Showing results for 'cookie'.

  1. ---
     Module Directory: https://modules.processwire.com/modules/privacy-wire/
     Github: https://github.com/blaueQuelle/privacywire/
     Packagist: https://packagist.org/packages/blauequelle/privacywire
     Module Class Name: PrivacyWire
     Changelog: https://github.com/blaueQuelle/privacywire/blob/master/Changelog.md
     ---
     This module is (yet another) way of implementing a cookie management solution. Of course there are several other possibilities:
     - https://processwire.com/talk/topic/22920-klaro-cookie-consent-manager/
     - https://github.com/webmanufaktur/CookieManagementBanner
     - https://github.com/johannesdachsel/cookiemonster
     - https://www.oiljs.org/
     - ... and so on ...
     In this module you can configure which kind of cookie categories you want to manage:
     You can also enable support for respecting the Do-Not-Track (DNT) header, to not annoy users who already decided for all their browsing experience.
     Currently there are four possible cookie groups:
     - Necessary (always enabled)
     - Functional
     - Statistics
     - Marketing
     - External Media
     All groups can be renamed, so feel free to use other cookie group names. I just haven't found a way to implement a "repeater like" field as configurable module field ...
     When you want to load specific scripts (like Google Analytics, Google Maps, ...) only after the user's consent to this specific category of cookies, just use the following script syntax:
         <script type="text/plain" data-type="text/javascript" data-category="statistics" data-src="/path/to/your/statistic/script.js"></script>
         <script type="text/plain" data-type="text/javascript" data-category="marketing" data-src="/path/to/your/mareketing/script.js"></script>
         <script type="text/plain" data-type="text/javascript" data-category="external_media" data-src="/path/to/your/external-media/script.js"></script>
         <script type="text/plain" data-type="text/javascript" data-category="marketing">console.log("Inline scripts are also working!");</script>
     The data-attributes (data-type and data-category) are required to get recognized by PrivacyWire. The data-attributes are giving hints, how the script shall be loaded, if the data-category is within the cookie consents of the user. These scripts are loaded asynchronously after the user made the decision.
     If you want to give the users the possibility to change their consent, you can use the following Textformatter:
         [[privacywire-choose-cookies]]
     It's planned to add also other Textformatters to opt-out of specific cookie groups or delete the whole consent cookie.
     You can also add a custom link to output the banner again with a link / button with following class:
         <a href="#" class="privacywire-show-options">Show Cookie Options</a>
         <button class="privacywire-show-options">Show Cookie Options</button>
     I would love to hear your feedback.
     CHANGELOG
     You can find the always up-to-date changelog file here.
  2. This module is very much work in progress, but I wanted to get it out as soon as it is somewhat useful, so here we go: say hi to Cookie Table. Cookie Table is essentially a module for managing a list of cookies used on a site. At least around here in Finland it is a necessity to have a list of cookies, regardless of whether they are ones that you need a specific permission for. This list should include key details about each cookie, including name, purpose, and duration. Cookie Table is used to manage this data in the admin, and once you've set up a list of cookies, you can render it on the front-end as a table:
         echo $modules->get('CookieTable')->render();
     ... or using your own custom markup:
         $cookies = $modules->get('CookieTable')->getCookies();
         foreach ($cookies as $cookie) {
             echo "Cookie name: " . $cookie['name'] . "<br>";
         }
     Now, the reason I'm saying that it's a work in progress — even though it does what I've outlined above — is that there are a lot of things I want to add still. At the moment it is mostly a tool for managing some data in the admin, which is something you could just as easily do via pages, or even simple CKEditor / TinyMCE field. What I am mostly interested in is adding some automation:
     - Crawling the site, or at least most important pages, and automatically detecting used cookies
     - Integrating the module in whatever way makes most sense with PrivacyWire
     - Integrating the module with existing cookie databases
     - Adding some way to push/pull updates via web API
     Once one or more of aforementioned features have been added, I can definitely say that this module is worth its weight 😉
     Cookie Table on GitHub
     Install via Composer:
         composer require teppokoivula/cookie-table
  3. Hi, I have clients using a ProcessWire site from within other applications (e.g. browsers in those apps). Previously the site was locked down on IP ranges and login was not required. Now that has changed and login is required. One of the clients now gets a 500 internal server error when trying to log in. I think it is related to the session cookies. This is what I've tried:
     In httpd.conf:
         Header always set Content-Security-Policy "frame-ancestors 'self' client1.domain.com client2.domain.com";
     This I can also see is set by looking at the headers. Then I'm trying to set SameSite=None, which I can't get to work. I've tried:
     In .htaccess:
         Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=None
     In site/config.php:
         ini_set('session.cookie_samesite', 'None');
     and...
