Moodle / MDL-28631

forbid use of cookies especially from javascript

    Details

    • Story Points:
      40
    • Rank:
      35

      Description

      Our developers and theme designers keep smuggling in cookies; this is not compatible with $CFG->cookiehttponly and is against some privacy laws.

      Simply stop relying on cookies and if necessary use user preferences.

      Offenders:

      • admin roles UI
      • lib/cookies.js
      • scorm data model
      • repository
      • anomaly theme

      Solution:
      1/ educate integrators and developers - see MDL-17084 for AJAX user preferences
      2/ fix the code
      3/ fix dev docs
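
One way integrators could enforce the "no new cookies" rule during review, as an added example that is not part of the original issue or of Moodle's code: a small Python scanner that flags cookie access in JavaScript and PHP sources. The file paths, file contents and the allowlist entry are constructed for illustration.

```python
import re

# Cookie-access patterns per file type. Y.Cookie is YUI's cookie utility.
PATTERNS = {
    "js": [("document.cookie", re.compile(r"\bdocument\s*\.\s*cookie\b")),
           ("Y.Cookie", re.compile(r"\bY\s*\.\s*Cookie\b"))],
    "php": [("setcookie()", re.compile(r"\bset(?:raw)?cookie\s*\(", re.I)),
            ("$_COOKIE", re.compile(r"\$_COOKIE\b"))],
}

def scan(files, allowed_paths=()):
    """files maps path -> source text; returns sorted (path, line, pattern) hits.

    allowed_paths lists files a reviewer has exempted, e.g. the code that
    issues the session cookie (assumption: exemptions are tracked per file).
    """
    findings = []
    for path, text in files.items():
        ext = path.rsplit(".", 1)[-1].lower()
        if path in allowed_paths or ext not in PATTERNS:
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            # Heuristic: ignore whole-line comments so dead code is not flagged.
            if line.lstrip().startswith(("//", "/*", "*", "#")):
                continue
            for label, rx in PATTERNS[ext]:
                if rx.search(line):
                    findings.append((path, line_no, label))
    return sorted(findings)

# Constructed sample tree: paths and contents are illustrative, not Moodle's.
SAMPLE = {
    "theme/example/javascript/toggle.js":
        "// remember toggle state\n"
        "document.cookie = 'toggles=' + state + '; path=/';\n",
    "mod/example/view.php":
        "<?php\n"
        "$state = isset($_COOKIE['toggles']) ? $_COOKIE['toggles'] : '';\n"
        "setcookie('toggles', $state, time() + 3600);\n",
    "lib/example_session.php":
        "<?php\nsetcookie($sessionname, $sid, 0, $path);\n",
    "mod/example/prefs.js":
        "// document.cookie is no longer used here\n"
        "savePreference('toggles', state);\n",
}
ALLOWED = ("lib/example_session.php",)  # hypothetical exemption

if __name__ == "__main__":
    for path, line_no, label in scan(SAMPLE, ALLOWED):
        print(f"{path}:{line_no}: cookie access via {label}")
```

Run against a checkout or a diff's changed files, a non-empty result is the signal to ask for user preferences instead of a cookie.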


          Activity

          Petr Škoda added a comment -

          I am marking this as a blocker because this has to be resolved before Moodle 2.3

          Petr Škoda added a comment - - edited

          Adding integrators as watchers, please do not let any new code that uses cookies into the main git repo - the only exceptions are the session cookie and the optional permanent login username cookie.

          Petr Škoda added a comment -

          Adding repo folks too, please make sure that at least we do not introduce new cookies in new code.

          Dan Poltawski added a comment -

          Related discussion: http://moodle.org/mod/forum/discuss.php?d=201558

          Gareth J Barnard added a comment -

          I understand the Cookie issue which is why I raised the discussion mentioned by Dan above. I also understand that I do use a Cookie to provide the functionality of remembering the state of the toggles in my course format on a per user per course basis - which is a 'functionality cookie' possibly category 3 under UK Cookie Law - hence I have updated my format to support user acceptance of this. However in the long term I would like to upgrade the format to use AJAX and transmit the state server side without hopefully taking up too much additional network traffic and space in the database - I understand the principles (and have done AJAX in Java server side and jQuery client side) - just need to understand how in PHP. Therefore to support solution point '1' could there be links, demonstrations etc. to help developers learn how to do AJAX in Moodle please? What is the best source of information for this technology?

          Cheers,

          Gareth

          Petr Škoda added a comment -

          Thanks, I have updated the description to link the original issue implementing the necessary API for setting of user preferences from Ajax. Please grep the codebase for function names if you want to see examples.

          Gareth J Barnard added a comment -

          @Petr - Thank you

