J!Extensions Store™
Faq Cookies are not blocked, what could be the reason?
Cookies are not blocked, what could be the reason?
Created on:Thursday, 03 May 2018 00:00

If you look into the Firefox or Chrome inspector tools, cookies will still be shown, this is normal and can't be prevented removing cookies only on the client side.

The cookies by default are blocked using javascript code after the page is loaded, so a browser console will continue to show them in the cookie tab even if blocked and deleted, but If you check them using the command 'document.cookie' in the browser console, no cookies will be reported. It's common that online services such as Cookiebot, the Ghostery plugin, Cookieserve, etc could still report cookies even if they are blocked client-side claiming that the website is not compliant. Mainly this happens because these services are not able to reproduce a browser behavior and scripts, so this kind of reports is not fully reliable. NEVER use Cookiebot or similar online test tools! As if this was not enough, Cookiebot reports a fake cookie named 'UUID' to every website even if not present.
To verify that cookies are blocked, always rely on the test done in the native browser console using the command 'document.cookie'. As an alternative use the 'Website audit' tool included in the GDPR component that is fully reliable in the same way as the browser itself.

The Joomla session cookie moreover is blocked server-side and client-side, so despite the fact it's still present and randomly displayed in the browser console when a page is reloaded, it's blocked by PHP before its usage and deleted by javascript after the page load. To verify that the Joomla session cookie is correctly blocked, you can try to perform a login and if the cookie is blocked the login must fail, moreover you can try to execute the command 'console.log(document.cookie)' or simply write 'document.cookie' in the browser console and the result must show an empty cookie string "". It's normal that the session cookie still appears in the browser console even if blocked with this technique, just ignore it.
Obviously if you use a cookie audit tool it will continue to see that cookie even if blocked server side. The Joomla session cookie by the way is a strictly technical cookie that would not even need to be blocked.

If you want to enforce the cookie block involving even third-party cookies and blocking all local cookies even server side you can enable the following settings as well. If local cookies are blocked server side, no cookies will be sent by the server so that the browser will no longer report any cookie in the cookie tab.
If you choose to block even third-party cookies, you must manage the list of domains to match all domains used on your website that generate cookies and that you want to be blocked.

gdpr cookie settings

There is a known issue when inspecting the number of cookies using the Google Chrome URL bar icon. Indeed it reports a sum of cookies even for subdomains or other domains and when cookies are blocked they are often seen as doubled empty cookies. As if this was not enough, it does not count only real cookies, but even local storage and session storage variables that does not require to be blocked for the GDPR compliance. Do not use that cookies report to inspect real cookies that are allowed or blocked on your website, always rely on the browser console (F12) and use the 'Application'->'Cookies' tab and the 'document.cookie' instruction in the 'Console' tab.

If you want to block a resource such as the Google Analytics tracking code that is added by a Joomla! system plugin, pay attention to the ordering of plugins because the execution order of system plugins matters. In order to allow the GDPR system plugin to block that resource, the GDPR plugin must be ordered AFTER the plugin adding that resource.