         $config->cookieOptions = [
             'secure' => true,
             'samesite' => 'None',
         ];
     But the cookies still look like this:
     Does anyone have an idea why the cookie options seem to be the same, no matter how I configure the above? And do you believe I'm on the right path to solving the issue, or can it be something else? Running an old ProcessWire 3.0.123-0. Thanks
  4. Just working on a new module for a customer who is concerned about the wire frontend cookie set w/o prior consent by the user. The customer uses frontend forms which require session cookies (wire) e.g. for CSRF checks, input validation, failed attempt restrictions etc. So he wanted to show a cookie dialogue asking for consent for technical required cookies, even if this is not 100% required by the DSGVO. First used a modified PrivacyCookie module to achieve this, before I went to create a minimalistic module myself. My module hooks before page::render and adds a cookie consent dialogue which asks for consent for technical required cookies and shows an Accept/Decline button and links to imprint and privacy policy sites. My module also hooks into $config->sessionAllow and sets it to true if user gave consent, requested a backend page or a wire session already exists. This way wire cookie is only created in frontend if user gave consent. On the form page of my customers site the display and processing of the frontend form is wrapped in a $session->hasCookie() block to execute only after user gave consent. Without consent a message is shown that using the form requires cookies. By default the consent cookie is stored for 7 days if accepted, so the cookie dialogue won‘t show up on next visit unless user cleared cache. If user declined, the consent cookie expires after the browser session so the cookie banner pops up again on next browser session. So who may be using this module? Clients only using technical required cookies by default (no google fonts, youtube etc.) maybe with an optional frontend form, which are still afraid or simply want to have a cookie consent dialogue before the PW wire frontend cookie gets created. Will do some more tests and polishing, before uploading the module to my Github repository.
  5. I embed YouTube videos and Google Maps into my site in various ways. To make the site privacy compliant, I would like to display an overlay above each video and map with a button “Load content” (loads the content once) and “Always load content” (sets the corresponding PrivacyWire cookie and always loads the contents). Is there already a solution for this? What is the best way to do this?
  6. Ah, sorry to mix the two things together. The download issue was backstory on why I was looking in the console and happened to see the error found within the session cookie string. The actual question related to Tracy was how I might be able to expose that error message (from the session cookie) in a log, if at all. I was thinking it was remnant files/folders from prior module versions that were upgraded, but if they're intended to be there, then I have no need or desire to remove them. Thanks for the quick clarification there!
  7. Hi, I work for UK and EU clients. I remember about five years ago when GDPR came in there was a panic due to the potential fines and the things people did ranged from nothing at all to extreme UX disasters where the first thing you saw was a huge popup giving the user the opportunity to break the site. Since this is a legal area and I am not qualified to do so I do not give clients any advice in this area but will implement whatever kind of policy they decide on. To date many clients are happy to have a cookie notice that acts as a warning rather than manage specific cookies as it saves them disabling Google Analytics, paying for legal advice, etc. A client has raised a concern that since 2019 we should have started giving users the option to disable different types of cookies and therefore the above approach does not meet this legal requirement. Anecdotally, many small sites either do nothing at all or have a cookie warning as above. It seems to be a minority of sites, generally bigger ones, that allow for full on cookie management (i.e. blocking of non-essential cookies) and therefore are likely in a small group that are fully compliant. I've had a quick look today and am unsure on how to implement this. Am I right in saying there are two primary ways:
     1. Use a paid third-party service that scans your site for scripts that uses cookies; this handles the popup and management for you
     2. Use a jQuery/JS plugin that handles the interface but not the cookie blocking — you do this yourself
     It also looks like there is a WordPress plugin for this that WP users can use. Do these work like option 2 above or can they actually scan your site? Are there any PW or JS plugins that I should be aware of that can help me out here? I'm just after a bit of general advice from anyone who has PW sites and has implemented cookie management. Thanks.
