
Disable Cookie creation or session starting for guests

Started by frakster, August 27, 2015, 11:43:00 PM


frakster

Hello,
Just getting SMF rolling after loads of siege testing, and hit a bit of a bump.
There's seemingly no way to disable cookies or sessions for guests, e.g. the cookie is made on load. With cookies off, session IDs are in the URLs.

I've toyed around a bit with removing loadSession(); via the index.php etc. But it would then need to be added in many other places. I'm also unsure of the security implications of such a modification. I'm only testing this locally in a cloned virtual environment.

Ideally a cookie would only be made if the user signed in or clicked the login/register button.

FWIW: I'm not doing this for 'pretty URLs' or anything SEO related, as most of the URL stuff is moot when canonicals are correctly used. And pretty URLs are at best minimally helpful anyway.

I'm doing this for nginx fastcgi_cache using $map, so as to send cached data only to non-logged-in users. The result is 0 DB queries and thousands of requests per second on even a tiny server/VPS.

Granted, SMF is already fast as hell, but we've seen a few traffic hits that needlessly caused php-fpm to chomp CPU usage sending data to guests. Guests don't deserve PHP time lol

Server setup:
Debian wheezy - would love grsec but this VPS company is just so inexpensive.
nginx 1.7 - compiled
PHP 5.6.5 - compiled, minimal
OPcache -> which is amazing btw
MySQL etc. SQL temp moved to its own limited tmpfs.
Entire site running out of restricted tmpfs @ read only. Avatars on a different static-only subdomain / SSD.
Caching in separate restricted tmpfs.
Sessions in separate restricted tmpfs.
-zoom

Is there any way to remove guest cookies and sessions, via coding or otherwise?
Just wondering if there's any solution to this, as creating cookies/sessions for guests seems almost pointless. TBH I really don't care if they can tell if they've clicked a link or not ;). ./make emm register for that hah.

Thanks :)

margarett

I don't know of any way to do so. In fact, that would be great for compliance with the EU cookie law...
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: "Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair"

frakster

Quote from: margarett on August 28, 2015, 05:21:16 AM
I don't know of any way to do so. In fact, that would be great for compliance with the EU cookie law...
I agree.

With SMF I was able to achieve this in the local testing environment by removing the loadSession(); from the /index.php. I then experimented with adding it to the LogInOut.php / Admin.php ("it will need to be added elsewhere as well by the looks of things"). I think it's possible to make it work like this. However, I'm unsure if there are any security concerns in doing so.

I'm fairly sure I can make the above work but I don't want to introduce a new bug or security issue. I would love to know if moving the loadSession is safe.

Kindred

There is a security concern...   that's why we ADDED the session variable to the URL in the first place...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

frakster

Quote from: Kindred on August 28, 2015, 04:23:50 PM
there is a security concern...   that's why we ADDED the session variable to the URL in the first place...

Just came across this post by 青山 素子
http://www.simplemachines.org/community/index.php?topic=425349.msg3318761#msg3318761

I manually added the below to the load.php based on the information in the attached patch.

    global $cookiename;
    // Skip session handling entirely when the SMF login cookie is absent (i.e. for guests).
    if (!isset($_COOKIE[$cookiename])) {
        return;
    }


In my test environment it seems to work. Would this also cause a security risk?
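As an added illustration, and not SMF's own code nor the patch frakster or 青山 素子 posted, here is a hypothetical gate that starts a session only when the request actually needs one, and sets a Cache-Control header to match, so that a shared cache such as the nginx fastcgi_cache setup from the first post only stores anonymous reads. The snippet quoted above returns from session handling whenever the login cookie is missing, which also skips the session on login/register POSTs and on requests that carry the session id in the URL; the gate below keeps those. It assumes that SMF's per-form session check on POSTed actions relies on the session existing, and the action names, the $cookiename value and the guest TTL are assumptions to adjust for the installed version.

```php
<?php
// Hypothetical example (not SMF's code): decide whether a request needs a PHP
// session and which Cache-Control header to emit, so a reverse-proxy cache
// only stores and serves pages for anonymous GET/HEAD requests.

// Actions that must always get a session, because the per-form session check
// (CSRF protection) on the POST that follows needs one to compare against.
// Assumed names; check them against the installed SMF version.
const SESSION_REQUIRED_ACTIONS = ['login', 'login2', 'register', 'register2', 'reminder', 'post', 'post2'];

/**
 * Return true when the request should start (or resume) a session.
 *
 * @param array  $cookies    Contents of $_COOKIE
 * @param string $method     HTTP method
 * @param string $action     Value of ?action= (empty string when absent)
 * @param string $cookiename SMF's $cookiename (the login cookie name)
 * @param string $query      Raw query string, to spot a session id carried in the URL
 */
function guestSessionNeeded(array $cookies, string $method, string $action, string $cookiename, string $query = ''): bool
{
    // A login cookie or a PHP session cookie already exists: resume it, never drop it.
    if (isset($cookies[$cookiename]) || isset($cookies[session_name()])) {
        return true;
    }
    // Session id carried in the URL (the cookies-off fallback the thread mentions).
    if (preg_match('/(^|&)' . preg_quote(session_name(), '/') . '=/', $query)) {
        return true;
    }
    // Anything that is not a plain read must keep its session for the form check.
    if ($method !== 'GET' && $method !== 'HEAD') {
        return true;
    }
    // Pages whose form will be POSTed next need a session to put the check value in.
    return in_array($action, SESSION_REQUIRED_ACTIONS, true);
}

/**
 * Cache-Control value telling a shared cache what it may store:
 * sessioned responses are private; anonymous reads may be shared briefly.
 */
function cacheControlFor(bool $sessioned, int $guestTtl = 60): string
{
    return $sessioned ? 'private, no-cache, no-store' : 'public, max-age=' . $guestTtl;
}

// Usage sketch, as it would sit near the top of a front controller.
if (PHP_SAPI !== 'cli') {
    $cookiename = 'SMFCookie11'; // assumed value; SMF configures this in Settings.php
    $needsSession = guestSessionNeeded(
        $_COOKIE,
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        (string) ($_GET['action'] ?? ''),
        $cookiename,
        $_SERVER['QUERY_STRING'] ?? ''
    );
    if ($needsSession) {
        session_start(); // in SMF this is where loadSession() would run
    }
    header('Cache-Control: ' . cacheControlFor($needsSession));
}
```

Two properties make this safer than keying the cache on the login cookie alone: nginx's fastcgi_cache honours Cache-Control: private/no-store, and by default it refuses to store any response that carries a Set-Cookie header, so a response that started a session is never cached even if the request-side cookie map misses it. The $map on the cookie name then only decides whether a request bypasses the cache; it is not what keeps a logged-in user's page out of it.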

frakster

So does anyone know if the above solution is still viable and or secure?

Kindred

I am not certain, but I would hazard that it is not secure and could allow intercepted or falsified sessions or something along those lines

frakster

Quote from: Kindred on September 02, 2015, 05:57:55 PM
I am not certain, but I would hazard that it is not secure and could allow intercepted or falsified sessions or something along those lines
Thanks for your reply. I was thinking the same thing. Do you by chance have a testing method? Or if there's a sec team that deals with this type of thing?

I also noticed in the code it seems session URLs aren't created for a few search bots/agents.
Just brainstorming here, but if different security methods are in place to deal with said bots, I'm wondering if they can be carried over to all user agents. On the flip side, if no additional methods are used, that would have me a little worried. I won't go into details ;)

Overall, disabling cookies/sessions for guests would seem to benefit both server load in having to deal with guest sessions, and users that actually care about that EU cookie law. Personally I don't care about the cookie law; IMO it was made by morons for morons. I hope that's not too harsh for this forum, but frankly I can think of half a dozen other things in most browsers that are far worse than 1st party/visited cookies in regards to tracking or security. /rambleOff lol.

Beer time :)



Kindred

well, I know for certain that the sessions for guests was done with complete forethought and on purpose...

feline

Well... SMF will work (limited) without any SESSION or COOKIE, but it's a lot of work to make everything work properly.
I have implemented that in 2.0 and also in 2.1 Beta for the EU legislation on cookie law.

You can see that on our sites...

frakster

Thanks for your reply.
Mind if I inquire as to what method you used for session removal?

feline

Quote from: frakster on September 03, 2015, 09:38:03 PM
Thanks for your reply.
Mind if I inquire as to what method you used for session removal?
Simple: don't create sessions and cookies :D
But... that is more complex... you can take a look at our Portal Software; look on https://github.com/PortaMx

frakster

I'm not really looking for a portal but thanks.
I only run a custom layout and one mod and the mod may get ditched soon. I'm trying to stay as close to stock as possible, minus sessions ;)
