#12614 Disable sessions (cookie) for guests

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by on Wednesday, 18 July 2012 18:00 CDT

jjst135
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 2.5.4
PHP version: 5.3
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: 2.5.4

Description of my issue:

Hi. Would it be hard to include a setting in Admin Tools that disables all Joomla! session cookies in the frontend for guests? I found a hack (changes to Joomla!'s index.php and session.php) but a setting in Admin Tools would be nicer...

This has to do with the (stupid) EU cookie laws. If I want my website(s) to have no cookies at all, I need to get rid of the cookie Joomla! sets as a session cookie.

Thanks!

With regards,
Jip Jonker

nicholas
Akeeba Staff
Manager
Hi Jip,

Unfortunately this is not possible for technical reasons. Joomla! creates a cookie and writes a database record in order to initiate a session. The session is a prerequisite for the proper functionality of tokens. Tokens are a prerequisite for protecting forms against cross-site request forgery (CSRF) and brute forcing. This protection is a prerequisite for having safe login forms. So, implementing that would be equivalent to dropping your pants and bending over to hackers. Not my idea of fun!

BTW, there is an official opinion from Great Britain's judicial authorities which interprets the EU legislation quite differently than what we assumed. As long as you're informing your users that you are using cookies, the responsibility for the acceptance of cookies lies with the user, not the site's owner. Hence our banner on the top of the page.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

jjst135
Ok, thanks Nicholas. Did not know that. Don't want to drop my pants ;-) Is this also true for sites that have no login or forms of any kind?

Is this Joomla! session cookie a 'necessary cookie', so that no consent is needed for it?

I hope the rules will change here (NL) to the way GB does it now. We'll wait and see.

nicholas
Akeeba Staff
Manager
This is required for all forms. Besides, even if you don't have a login page it doesn't mean that Joomla! doesn't have one which can be accessed directly if you know the URL (yep, that's the truth for all CMS out there). Disabling cookies, sessions and tokens would make our sites vulnerable to CSRF and brute forcing of passwords.

Regarding the EU law, it's the same across Europe. The wording is sufficiently vague to allow the interpretation I mentioned above. Otherwise the entire continent will be forced to switch to static sites, as any dynamic site will no longer be able to work in a safe manner.

FWIW I consider this EU law utter bollocks. The rationale behind it is beyond all logic. If they want to protect EU citizens they should do the same with cars. Before turning on your car there should be a pre-recorded message saying "Driving a car is potentially dangerous and can lead to serious injury or death. If you agree with this please honk twice". Or before you enter the bathtub there should be a large banner "Slipping in the bathtub is one of the most common reasons for deaths inside the house. If you would like to take the risk turn the tap to the right, otherwise stay filthy". The same should hold true for kitchens, refrigerators, food packaging, elevators, even glasses of water. Of course that would be absurd; people are not idiots, so why treat them like bloody morons? Which is exactly what they are doing with the cookie law. Stupid lawmakers. If things continue like that, everyone will move his business to the US in a matter of three years.

jjst135
Hi Nicolas,

Thanks for your take on this.

Just to clarify: If someone wants to 'attack' a Joomla! website couldn't they just disable cookies themselves? As a user I can block cookies in my web browser, right?

Anyway, we'll see what happens with this law in the next few months...

nicholas
Akeeba Staff
Manager
That's the whole point. If you "disable" cookies what you're actually doing is this: even though the site sends you a cookie, you don't store it and don't pass it back to the site during the next request. As a result the site creates a brand new session on your next request. A brand new session uses a brand new token. But that's not the real functionality of the token. Here are two scenarios.

A. Without a token. The attacker writes a script which only submits a form and examines the site's response. Since no token is used, all form submissions go through. The attacker can run hundreds of attacks to the same site at the same time as he only needs a very low-bandwidth, low-latency POST request.

B. With a token. The attacker has to first GET a page which displays a login form and store the cookie. He has to parse the HTML and extract the token. Then he can POST the form with the token and the cookie and read the response. In this case the attacker is heavily slowed down. Before each attack he has to read and parse the page. The more attacks he runs in parallel, the slower ALL of his attacks get. In fact the slowdown is exponential, not linear. That is to say that running 50 attacks at the same time will be dozens of times slower than running 10 attacks at the same time.

Let's assume a simple 4-digit password (e.g. 1234) is being used. The average number of tries required to crack it is 5,000. Obviously, in scenario B the attack will take dozens of times more time than scenario A. Therefore tokens make brute force attacks impractical and that's why we need cookies.

The only alternative to cookies is riding our time machine and going back to 2002 when we had PHP put the PHP session ID in the URL, leading to uncanny and insecure URLs. Insecure! If you gave that URL to your friend he might be able to "steal" your session unless the script was doing IP checks, which were pointless because of IPv4 and NAT and so on. There's a reason why everyone started using cookies, for crying out loud! So, the EU is basically trying to take us a DECADE into the past, where copying a URL could lead to security issues. And all that in the era of Facebook and Twitter when sharing URLs is just too common. On the grounds of "protecting privacy". EU: where reason comes to die.

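The two scenarios nicholas lays out above (scenario A, a bare POST; scenario B, GET the form, keep the cookie, parse out the token, then POST), plus the point that a client which simply refuses cookies just gets a brand-new session and token on every request, as an added example. This is not Joomla!'s code and nothing from this ticket: FormServer, submit_blind, submit_cookies_disabled and submit_with_cookies are invented names, the in-memory server stands in for the CMS, and password checking is left out because the example is only about the token gate. As in Joomla!, the token travels as the name of a hidden input whose value is "1".

```python
"""Session-bound form tokens, modelled on the scenarios described in the ticket.

Added illustration in plain Python; not Joomla!'s code. FormServer is an
invented in-memory stand-in for a CMS, the submit_* functions are invented
client behaviours, and password verification is deliberately omitted.
"""
import hmac
import re
import secrets

# The hidden field Joomla! emits is <input type="hidden" name="<token>" value="1">.
TOKEN_FIELD = re.compile(r'name="([0-9a-f]{32})" value="1"')


class FormServer:
    def __init__(self, tokens_enabled=True):
        self.tokens_enabled = tokens_enabled
        self.sessions = {}      # cookie value (session id) -> {"token": str}
        self.request_count = 0  # every GET or POST the server had to answer

    def get_form(self, cookie=None):
        """Serve the login form. A missing or unknown cookie starts a new
        session with a fresh token, which is exactly what a cookie-refusing
        client triggers on every single request."""
        self.request_count += 1
        if cookie not in self.sessions:
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = {"token": secrets.token_hex(16)}
        token = self.sessions[cookie]["token"]
        html = ('<form method="post">'
                f'<input type="hidden" name="{token}" value="1">'
                '<input type="password" name="password"></form>')
        return cookie, html

    def post_form(self, cookie, fields):
        """Handle a submission; returns (HTTP status, reason)."""
        self.request_count += 1
        if not self.tokens_enabled:            # scenario A: nothing to check
            return 200, "accepted (no token check)"
        sess = self.sessions.get(cookie)
        if sess is None:
            return 403, "no session: cookie missing or unknown"
        # The token is only valid for the session that issued it; compare in
        # constant time so the check itself leaks nothing about the token.
        if not any(name.isascii() and hmac.compare_digest(name, sess["token"])
                   for name in fields):
            return 403, "token does not belong to this session"
        return 200, "accepted"


def submit_blind(server, password):
    """Scenario A: one bare POST, no prior GET, no cookie, no token."""
    return server.post_form(None, {"password": password})


def submit_cookies_disabled(server, password):
    """GET the form and scrape the token, but never send the cookie back,
    which is what 'disabling cookies' in the browser amounts to."""
    _cookie, html = server.get_form()
    token = TOKEN_FIELD.search(html).group(1)
    return server.post_form(None, {token: "1", "password": password})


def submit_with_cookies(server, password):
    """Scenario B: GET, keep the cookie, parse the token, then POST.
    Two round trips plus HTML parsing per submission instead of one POST."""
    cookie, html = server.get_form()
    token = TOKEN_FIELD.search(html).group(1)
    return server.post_form(cookie, {token: "1", "password": password})


if __name__ == "__main__":
    open_server = FormServer(tokens_enabled=False)
    print("A, no tokens:       ", submit_blind(open_server, "1234"))
    guarded = FormServer()
    print("B, bare POST:       ", submit_blind(guarded, "1234"))
    print("B, cookies disabled:", submit_cookies_disabled(guarded, "1234"))
    print("B, proper client:   ", submit_with_cookies(guarded, "1234"))
    print("requests the guarded server had to serve:", guarded.request_count)
```

Running it shows the three outcomes from the thread side by side: without tokens a single POST is accepted; with tokens a bare POST and a cookie-less submission are both refused, because there is no session for the token to belong to; and the only submission that gets through costs a GET, a parse and a POST. A token scraped from one session is also useless when sent with another session's cookie, which is why refusing cookies does not get around the check.
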
jjst135
Thanks for explaining this.

About the cookie law: I now use 'implied consent' for my website. I think notifying the user of the usage of cookies and also explaining what cookies are being used (and why) in a privacy policy should be enough for the use of 'non invasive cookies'. I also think this will be the way the law is going to be changed / implemented.

I consider tracking cookies (Analytics) to be 'non invasive' cookies.

nicholas
Akeeba Staff
Manager
Having a privacy policy is OK for implied consent to your own site's cookies. I've also detailed the use of third party cookies on my own privacy policy. I am not sure if the Analytics cookies fall under the non-invasive cookies provisioning of the law. I assume that since the user is given instructions in the Privacy Policy to visit Google and opt-out from the cookies they are OK. But I am not a lawyer and you may have to ask one :)

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.