J!Extensions Store™
Faq Cookies are not blocked, what could be the reason?
Cookies are not blocked, what could be the reason?
Created on:Thursday, 03 May 2018 00:00

If you look into the Firefox or Chrome inspector tools, cookies will still be shown, this is normal and can't be prevented removing cookies only on the client side.

The cookies by default are blocked using javascript code after the page is loaded, so a browser console will continue to show them in the cookie tab even if blocked and deleted, but If you check them using the command 'document.cookie' in the browser console, no cookies will be reported. It's common that online services such as Cookiebot, Cookiemetrix, the Ghostery plugin, Cookieserve, etc could still report cookies even if they are blocked client-side claiming that the website is not compliant. Mainly this happens because these services are not able to reproduce a browser behavior and scripts, so this kind of reports is not fully reliable. NEVER use Cookiebot or similar online test tools! As if this was not enough, Cookiebot reports a fake cookie named 'UUID' to every website even if not present.
To verify that cookies are blocked, always rely on the test done in the native browser console using the command 'document.cookie'. As an alternative use the 'Website audit' tool included in the GDPR component that is fully reliable in the same way as the browser itself.


The Joomla session cookie moreover is blocked server-side and client-side, so despite the fact it's still present or displayed in the browser console when a page is reloaded, it's blocked by PHP before its usage and deleted by javascript after the page load. To verify that the Joomla session cookie is correctly blocked, you can try to perform a login and if the cookie is blocked the login must fail, moreover you can try to execute the command 'console.log(document.cookie)' or simply write 'document.cookie' in the browser console and the result must show an empty cookie string "". It's normal that the session cookie still appears in the browser console even if blocked with this technique, just ignore it.
Obviously if you use a cookie audit tool it will continue to see that cookie even if blocked server side. The Joomla session cookie by the way is a strictly technical cookie that would not even need to be blocked to comply with the law.


If you want to enforce the cookie block involving also third-party cookies and blocking all local cookies also server side you can enable the following settings as well. If local cookies are blocked server side, no cookies will be sent by the server so that the browser will no longer report any cookie in the cookie tab.
If you choose to block also third-party cookies, you must manage the list of domains to match all domains used on your website that generate cookies and that you want to be blocked.


gdpr cookie settings

Additionally, always ensure that the block for the local cookies definition is enabled:


gdpr local cookies block

There is a known issue when inspecting the number of cookies using the Google Chrome address bar icon. Indeed it reports a sum of cookies also for subdomains or other domains and when cookies are blocked they are often seen as doubled deleted cookies. As if this was not enough, it does not count only real cookies, but also local storage and session storage variables that does not require to be blocked for the GDPR compliance. Do not use that cookies report to inspect real cookies that are allowed or blocked on your website, always rely on the browser console (F12) and use the 'Application'->'Cookies' tab and the 'document.cookie' instruction in the 'Console' tab. If you use the Chrome address bar icon to inspect cookies you could have the impression that cookies are blocked in reverse mode, as blocked cookies are also listed while they are not listed if not blocked.

If you want to block a resource such as the Google Analytics tracking code that is added by a Joomla! system plugin, pay attention to the ordering of plugins because the execution order of system plugins matters. In order to allow the GDPR system plugin to block that resource, the GDPR plugin must be ordered AFTER the plugin adding that resource.