Cookie audit findings on Blogs.ed


As part of the Blogs.ed service planning, the service team identified a number of third-party plugins, themes and services that we wanted to integrate into the new service. We have collated our own cookie findings for an out-of-the-box WordPress installation, and also detailed how issues with third-party services were mitigated.

Cookies / local storage on our service

Information on cookies set by WordPress seems to be a little fragmented, with the WordPress Codex displaying less detail than the WordPress Cookie Policy page.

WordPress Cookies page on codex.wordpress.org

WordPress Cookie Policy on wordpress.org

The table below displays default WordPress cookies and local storage usage on our service with names, sample data and purpose.

WordPress core and administration areas

Cookie name | Example value | Persistent? | Purpose
wordpress_logged_in_{hash} | {username}%{hash}%{hash} | Yes (up to two weeks) | Set when the user logs in; records who the logged-in user is.
wordpress_sec_{hash} | {username}%{hash}%{hash}%{hash} | Yes (up to two weeks) | Stores logged-in user authentication details (in WordPress admin).
wordpress_test_cookie | WP+Cookie+check | No (until session ends) | Tests whether the device can receive cookies.
wp-settings-{int} | editor%3Dtinymce%26hidetb%3D0 | Yes (up to one year) | Stores user customisation options for the WordPress interface.
wp-settings-time-{int} | 1530782291 | Yes (up to one year) | Time at which wp-settings-{int} was set.
wp-saving-post | {post-id}-saved | Yes (up to one day) | Tracks whether a saved draft exists for the post currently being edited; if so, the user is offered the option to restore it.

Infrastructure

Cookie name | Example value | Persistent? | Purpose
NSC_efw.cmpht.de.bd.vl | {hash} | No (until session ends) | Load balancer.
PHPSESSID | {hash} | No (until session ends) | Set by PHP; a general-purpose identifier used to maintain user session variables.

Local storage

Cookie name | Type | Persistent? | Purpose
fonts.googleapis.com | Certificate (ecdsa_sign) | Yes | Channel ID (a Chrome / Chromium feature for TLS encryption keys).

Auditing third-party plugins and themes

Using the cookie auditing process we developed (I’ll talk about this soon!), we identified issues in several plugins and themes that prevented us from using them. One of the service goals was to use third-party themes and plugins wherever possible, so that we could accommodate as many types of blog as possible; however, we were unable to use some popular ones because of how they handle content from third parties.

Plugin: AddToAny Share Buttons

The plugin places two cookies on a device, using a third-party domain (addtoany.com). This kind of technology could be used to track a user’s activity across different websites. Being able to share content easily was an important goal for the Blogs.ed platform, so the team developed a new plugin that outputs “Share” buttons for Facebook, Twitter, LinkedIn and an email link without using any additional third-party APIs or services. When any of the buttons is pressed, the user is taken to the appropriate service’s native share sheet.
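The approach described above, as an added example rather than the Blogs.ed plugin’s own code: each button is a plain hyperlink to the service’s own share page, so no script from the share service runs on the blog and no third-party cookie can be set until the visitor actually clicks. The function names and the `[share_buttons]` shortcode name are assumptions.

```php
<?php
// Added example of cookie-free share buttons (not the Blogs.ed plugin's code).
// Each target is a plain link to the service's native share page; nothing from
// the share service is loaded into the blog page itself.

// Build a map of label => share URL for the given page URL and title.
function blogsed_example_share_links( string $url, string $title ): array {
    $u = rawurlencode( $url );
    $t = rawurlencode( $title );
    return array(
        'Facebook' => 'https://www.facebook.com/sharer/sharer.php?u=' . $u,
        'Twitter'  => 'https://twitter.com/intent/tweet?url=' . $u . '&text=' . $t,
        'LinkedIn' => 'https://www.linkedin.com/shareArticle?mini=true&url=' . $u . '&title=' . $t,
        'Email'    => 'mailto:?subject=' . $t . '&body=' . $u,
    );
}

// Render the links as HTML, escaping each value for the context it lands in.
// rel="noopener noreferrer" stops the opened share page from reaching back
// into this window and from receiving the blog URL as a Referer header.
function blogsed_example_share_buttons_html( string $url, string $title ): string {
    $html = '<ul class="share-buttons">';
    foreach ( blogsed_example_share_links( $url, $title ) as $label => $href ) {
        $html .= sprintf(
            '<li><a href="%s" rel="noopener noreferrer" target="_blank">%s</a></li>',
            esc_url( $href ),
            esc_html( $label )
        );
    }
    return $html . '</ul>';
}

// Shortcode name is an assumption; usable in post content or templates.
add_shortcode( 'share_buttons', function () {
    return blogsed_example_share_buttons_html( get_permalink(), get_the_title() );
} );
```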

Plugin: Easy Twitter Feed Widget

This very popular plugin initialised Twitter APIs, which could allow Twitter to collect information about logged-in users. Additionally, the service was initialised on pages even where no feeds were displayed, which would have had an (admittedly small) performance impact. We developed another custom plugin which instead uses the Twitter PHP API (so no front-end Twitter code is loaded), and provides an easy-to-use interface for website administrators to return tweets by username or hashtag. They can also configure the number of tweets to return and the colours of text and hyperlinks, so the widget can be customised to fit their theme.

Service: Google Analytics

By default, Google Analytics will place up to five cookies on a user’s machine, so it was important that the service gives a visitor the opportunity to prevent this from happening. The Blogs.ed service uses the same cookie banner system developed for the University website (EdWeb), which presents an interface inviting the visitor to review their privacy options and instructs the service to act accordingly. If they choose not to accept performance cookies, the service disables Google Analytics for that user.
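One way to implement the "act accordingly" step on the WordPress side, as an added example that is not the EdWeb banner or the Blogs.ed code: the analytics snippet is only printed when a consent cookie explicitly lists the performance category, so a visitor with no banner decision gets no Google Analytics at all. The consent cookie name, its comma-separated value format, the function names and the property ID are assumptions.

```php
<?php
// Added example (not the EdWeb banner or Blogs.ed code): gate the Google
// Analytics snippet on an opt-in consent cookie. Cookie name and value format
// are assumed; the property ID is a placeholder.
const BLOGSED_EXAMPLE_CONSENT_COOKIE = 'cookie_consent';   // assumed name
const BLOGSED_EXAMPLE_GA_ID          = 'UA-XXXXXXXX-X';    // placeholder

// True only when the consent cookie exists and lists "performance".
// A missing cookie or an unexpected value means no consent (opt-in, not opt-out).
function blogsed_example_performance_cookies_allowed( array $cookies ): bool {
    if ( ! isset( $cookies[ BLOGSED_EXAMPLE_CONSENT_COOKIE ] ) ) {
        return false;
    }
    $categories = explode( ',', (string) $cookies[ BLOGSED_EXAMPLE_CONSENT_COOKIE ] );
    return in_array( 'performance', array_map( 'trim', $categories ), true );
}

// Print the gtag.js snippet in <head> only when allowed. When it is not, nothing
// is emitted, so the Google script never loads and none of its cookies are set.
add_action( 'wp_head', function () {
    if ( ! blogsed_example_performance_cookies_allowed( $_COOKIE ) ) {
        return;
    }
    $id = esc_attr( BLOGSED_EXAMPLE_GA_ID );
    echo '<script async src="https://www.googletagmanager.com/gtag/js?id=' . $id . '"></script>';
    echo '<script>window.dataLayer = window.dataLayer || [];'
       . 'function gtag(){dataLayer.push(arguments);}'
       . "gtag('js', new Date());"
       . "gtag('config', '" . esc_js( BLOGSED_EXAMPLE_GA_ID ) . "');</script>";
} );
```

Because this check runs on the server, it is only reliable when pages are rendered per visitor; behind a full-page cache the decision must be made client-side instead, or the consent cookie must be part of the cache key.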

Theme: TRU Writer

The TRU Writer theme output a “Tweet this” button in the footer, which used the Twitter JavaScript API. We really love this theme and what it does, so we contacted the theme developer and offered to develop an “opt-in” option for the button, so that it could be turned off and therefore not output any of the Twitter JavaScript API. The developer then added a similar function themselves and updated their theme accordingly (thanks, Alan!).

Giving back to the WordPress community

Without making any commitments, we are looking at the feasibility of releasing our cookie-free share buttons and Twitter widget back to the WordPress community. It’s likely we’ll put them on the team’s GitHub account; stay tuned for any updates!

View the UoE-DLAM repository on the GitHub website