  8. Hello all, is there a way to prevent the creation of the Processwire frontend Cookie wire until the user has confirmed/opt-in to allow technical required Cookies? Not too sure, if the wire Cookie is technical really required for PW to do it‘s job (show frontend stuff, remember layout etc.). In Germany it‘s still a bit fuzzy, what technical required means to a lawyer. So ideally there shouldn‘t be set any Cookie without opt-in by the frontend user, unless it is really technical required. Can anybody shine some light on this aspect? For what is the wire Cookie used in the frontend layer, or in other words technical required by the PW frontend? What parts - except admin/backend - of PW wouldn‘t work without that cookie? Looking forward for some hints on that topic.
  9. Hello Fire, I can see you've put a lot of effort in helping to solve this so thanks for that, here is all the data from Firefox debugger:
     Headers Response:
         HTTP/2 504
         server: nginx
         date: Wed, 23 Apr 2025 14:56:32 GMT
         content-type: text/html
         content-length: 160
         X-Firefox-Spdy: h2
     Request Headers
         POST /control/page/edit/?id=1&InputfieldFileAjax=1 HTTP/2
         Host: poeshappyplace.co.uk
         User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
         Accept: */*
         Accept-Language: en-GB,en;q=0.5
         Accept-Encoding: gzip, deflate, br, zstd
         X-FILENAME: Untitled-2.png
         X-FIELDNAME: upload
         Content-Type: application/octet-stream
         X-TOKEN1027973821X1745402814: siSF1CH8q.0WZrbaHLdq0L0z.LhNvGRm
         X-REQUESTED-WITH: XMLHttpRequest
         Content-Length: 17481650
         Origin: https://poeshappyplace.co.uk
         Connection: keep-alive
         Referer: https://poeshappyplace.co.uk/control/page/edit/?id=1
         Cookie: pagelist_open=JSON%5B%221-0%22%5D; wires_challenge=Fe1sdoBFEE6xRXKvRdBmNztesp%2FtkiDf; wires=659c1ebb45dd2830f72c4db8969fc57f; cpsession=%3aoH5Knnk_sYcRqUrk%2c8bdec0a2f45dd7304be705768bc383a6; timezone=Europe/London
         Sec-Fetch-Dest: empty
         Sec-Fetch-Mode: cors
         Sec-Fetch-Site: same-origin
         TE: trailers
     Stack Trace
         uploadFile https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:8629
         traverseFiles https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10645
         InitHTML5/initHTML5Item/< https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10818
         (Async: EventListener.handleEvent)
         initHTML5Item https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:10765
         InitHTML5/< https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:4113
         each https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:4048
         each https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:1235
         InitHTML5 https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:4034
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Inputfield/InputfieldFile/InputfieldFile.min.js:1:13726
         fire https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:43765
         fireWith https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:44935
         ready https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:47825
         completed https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:48339
         (Async: EventListener.handleEvent)
         jQuery.ready.promise https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:48608
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:49098
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:261
         <anonymous> https://poeshappyplace.co.uk/wire/modules/Jquery/JqueryCore/JqueryCore.js:1:272
     Seems like it's timing out after the download, at which point I assume it's doing the database interaction. It doesn't write an error to any of the logs, it just times out. One host has confirmed that they are receiving a "ReceiveAckHdr: timeout 300 is exceeded" error in their logs. Their ReceiveAckHdr is set to 5 minutes, which I would have thought would be more than enough. I can confirm this, as in developer tools I can see that https://poeshappyplace.co.uk/control/page/edit/?id=1&InputfieldFileAjax=1 sits there for about five minutes before returning a 501 timeout error. I hope this helps, and if you require any further information to debug this, thank you for helping me with this. Thanks, Mark.
