Is it possible to block cookies from being set using JavaScript or PHP?

I'm pretty interested in this answer too. I've accomplished what I need to accomplish in PHP, but the JavaScript component still eludes me.

Here's how I'm doing it in PHP:

$dirty = false;
foreach (headers_list() as $header) {
    // Header names are case-insensitive; match only at the start of the line
    if (preg_match('/^Set-Cookie:/i', $header)) {
        $dirty = true;
        break; // I already know it needs to be cleaned
    }
}
if ($dirty) {
    // Compare the full version; testing only the minor number misfires on 7.0, 8.1, ...
    if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
        header_remove('Set-Cookie'); // php 5.3
    } else {
        header('Set-Cookie:'); // php 5.2
    }
}

Then I have some additional code that turns this off when the user accepts cookies.

The problem is that there are third-party plugins being used on my site that manipulate cookies via JavaScript, and short of scanning through them to determine which ones access document.cookie, they can still set cookies.

It would be convenient if they all used the same framework, so I might be able to override a setCookie function - but they don't.

It would be nice if I could just delete or disable document.cookie so it becomes inaccessible...

EDIT: It is possible to prevent JavaScript access to get or set cookies.

document.__defineGetter__("cookie", function() { return '';} );
document.__defineSetter__("cookie", function() {} );

EDIT 2: For this to work in IE:

if(!document.__defineGetter__) {
    // No trailing comma after the last property: old IE rejects it
    Object.defineProperty(document, 'cookie', {
        get: function(){return ''},
        set: function(){return true}
    });
} else {
    document.__defineGetter__("cookie", function() { return '';} );
    document.__defineSetter__("cookie", function() {} );
}

I adapted Michael's code from here to come up with this.

Basically it uses the defineGetter and defineSetter methods to set all the cookies on the page and then remove the user-specified ones; this role could of course also be reversed if this is what you are aiming for.

I have tested this with third-party cookies such as Google Analytics and it appears to work well (excluding the __utmb cookie means I am no longer picked up in Google Analytics). Maybe you could use this and adapt it to your specific needs.

I've included the part about if a cookie's name is not __utmb for your reference, although you could easily take these values from an array and loop through them that way.

Basically this function will include all cookies except those specified in the part that states if( cookie_name.trim() != '__utmb' ) { all_cookies = all_cookies + cookies[i] + ";"; }

You could add to this using OR or AND filters or pull from an array, database, user input or whatever you like to exclude specific ones (useful for determining between essential and non-essential cookies).

function deleteSpecificCookies() {

    var cookies = document.cookie.split(";");
    var all_cookies = '';

    // Keep every cookie except the excluded one
    for (var i = 0; i < cookies.length; i++) {

        var cookie_name = cookies[i].split("=")[0];

        if( cookie_name.trim() != '__utmb' ) { all_cookies = all_cookies + cookies[i] + ";"; }

    }

    // Replace document.cookie: reads return the filtered list, writes are ignored
    if(!document.__defineGetter__) {

        // No trailing comma after the last property: old IE rejects it
        Object.defineProperty(document, 'cookie', {
            get: function(){return all_cookies; },
            set: function(){return true}
        });

    } else {

        document.__defineGetter__("cookie", function() { return all_cookies; } );
        document.__defineSetter__("cookie", function() { return true; } );

    }

}
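
Added example (not code from either answer above): the overrides above either blank document.cookie or freeze it to a snapshot, whereas the code below wraps the native accessor so reads stay live and writes pass only for allow-listed names or once consent is given. The `ESSENTIAL` list, the `installCookieGate` and `hasConsent` names and the fake document are assumptions made for illustration; in a current browser you would pass `document` and `Document.prototype`.

```javascript
const ESSENTIAL = new Set(['PHPSESSID']); // hypothetical allow-list (constructed)

function cookieName(assignment) {
  const pair = String(assignment).split(';')[0]; // drop Path=, Expires=, ...
  const eq = pair.indexOf('=');
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

function installCookieGate(doc, proto, hasConsent) {
  // The native accessor lives on the prototype, so it stays reachable
  const native = Object.getOwnPropertyDescriptor(proto, 'cookie');
  if (!native || !native.set) throw new Error('no cookie accessor found');
  const blocked = [];
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return native.get.call(doc); }, // reads stay live, not a snapshot
    set(value) {
      const name = cookieName(value);
      if (hasConsent() || ESSENTIAL.has(name)) native.set.call(doc, value);
      else blocked.push(name); // record which names were refused
    }
  });
  return blocked;
}

// Constructed stand-in for a browser document, so the gate also runs under Node.
function makeFakeDocument() {
  const jar = new Map();
  const proto = {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(v) {
      const pair = String(v).split(';')[0];
      jar.set(cookieName(v), pair.slice(pair.indexOf('=') + 1).trim());
    }
  };
  return { doc: Object.create(proto), proto };
}

function demo() {
  const { doc, proto } = makeFakeDocument();
  let consent = false;
  const blocked = installCookieGate(doc, proto, () => consent);
  doc.cookie = '__utmb=1.2.3; path=/';   // refused: no consent yet
  doc.cookie = 'PHPSESSID=abc; path=/';  // passes: on the allow-list
  const before = doc.cookie;
  consent = true;
  doc.cookie = '__utmb=1.2.3; path=/';   // passes once consent is given
  return { before, after: doc.cookie, blocked };
}
```

The gate only covers writes made through document.cookie on this document, so it has to be installed before any third-party script runs. Cookies set by HTTP response headers, by scripts inside other frames, or through the Cookie Store API are not affected.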

A little bit old, but I think you deserve an answer that works:

Step 1: Don't execute the third party script code.

Step 2: Show the cookie banner.

Step 3: Wait until the user accepts; now you can execute the third party script code.

Worked for me.


You cannot disable it completely, but you can override the default setting with .htaccess

Try

 # PHP ini settings in .htaccess need php_flag/php_value (PHP running as an Apache module)
 php_flag session.use_cookies off

If it is optional for some users, don't use .htaccess

if(!$isAuth)
{
    ini_set('session.use_cookies', '0');
}