[wp-trac] [WordPress Trac] #46618: Change login behaviour to only set the test cookie when a user attempts to login instead of just on visiting the login page

WordPress Trac noreply at wordpress.org
Fri Apr 5 05:02:25 UTC 2019


#46618: Change login behaviour to only set the test cookie when a user attempts to
login instead of just on visiting the login page
------------------------------------+----------------------------------
 Reporter:  garrett-eclipse         |       Owner:  (none)
     Type:  enhancement             |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Login and Registration  |     Version:
 Severity:  normal                  |  Resolution:
 Keywords:  2nd-opinion             |     Focuses:  javascript, privacy
------------------------------------+----------------------------------
Changes (by garrett-eclipse):

 * keywords:  needs-patch close => 2nd-opinion


Comment:

 Thanks @ocean90, I appreciate the feedback; you're correct that the current
 implementation requires the page load to save the test cookie. As @Clorith
 pointed out, if the cookie is placed on page load it would be nice to
 indicate to the user prior to their login attempt that cookies are
 disabled; this would require a JavaScript check.

 The main point that came out of raising it in the #core-privacy meeting
 was:
 - Although the cookie only sets a string and doesn't contain any PII
 (Personally Identifiable Information), its existence can be used to
 identify users' browsing behaviours and history.
 Slack Reference - https://wordpress.slack.com/archives/core-privacy/p1554319956043300

 Another issue raised by the cookie notice currently is it's often
 misleading as it flags in some cases even when the user has cookies
 enabled.
 For instance - #44544

 A potential improvement to the login behaviour could be to use JavaScript's
 `navigator.cookieEnabled` in order to display the cookie error prior to
 login, warning the user they need to enable cookies while avoiding a
 cookie, and upon login either attempt to determine cause and display an
 appropriate error or default to a generic error linking to support
 documentation that can elaborate on potential causes.

 I understand the current behaviour requires the test cookie but if the
 suggestion above has any merit I'd be happy to pursue it further.

 All the best

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/46618#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
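
The flow suggested in the comment above, as an added example that is not part of the original message and is not WordPress code: a pre-login check that reads only `navigator.cookieEnabled` and writes no cookie, and a post-login fallback to a generic notice. The function names, notice codes, `SUPPORT_URL` and the `testCookieReturned` flag are assumptions made for illustration.

```javascript
// Added illustration. All names and SUPPORT_URL are hypothetical placeholders.
const SUPPORT_URL = 'https://example.org/support/cookies';

// Before any login attempt: decide whether to warn the visitor.
// Only navigator.cookieEnabled is read, so nothing is stored in the
// browser just because the login page was opened.
function preLoginNotice(nav) {
  if (!nav || typeof nav.cookieEnabled !== 'boolean') {
    return null; // property unavailable: cannot tell, so show nothing yet
  }
  if (nav.cookieEnabled) {
    return null;
  }
  return {
    code: 'cookies_disabled',
    message: 'Cookies are disabled in this browser. Enable them to log in.',
  };
}

// After a login attempt: testCookieReturned is an assumed flag from the
// server saying whether the test cookie set on submission came back.
function postLoginNotice(nav, testCookieReturned) {
  if (testCookieReturned) {
    return null; // cookie round-trip worked, nothing to report
  }
  // Cause is known: the browser itself reports cookies as disabled.
  const known = preLoginNotice(nav);
  if (known) {
    return known;
  }
  // Browser reports cookies enabled but the cookie never arrived.
  // Do not claim cookies are off; point to documentation instead.
  return {
    code: 'cookie_rejected',
    message: 'The login cookie was not accepted. See ' + SUPPORT_URL +
      ' for possible causes.',
  };
}
```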