  10. hi .. Unable to log into ProcessWire admin dashboard. After submitting valid credentials, the URL changes to /dashboard, but the login form reloads without errors. The system throws:
          ProcessLogin: This request was aborted because it appears to be forged.
      Observed Behavior:
      - No error messages (e.g., "wrong password").
      - CSRF token validation failure (request appears forged).
      - Login form reloads instead of redirecting.
      Environment Details:
      - PHP Version: 8.2
      - Server: plesk with custom .htaccess.
      Key Configurations Checked:
      config.php:
          $config->sessionCookieSecure = true;
          $config->sessionCookieDomain = '.alfalgroup.com';
          $config->protectCSRF = true;
          $config->debug = true;
      .htaccess:
      - Custom rules overriding session/cookie security.
      - Headers unsetting cookies (Header unset Set-Cookie).
      - PHP directives forcing insecure cookies (session.cookie_secure 0).
      Steps Taken So Far:
      - Cleared sessions/caches (site/assets/sessions/, site/assets/caches/).
      - Updated .htaccess to enforce HTTPS and remove conflicting directives.
      - Verified file permissions (755 for directories, 644 for files).
      - Temporarily disabled CSRF protection ($config->protectCSRF = false), but issue persists.
      how fix please
  11. I'm not sure in which cases specifically, but the menu sometimes needs a cookie/cache reset as well. I'm always using Tracy Debugger for that:
  12. The error message in the session cookie will be displayed in the console results pane on page reload - it's not logged because it will only ever be populated from code that is run in the console panel.
  13. @BrendonKoz - the tracyCodeError cookie is only ever set by the Console Panel so I think that might not be related at all to the download issue. In fact I am not sure Tracy will be able to help you with that because the html download attribute isn't PHP. Or am I missing something? As for the tracy-2.x folders - each is a different version depending on the version of the PHP you are running: https://github.com/adrianbj/TracyDebugger/blob/d48ebdc0d962c34042651f82b388df93e872ab81/TracyDebugger.module.php#L355-L366 You can delete the unused ones if you want, but they'll just come back next time you update Tracy. May I ask why you want to delete them?
  14. Hi all, Introducing a new GDPR Cookie Management Banner module.
      https://github.com/adrianbj/CookieManagementBanner
      https://modules.processwire.com/modules/cookie-management-banner/
      This module was sponsored by VentureWeb in Squamish, BC, Canada. I converted a Drupal module written by Oliver Walker from VentureWeb into what you see here. The Drupal module requires jQuery so at the moment, this module also requires jQuery. I will probably remove this sometime soon. This module certainly has similarities to MarkupCookieConsent but provides the user with the following features:
      - The user can accept all cookies or they can choose to not accept tracking/marketing cookies.
      - Module config options allow you to:
        - define all text and button labels (multi-language support)
        - manually increment the cookie policy version which forces the user to review their consent again
        - select whether users can manage their cookies, or just accept all
        - option to limit display of banner to users only in European Union (by IP address)
        - position selection (top or bottom overlay, or content pushed down from the top)
      - It comes with basic default styling which is easily overwritten by site CSS
      - The module sets various values to the dataLayer array which works together with Google Tag Manager - please read through the code in /assets/js/CookieManagementBanner.js to get a better idea of how this works and what is made available for GTM.
      You can wrap your tracking/marketing cookie code in a check for the localstorage key of: pwcmbAllowCookies
          if (localStorage.getItem('pwcmbAllowCookies') == 'y') {
              // tracking/marketing cookie code goes here
          }
      You can also provide a link on your site (probably in the footer) like this that will allow the user to show the banner even after they have saved their preferences / accepted.
          <a href="#cookies" class="js-pwcmb-notice-toggle">Manage Your Cookies</a>
      Would love to hear feedback from anyone who gives this a go.
