3

I have built a cookie consent module that is used on many sites, all using the same server architecture, on the same cluster. For the visitors of these sites it is possible to administer their cookie settings (e.g. no advertising cookies, but allow analytics cookies) on a central domain that keeps track of the user preferences (and sites that are visited).

When they change their settings, all sites that the visitor has been to that are using my module (kept in a cookie) are contacted by loading them with a parameter in hidden iframes. I tried the same with images.

On these sites a rewrite rule is in place that detects that parameter and then retracts the cookie (sets the date in the past) and redirects to a page on the module site (or an image on the module site).

This scheme is working in all browsers, except IE, as it needs a P3P (probably the reason why it is not working for images is similar).

I also tried loading a non-existent image on the source domain (that is, the domain that is using the module) through an image tag, obviously resulting in a 404. This works on all browsers, except Safari, which doesn't set cookies on 404s (at least, that is my conclusion).

My question is, how would it be possible to retract the cookie consent cookie on the connected domains, given that all I can change are the rewrite rules?

I hope that I have explained the problem well enough for you guys to give an answer, and that a solution is possible...

jberculo
  • Why don't you load a blank file image instead of a non-existent image? – Jon Nov 20 '13 at 15:44
  • Wouldn't a blank image file hit the same p3p barrier? If not (which I doubt), it means that we should add a file to every domain where the module is installed, which is next to impossible... – jberculo Nov 20 '13 at 20:14
  • possible duplicate of [How to use SetEnv with a URL parameter](http://stackoverflow.com/questions/1280220/how-to-use-setenv-with-a-url-parameter) – Paul Sweatte Nov 25 '13 at 21:59
  • How would that be a duplicate? – jberculo Dec 19 '13 at 09:44

1 Answer

0

I am still not able to resolve this question, but when looking at it the other way around there is a solution. Using JSONP (for an example, see: Basic example of using .ajax() with JSONP?), the client domain can load information from the master server and compare that to local information.

Based on that, the client site can retract the cookie (or even replace it) and force a reload which will trigger the rewrite rules...

A drawback of this solution is that it will hit the server for every pageview, and in my case, that's a real problem. Only testing that every x minutes or so (by setting a temporary cookie) would provide a solution.

Another, even simpler solution would be to expire all the cookies on the client site every x hours. This will force a revisit of the main domain as well.

jberculo
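The throttled check described in the answer above, sketched as an added example that is not part of the original post: the client site asks the master domain over JSONP only when a temporary cookie has expired, and retracts its consent cookie when the two disagree. The cookie names, the 10-minute interval, the `ccCallback` name and the `{consent: "..."}` response shape are all assumptions.

```javascript
// Added example; all names and values below are assumptions, not the module's own.
const CONSENT = 'cc_consent';   // hypothetical consent cookie on the client site
const THROTTLE = 'cc_checked';  // hypothetical temporary "recently checked" cookie
const CHECK_INTERVAL_S = 600;   // "every x minutes": 10 minutes here

// Parse a document.cookie string into a name -> value map.
function parseCookies(header) {
  const out = Object.create(null); // no prototype, so odd cookie names are harmless
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// True when the throttle cookie is gone, so the master must be asked again.
function needsCheck(cookieHeader) {
  return !(THROTTLE in parseCookies(cookieHeader));
}

// Decide what to write once the master server has answered.
// Returns { cookies: [strings to assign to document.cookie], reload: boolean }.
function reconcile(cookieHeader, masterValue) {
  const local = parseCookies(cookieHeader)[CONSENT];
  const cookies = [`${THROTTLE}=1; Max-Age=${CHECK_INTERVAL_S}; Path=/; SameSite=Lax`];
  if (local === undefined || local === masterValue) return { cookies, reload: false };
  // Preferences differ: retract the consent cookie by dating it in the past.
  // Path must match the path the cookie was originally set with (assumed "/").
  cookies.push(`${CONSENT}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/`);
  return { cookies, reload: true };
}

// Browser wiring: JSONP request to the master domain (masterUrl is a placeholder).
function syncConsent(masterUrl) {
  if (!needsCheck(document.cookie)) return; // checked recently, no server hit
  window.ccCallback = (data) => {
    const r = reconcile(document.cookie, String(data.consent));
    r.cookies.forEach((c) => { document.cookie = c; });
    if (r.reload) location.reload(); // the reload triggers the rewrite rules
  };
  const s = document.createElement('script');
  s.src = masterUrl + '?callback=ccCallback';
  document.head.appendChild(s);
}
```
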