one can login, there are
> no privileged users, so either no one can ban people, delete pages, etc. or
> everyone can. Both are undesirable.

I can log in and use my assigned privileges. Everything works as expected. The only difference is that when I close my browser, I am logged out. There are also no files left on a computer of a visitor.
$wgCookieExpiration = 0; will still set a session cookie. It will just tell the cookie to expire when the browser is closed. But note that this is far from "disabling cookies". So, what EXACTLY does the policy require?

Again: cookies are needed to manage sessions. There is no other way to manage sessions (well, technically, HTTP-Auth or HTTPS-Auth might be possible, but quite inconvenient for users, and probably impossible to use without logging in).

That being said: An option to disable the "remember me" checkbox would be fine with me. This is the only one I know of that would cause an additional cookie.
(In reply to comment #7)
> $wgCookieExpiration = 0; will still set a session cookie. It will just tell the
> cookie to expire when the browser is closed. But note that this is far from
> "disabling cookies". So, what EXACTLY does the policy require?
>
> Again: cookies are needed to manage sessions. There is no other way to manage
> sessions (well, technically, HTTP-Auth or HTTPS-Auth might be possible, but
> quite inconvenient for users, and probably impossible to use without logging
> in).
>
> That being said: An option to disable the "remember me" checkbox would be fine
> with me. This is the only one I know of that would cause an additional cookie.

I'm not up to speed on the exact regulation, but anything relating to sessions is fine, as long as they are invalid upon a browser close or deleted on a browser close. Since this passed current DOD regulations, it's good enough for me. The only thing that I didn't like to do was modify files other than LocalSettings.php, so a way to avoid that would be nice and this seems to be a good solution.
So the option required would be to disable *persistent* cookies. That sounds reasonable. I'll adjust the request description accordingly.
(In reply to comment #9)
> So the option required would be to disable *persistent* cookies. That sounds
> reasonable. I'll adjust the request description accordingly.

That sounds better. I'm sorry if my terminology is off. I'm far more used to non-web development, so I'm not yet familiar with these terms and phrases.
Done in r39376
As an update, $wgEnablePersistentCookies was removed. Instead, setting cookie expiry to 0 now disables the setting of any cookies that last beyond the end of the session. All setcookie() calls go through $WebRequest->setCookies() now, so that's a nice clean interface for it.
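The distinction the thread settles on (a session cookie carries no Expires/Max-Age, a persistent cookie does) is easy to verify from the outside. The following is an added example, not MediaWiki code: it builds a Set-Cookie header from a numeric expiration the way the last comment describes (0 means session-only), and audits a list of Set-Cookie values to report which ones would survive a browser close. Cookie names and header values are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def build_set_cookie(name, value, expiration, path="/", secure=True):
    """Emit a Set-Cookie value; expiration > 0 adds Max-Age (seconds),
    expiration == 0 yields a session cookie that dies with the browser."""
    attrs = [f"{name}={value}", f"Path={path}", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    if expiration > 0:
        attrs.append(f"Max-Age={int(expiration)}")
    return "; ".join(attrs)


def is_persistent(set_cookie, now=None):
    """True if the cookie would outlive the browser session.
    Per RFC 6265 a valid Max-Age wins over Expires; a non-positive Max-Age
    or an Expires in the past is a deletion, not a persistent cookie."""
    now = now or datetime.now(timezone.utc)
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            pass  # browsers ignore a malformed Max-Age and fall back to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False


def persistent_cookies(set_cookie_headers):
    """Names of the cookies in a response that would be left on disk."""
    return [h.split(";")[0].split("=")[0].strip()
            for h in set_cookie_headers if is_persistent(h)]


# Constructed sample: what a "remember me" login response might send.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "user_id=42; Path=/; Max-Age=2592000; HttpOnly",
    "user_name=Example; Path=/; Expires=Wed, 01 Jan 2042 00:00:00 GMT",
    "stale=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]
```

Running `persistent_cookies(SAMPLE_HEADERS)` flags only `user_id` and `user_name`; the session cookie and the deletion of `stale` pass the no-persistent-cookies check.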