Cookie audit findings on Blogs.ed
As part of the Blogs.ed service planning, the service team identified a number of third-party plugins, themes and services that we wanted to integrate into the new service. We have collated our own cookie findings for an out-of-the-box WordPress installation, and also detailed how issues with third-party services were mitigated.
Cookies / local storage on our service
Information on cookies set by WordPress seems to be a little fragmented, with the WordPress Codex displaying less detail than the WordPress Cookie Policy page.
WordPress Cookies page on codex.wordpress.org
WordPress Cookie Policy on wordpress.org
The table below displays default WordPress cookies and local storage usage on our service with names, sample data and purpose.
WordPress core and administration areas
Cookie name | Example value | Persistent? | Purpose |
---|---|---|---|
wordpress_logged_in_{hash} | {username}%{hash}%{hash} | Yes (up to two weeks) | Set when the user logs in; records which user is logged in. |
wordpress_sec_{hash} | {username}%{hash}%{hash}%{hash} | Yes (up to two weeks) | Stores logged-in user authentication details (in WordPress admin). |
wordpress_test_cookie | WP+Cookie+check | No (until session ends) | Tests whether the device can receive cookies. |
wp-settings-{int} | editor%3Dtinymce%26hidetb%3D0 | Yes (up to one year) | Stores user customisation options for the WordPress interface. |
wp-settings-time-{int} | 1530782291 | Yes (up to one year) | Time at which wp-settings-{int} was set. |
wp-saving-post | {post-id}-saved | Yes (up to one day) | Records whether a saved copy exists for the post currently being edited; if so, the user is offered the option to restore it. |
Infrastructure
Cookie name | Example value | Persistent? | Purpose |
---|---|---|---|
NSC_efw.cmpht.de.bd.vl | {hash} | No (until session ends) | Load balancer |
PHPSESSID | {hash} | No (until session ends) | Set by PHP, a general purpose identifier used to maintain user session variables. |
Local storage
Origin | Type | Persistent? | Purpose |
---|---|---|---|
fonts.googleapis.com | Certificate (ecdsa_sign) | Yes | Channel ID (a Chrome / Chromium feature for TLS encryption keys). |
Auditing third-party plugins and themes
Using the cookie auditing process we developed (I’ll talk about this soon!), we identified issues in some plugins and themes that prevented us from using them. To accommodate as many types of blog as possible, one service goal was to use third-party themes and plugins where possible; however, we were unable to use some popular ones because of how they handle content from third parties.
Plugin: AddToAny Share Buttons
The plugin places two cookies on a device via a third-party domain (addtoany.com). This kind of technology could be used to track a user’s activity across different websites. Being able to share content easily was an important goal for the Blogs.ed platform, so the team developed a new plugin that outputs “Share” buttons for Facebook, Twitter, LinkedIn and an email link without using any additional third-party APIs or services. When any of the buttons is pressed, the user is taken to the appropriate service’s native share sheet.
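As an added illustration (not the Blogs.ed team’s own plugin), here is a minimal WordPress plugin that takes the same approach: plain links to each service’s native share sheet, so no third-party script or cookie is loaded on the blog page. The share-endpoint URLs are assumed to be the services’ current ones and are not taken from this post.

```php
<?php
/*
Plugin Name: Cookie-free share buttons (illustrative example)
*/

// Build the native share-sheet URLs for a post. Each entry is a plain
// anchor to the service's own endpoint; nothing from the service runs here.
function cfsb_share_links( $url, $title ) {
    $u = rawurlencode( $url );
    $t = rawurlencode( $title );
    return array(
        'Share on Facebook' => 'https://www.facebook.com/sharer/sharer.php?u=' . $u,
        'Share on Twitter'  => 'https://twitter.com/intent/tweet?url=' . $u . '&text=' . $t,
        'Share on LinkedIn' => 'https://www.linkedin.com/sharing/share-offsite/?url=' . $u,
        'Share by email'    => 'mailto:?subject=' . $t . '&body=' . $u,
    );
}

// Render the links as HTML. rel="noopener noreferrer" keeps the share sheet
// from reaching back into the opener window and suppresses the Referer header.
function cfsb_render_buttons( $url, $title ) {
    $html = '<ul class="cfsb-share">';
    foreach ( cfsb_share_links( $url, $title ) as $label => $href ) {
        $html .= sprintf(
            '<li><a href="%s" target="_blank" rel="noopener noreferrer">%s</a></li>',
            esc_url( $href ),   // esc_url permits http(s) and mailto by default
            esc_html( $label )
        );
    }
    return $html . '</ul>';
}

// [share_buttons] shortcode for use in posts, pages and text widgets.
add_shortcode( 'share_buttons', function () {
    return cfsb_render_buttons( get_permalink(), get_the_title() );
} );

// Optionally append the buttons to every single post in the main loop.
add_filter( 'the_content', function ( $content ) {
    if ( is_singular( 'post' ) && in_the_loop() && is_main_query() ) {
        $content .= cfsb_render_buttons( get_permalink(), get_the_title() );
    }
    return $content;
} );
```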
Plugin: Easy Twitter Feed Widget
This very popular plugin initialised Twitter APIs, which could allow Twitter to collect information about logged-in users. Additionally, the service was initialised on pages even where no feeds were displayed, which would have had an (admittedly small) performance impact. We developed another custom plugin which instead uses the Twitter PHP API (so no front-end technologies are involved) and provides an easy-to-use interface for website administrators to return tweets by username or hashtag. They can also configure the number of tweets to return and the colours of text and hyperlinks, so the widget can be customised to fit their theme.
Service: Google Analytics
By default, Google Analytics will place up to five cookies on a user’s machine, so it was important that the service gives a visitor the opportunity to prevent this. The Blogs.ed service uses the same cookie banner system developed for the University website (EdWeb), which presents an interface inviting the visitor to review their privacy options and instructs the service to act accordingly. If they choose not to accept performance cookies, the service disables Google Analytics for that user.
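An added example (not the EdWeb banner code, whose cookie format is not described here) of how a WordPress site can gate the Google Analytics snippet on the visitor’s recorded choice. It assumes the banner stores the choice in a cookie named `cookie_consent_performance` (placeholder) with the value `accepted`, and it defaults to not loading GA when no choice has been recorded.

```php
<?php
// Consent-gated Google Analytics loader. Placeholder names are assumptions.
const CG_CONSENT_COOKIE = 'cookie_consent_performance'; // assumed banner cookie
const CG_GA_ID          = 'UA-XXXXXXXX-X';              // placeholder property id

// Default deny: performance cookies count as allowed only when the banner
// has explicitly recorded acceptance. A missing or unexpected value is "no".
function cg_performance_cookies_allowed() {
    return isset( $_COOKIE[ CG_CONSENT_COOKIE ] )
        && $_COOKIE[ CG_CONSENT_COOKIE ] === 'accepted';
}

add_action( 'wp_head', function () {
    if ( ! cg_performance_cookies_allowed() ) {
        return; // gtag.js is never requested, so GA sets no cookies at all
    }
    printf(
        '<script async src="https://www.googletagmanager.com/gtag/js?id=%s"></script>',
        esc_attr( CG_GA_ID )
    );
    printf(
        "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
        . "gtag('js',new Date());gtag('config','%s',{'anonymize_ip':true});</script>",
        esc_js( CG_GA_ID )
    );
} );
```

Because the check runs server-side before any output, a visitor who declines performance cookies never downloads gtag.js, which is easy to confirm in the browser’s network panel during an audit.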
Theme: TRU Writer
The TRU Writer theme output a “Tweet this” button in the footer, which used the Twitter JavaScript API. We really love this theme and what it does, so we contacted the theme developer and offered to develop an “opt-in” option for the button, so it could be turned off and therefore not output any of the Twitter JavaScript API. The developer then added a similar function themselves and updated their theme accordingly (thanks, Alan!).
Giving back to the WordPress community
Without making any commitments, we are looking at the feasibility of releasing our cookie-free share buttons and Twitter widget back to the WordPress community. It’s likely we’ll put them on the team’s GitHub account; stay tuned for any updates!
View the UoE-DLAM repository on the GitHub website