I’ve been using YouTube embeds in enhanced privacy mode by chang[ing] the domain for the embed URL in your HTML from https://www.youtube.com to https://www.youtube-nocookie.com
I remember checking via DevTools (Application/Storage tab) that no cookie was actually set.
A customer just notified me that they did find cookies set by the domain
.youtube-nocookie.com — weirdly, something about "consent pending", which does not change when I click play, as other sources state.
They have also alerted me to some shenanigans in Local Storage, namely an item with the key
yt-remote-device-id, which has a UUID and an expiration date 10 years in the future.
I have always suspected that Enhanced Privacy Mode is somewhat of an exaggeration, but this seems to defeat the purpose almost entirely. And it makes youtube-nocookie practically useless w.r.t. a less painful GDPR-compliant user experience.
Is this a recent change? Is there any documentation or changelog on that?
First-timer over here!
Domain for the buggered website (you’ll see what I mean!) http://www.clarkephotographic.co.uk/
URL I am using to try to login to WordPress backend to fix the issue http://www.clarkephotographic.co.uk/wp-login.php
So, when I enter my username, password and then proceed to login, I get the following error message "ERROR: Cookies are blocked due to unexpected output"
The problem I have is that in order to resolve the issue in the first place I would need to login, but as you can see I’m in a bit of a loophole.
Can anyone offer, in as simple terms as possible, any advice on how to get around this, as currently, anyone visiting the site would most likely move onto something that doesn’t look like a piece of $ hit. I’m planning on closing the site down as covid has dried up that little avenue of pleasure. Onto another project that is more pandemic proof!
Many many thanks in advance
I’ve read that if you are storing identifying information like the user’s name or email address in cookies then you have to ask for consent.
I just want to store the user’s country code, like US, CA, etc. Do I need to ask for consent for that?
In my web application, I have a single API backend and two frontends written as single page applications. To simplify deployment, I’d like to serve the API on /api, the admin dashboard on /admin, and the end user frontend on /user (or something similar), all on the same domain.
Background: I’ve been using a simple session cookie design for my web app. I have a users table, and a sessions table that basically looks like this:

  id  | user_id | visited_at
 -----+---------+-----------
  int |   int   | timestamp
And a session cookie contains just a session ID, signed with a secret key. I give the cookie an expiration date (but the source of truth is still the timestamp in the DB), and make sure it’s secure and HTTP-only.
Then I came across these threads:
I think tptacek is basically saying that, instead of storing the signed session ID in the cookie, I can make the sessions table like this:

    id   | user_id | visited_at
 --------+---------+-----------
 varchar |   int   | timestamp

where id is a randomly generated 16+ byte key encoded as a string, and simply store this string in the session cookie w/o any encryption/signing.
Is this approach secure? Does it have any downsides due to the lack of a signing phase? (I was thinking w/o signing we can’t invalidate all sessions by changing the server secret, but then I think we can just delete all the sessions from the DB since we are not doing stateless authentication anyway.)
UPDATE: I think maybe one benefit of the signing approach is that I can save some space in my DB by using an integer primary key. But I’m more interested in the security aspect.
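A sketch of the unsigned random-token session store that the post describes, added here as an example rather than the poster's or tptacek's code. It assumes an in-memory SQLite table standing in for the sessions table, an assumed 30-day idle timeout, and one hardening the post does not mention: the table stores a SHA-256 digest of the token, so a leaked sessions table does not yield usable cookies.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory stand-in for the poster's sessions table (assumption).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER, visited_at REAL)")

IDLE_TIMEOUT = 30 * 24 * 3600  # seconds; assumed policy, not from the post


def _key(token: str) -> str:
    # Store only a digest: the cookie holds the preimage, the DB never does.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: int) -> str:
    """Return the opaque cookie value: 32 random bytes, URL-safe, unsigned."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (_key(token), user_id, time.time()))
    return token


def lookup_session(token: str, now=None):
    """Return user_id for a live session, else None; refresh visited_at on hit.
    The DB timestamp is the source of truth, not the cookie's Expires attribute."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, visited_at FROM sessions WHERE id = ?",
                     (_key(token),)).fetchone()
    if row is None:
        return None  # unknown or already revoked token
    user_id, visited_at = row
    if now - visited_at > IDLE_TIMEOUT:
        db.execute("DELETE FROM sessions WHERE id = ?", (_key(token),))
        return None  # idle too long: drop it server-side
    db.execute("UPDATE sessions SET visited_at = ? WHERE id = ?", (now, _key(token)))
    return user_id


def revoke_all_sessions() -> int:
    """Server-side equivalent of rotating a signing secret: drop every row."""
    n = db.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]
    db.execute("DELETE FROM sessions")
    return n
```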
I have installed two browser extensions: Privacy Badger and ScriptSave in order to block unwanted cookies. I knew websites would load cookies but I was still surprised by the number. Unfortunately, the web content is usually not displayed and I am eventually forced to allow all cookies to be loaded at least for a session. I can see there are different groups of them: analytics, cdn, tag managers, but some of them have randomly generated names.
I would guess the following cookies are not dangerous:
cdn.cookielow.org cdn.sstatic.net cdnjs.cloudflare.com googletagservices.com google-analytics.com adjax.googleapis.com assets.hearstapps.com (?)
But sometimes cookies with random names are loaded:
dstik9906m659.cloudfront.net d176jfkp3gfyt8.cloudfront.net d1bg94bbsh66ji.cloudfront.net
I read anything with cloudfront.net is from Amazon. I couldn’t find anything on the cookies above, but I still don’t understand the reason for the random characters in the names?
I am looking for advice on how to be able to recognise genuine cookies and filter out those potentially dangerous. Is it easily possible? Thanks.
I have cleared all the cookies in my Chrome, closed the browser and opened Chrome, navigated to chrome://settings/siteData
I see two new Facebook cookies, fr and sb, created right away. Before visiting Facebook, how did these two cookies get created???
So I am new to web application security and have a doubt regarding session cookies. Which is more vulnerable:
- Having the same session cookie for a user logging in from different machines/browsers
- Having different session cookies for a user logging in from different machines/browsers
If possible, can you provide a quick scenario of how each can be exploited?
What if a hacker steals my cookies, for example using BeEF or something else? What can they do with this information? Can they get any passwords or something?