One time Cookie Notice

[ArchBlood]

Currently when you visit a HumHub instance with cookie notice enabled you have to accept each time you visit the site.

[ArchBlood]

Seems that this issue only happens on the community site;

https://community.humhub.com/dashboard

[luke-]

Hmm, I cannot reproduce this on our community. The notice does not appear again for me.

[ArchBlood]

Latest version of Chrome on Windows 11 it appears every time I visit the community site, but no other HumHub instance have I seen this happen.

It also apparently shows up every time the page is refreshed as well. 🤔

[felixhahnweilheim]

I have the same as @ArchBlood on my phone (Android 13) with Chrome, and (Chrome-based) PWA.

[ArchBlood]

I have the same as @ArchBlood on my phone (Android 13) with Chrome, and (Chrome-based) PWA.

I can confirm that the issue is also happening on Chrome mobile browser as well.

[luke-]

@yurabakhtin Can you please take a look into it?

[yurabakhtin]

@luke- I have the same bug today when I open https://community.humhub.com in Chrome on Windows 11.

I find 2 cookie records:

If manually remove the 2 records then it works as expected, i.e. after first click "Got it!" the cookie block is hidden and doesn't appears again.
I cannot find how the record with domain .humhub.com was created there.
Locally I tried to reproduce the issue by the following steps:

• open the same site from alias.humhub.local and from humhub.local
• after accept cookie on the first site I see a cookie record cookieconsent_status | alias.humhub.local and cookie block is hidden
• after accept cookie on the second site I see a cookie record cookieconsent_status | humhub.local and cookie block is hidden
• the cookie records are visible only on own sites as expected
• If I create a new record with data cookieconsent_status | .humhub.local on any of these sites manually then I see the cookie blocks again and they cannot be hidden by click on the accept button, they can be hidden only after deleting the record .humhub.local.

---

The cookie block is initialized by this JS library https://www.osano.com/cookieconsent/documentation/javascript-api/
I tried to set cookie.domain to humhub.local then cookie record is created for domain .humhub.local and the cookie block is hidden after accept button clicking and doesn't appear after page reloading.
If set cookie.domain to alias.humhub.local then cookie record is created for domain .alias.humhub.local and this solution works only for the site alias.humhub.local.
It would be good the JS library set cookie domain without adding a dot before provided domain name, because I am not sure we can allow accept cookies for all sub sites when it was accepted on root domain.

[ArchBlood]

Can't we just use something like this to set the cookie domain?

// Set the cookie to a specific domain
$cookieDomain = \yii\helpers\Url::base()'; // Replace 'yourdomain.com' with your desired domain
setcookie('cookieconsent_status', 'accepted', time() + 31536000, '/', $cookieDomain, false, true);

Or something like the following?

        // Get the current site's domain
        $currentDomain = Yii::$app->request->hostInfo;

        // Set the cookie using Yii's response component
        $response = Yii::$app->response;
        $response->cookies->add(new \yii\web\Cookie([
            'name' => 'cookieconsent_status',
            'value' => 'accepted',
            'expire' => time() + 31536000,
            'path' => '/',
            'domain' => $currentDomain,
            'httpOnly' => true,
            'secure' => true, // Set to true if your site uses HTTPS
        ]));

We should be able to do this in /widgets/CookieNote.php

[ArchBlood]

Another option would be the following;

<?php

namespace humhub\modules\legal\widgets;

use humhub\components\Widget;
use humhub\modules\legal\models\Page;
use Yii;
use yii\web\HttpException;

/**
 * Class CookieNote
 * @package humhub\modules\legal\widgets
 */
class CookieNote extends Widget
{
    public function run()
    {
        $page = Page::getPage(Page::PAGE_KEY_COOKIE_NOTICE);
        if ($page === null) {
            return "";
        }

        // Get the current site's domain
        $currentDomain = Yii::$app->request->hostInfo;

        // Extract the root domain to cover all subdomains and aliases
        $rootDomain = $this->getRootDomain($currentDomain);

        // Set the cookie using Yii's response component
        $response = Yii::$app->response;
        $response->cookies->add(new \yii\web\Cookie([
            'name' => 'cookieconsent_status',
            'value' => 'accepted',
            'expire' => time() + 31536000,
            'path' => '/',
            'domain' => $rootDomain,
            'httpOnly' => true,
            'secure' => true, // Set to true if your site uses HTTPS
        ]));

        return $this->render('cookies', ['page' => $page]);
    }

    // Function to extract the root domain from a given domain
    private function getRootDomain($domain)
    {
        $domainParts = explode('.', $domain);
        $partsCount = count($domainParts);
        if ($partsCount > 2) {
            // Construct the root domain for subdomains or alias domains
            $rootDomain = $domainParts[$partsCount - 2] . '.' . $domainParts[$partsCount - 1];
            return '.' . $rootDomain;
        }
        return $domain; // Return original domain if it's already a root domain
    }
}

Although I've not tested this specific method.

[yurabakhtin]

@ArchBlood Thank you for the help, but the problem was from JS side.
@luke- Fixed in PR #66:

This fix will hides the cookie consent window on all browsers even if they still have two records for root domain and for the strange records with domain like .domain.com

I have compared the JS method getCookie from here https://github.com/osano/cookieconsent/blob/dev/src/bundle.js#L2739-L2743:

const getCookie = name => {
  const value = ' ' + document.cookie;
  const parts = value.split(' ' + name + '=');
  return parts.length < 2 ? undefined : parts.pop().split(';').shift();
};

and from the humhub file version:

getCookie: function (e) {
    var t = "; " + document.cookie,
        i = t.split("; " + e + "=");
    return 2 != i.length ? void 0 : i.pop().split(";").shift();
},

so the difference was between parts.length < 2 and 2 != i.length

My fix is a manual updating only of the code, because I tried to use new version completely from here https://github.com/osano/cookieconsent/blob/dev/build/cookieconsent.min.js and I updated the initialisation code from window.cookieconsent.initialise({ to new new window.CookieConsent({, but I don't understand why when press to accept I don't find that cookie record is created in my browser, so the cookie consent window appears again and again after page reloading.

[luke-]

@yurabakhtin Thanks.

I'll keep this issue open, because we should find a better solution in future, instead of fixing the minifed version.