andrepereiradasilva
26 May 2015

Issue

The language filter plugin uses cookies to save the user selected language. Two things to consider:
1. In an HTTPS only site shouldn't the language cookie be Secure and HTTP only?
2. What if the website admin doesn't want to use the language cookie, for instance because of caching servers, since HTTP pages with cookies (especially with hashes) can be very hard to configure in caching servers? How can the language cookie be disabled so that only the browser language/site default language is used to check the user language?

How to test

On a multilanguage website with the language filter plugin enabled, check the cookies generated. There will be two cookies (the session cookie and the user language cookie).
1. If in an HTTPS site, the language cookie is not secure and HTTP only, like the session cookie is.
2. There is no way to disable the language cookie (only can set the cookie for session or year) in the language filter plugin.

System information (as much as possible)

Nginx 1.9.1
PHP 5.6.8
Joomla 3.4.1

andrepereiradasilva - open - 26 May 2015
infograf768 - comment - 27 May 2015

Adding a parameter to not create/use the cookie is easy.
I would not know how to make the language cookie secure on an HTTPS site.

Bakual - comment - 27 May 2015

Making the cookie secure should be as easy as setting the secure flag in our API when creating it.

zero-24 - change - 27 May 2015
The description was changed
Labels Added: ?
Bakual - comment - 27 May 2015

php setcookie has an option for that:

Our own API has that as well. See https://github.com/joomla/joomla-cms/blob/staging/libraries/vendor/joomla/input/src/Cookie.php#L84.

I wonder if it's needed however. Especially on sites with mixed content you could get the issue that you browse the site in German and when you switch to the SSL content you get back to the English (or whatever) one because the cookie would be a different one.
The cookie doesn't contain any sensible data at all, so it's not like it has to be secure for that reason.
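
The points raised in this thread, as an added example that is not part of the discussion and is not Joomla's code: PHP's `setcookie()` takes `secure` and `httponly` as its sixth and seventh arguments, and the sketch below sets `Secure` only when the whole site is HTTPS, which avoids the mixed-content problem described above. The function names, the cookie name and the `$siteIsHttpsOnly` setting are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not Joomla code: all names here are hypothetical.

/**
 * True when the current request arrived over HTTPS.
 * Assumption: PHP sees the TLS connection directly. Behind a TLS-terminating
 * proxy $_SERVER['HTTPS'] is empty and this check would need adapting.
 */
function requestIsHttps(array $server): bool
{
    $https = strtolower($server['HTTPS'] ?? '');

    return ($https !== '' && $https !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

/**
 * Build the positional arguments for setcookie() for a language cookie.
 * $siteIsHttpsOnly models an "entire site over HTTPS" setting.
 */
function languageCookieArgs(string $langCode, int $lifetime, array $server, bool $siteIsHttpsOnly): array
{
    // Secure only on an HTTPS-only site: on a mixed HTTP/HTTPS site the
    // browser never sends a Secure cookie on the HTTP pages, so the
    // language choice would not carry over between the two.
    $secure = $siteIsHttpsOnly && requestIsHttps($server);

    return [
        'example_language',                      // hypothetical cookie name
        $langCode,
        $lifetime > 0 ? time() + $lifetime : 0,  // 0 = session cookie
        '/',                                     // path
        '',                                      // domain: host-only cookie
        $secure,                                 // Secure flag
        true,                                    // HttpOnly flag, as the issue asks
    ];
}

// Constructed request data for an HTTPS-only site; in a web request pass $_SERVER.
$args = languageCookieArgs('de-DE', 365 * 86400, ['HTTPS' => 'on', 'SERVER_PORT' => '443'], true);
setcookie(...$args);           // must run before any output is sent
var_dump($args[5], $args[6]);  // the Secure and HttpOnly flags that were used
```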

andrepereiradasilva - comment - 27 May 2015

@Bakual in my humble opinion if a site admin makes the option to put all the site in HTTPS, regarding the information is sensible or not, the cookies should respect that.

zero-24 - change - 27 May 2015
Category Multilanguage
smz - comment - 29 May 2015

@bakual I think I can fix this in #7055, in the new setLanguageCookie()... What do you think?

Bakual - comment - 29 May 2015

@smz Let me merge the other one first. Then you can improve the setLanguageCookie method with this.

smz - comment - 29 May 2015

#7061 should fix this...

zero-24 - comment - 29 May 2015

Closing as we have a PR by @smz Thanks :smile:

zero-24 - change - 29 May 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-05-29 16:42:54
Closed_By: zero-24
zero-24 - close - 29 May 2015