  15. Good day! I've got one of my sites security checked and this is the stuff (they say) I need to fix: I can see that "Domain" is set to the current domain, which makes it the same as if it was missing, but those who check do not know that. Can I remove the Domain attribute from the cookie? It seems like I can't do it via config. As far as I understood reading this, I need to add "__host-" to all the cookie names. I can rename "wire" to "__host-wire" in config, but is there a way to apply it to all cookies set by PW automatically? Or maybe I do not need it for anything but the session cookie. Can't get my head around it (( Thanks)
  16. Hi @joshua, I am getting the following error while trying to implement cookie consent for a Youtube iFrame: Uncaught TypeError: "text/javascript".poster is undefined What am I doing wrong? I tried both Ryan's TextFormatterVideoEmbed and manually adding all the attributes. All works fine but the src of the iframe is never resolved which I guess is due to the error above. Any help is appreciated thanks Edit: I am pretty sure this is caused by an error/missing semicolon in the PrivacyWire JS. Not sure how this works for anyone??
  17. I put the styles for it in the head section of my html/_main.php manually in a <style> tag. For example:
          <style>
          /* Cookie Banner */
          .show-banner>.privacywire-page-wrapper,
          .show-options>.privacywire-page-wrapper,
          .show-message>.privacywire-page-wrapper {
              position: fixed;
              left: 0;
              top: 0;
              right: 0;
              bottom: 0;
              background: rgba(0, 0, 0, 0.6);
              backdrop-filter: blur(5px);
              display: flex;
              justify-content: center;
              align-items: center;
          }
          .privacywire {
              display: none;
          }
          .show-banner .privacywire.privacywire-banner,
          .show-options .privacywire.privacywire-options,
          .show-message .privacywire.privacywire-message {
              display: block;
              position: relative;
              left: auto;
              right: auto;
              bottom: auto;
              max-width: 850px;
              padding: 2rem;
              color: #000;
              background-color: #fff;
          }
          .privacywire-page-wrapper input {
              margin-right: 0.5rem;
          }
          .privacywire-page-links {
              margin-top: 1rem;
          }
          .privacywire-buttons button,
          .privacywire-page-links a {
              margin: 0.5rem 0.5rem 0.5rem 0;
          }
          @media screen and (min-width: 992px) {
              .privacywire-buttons button,
              .privacywire-page-links a {
                  margin: 0.5rem;
              }
              /* Don't give the first button margin-left */
              .privacywire-buttons button:first-child,
              .privacywire-page-links a:first-child {
                  margin-left: 0;
              }
          }
          </style>
      So it is loaded first. That resolved it for my sites. (Also with fixed/relative notation)
  18. @sz-ligatur Most ProcessWire global config stuff is not available within the early stage of the bootup process inside $config->sessionAllow. My sessionAllow function looks as follows and works as supposed.
          $config->sessionAllow = function($session) {
              // Allow sessions in backend.
              // strpos() returns 0 for a match at the start of the URI, so compare against false.
              if (strpos($_SERVER['REQUEST_URI'], '/your_path_to_pw_backend/') !== false) return true;
              // Enable PW session in frontend if user accepted cookie consent notice.
              if (array_key_exists('pwconsent', $_COOKIE) && $_COOKIE['pwconsent'] == 'allow_necessary') return true;
              // If a PW cookie is present, session is likely already in use so we keep it.
              if ($session->hasCookie()) return true;
              // Otherwise we disable cookies in the frontend.
              return false;
          };
      I enable Cookies if request Url contains backend path (2nd line) or if a pwconsent cookie was found. This Cookie is set via my template file in case user gave his consent for using technical required cookies via module PrivacyWire. Cookies are required in frontend to protect my form (e.g. CSRF protection, etc.). As PrivacyWire uses localStorage to store users consent action, I put the following JS code at the end of my template _main.php just before closing body tag to create a Cookie in case user gave consent to technical required cookies on my site. Why? Cookies access is easier in PHP than trying to read from localStorage (e.g. via AJAX).
          <script>
          // Check if user already accepted technical required cookies.
          let json = localStorage.getItem('privacywire') || '';
          if (json) {
              const data = JSON.parse(json);
              if (data?.cookieGroups?.necessary) {
                  // (Re-)create session cookie if user agreed usage via local storage.
                  if (document.cookie?.indexOf('pwconsent=') == -1) {
                      document.cookie = 'pwconsent=allow_necessary;path=/;SameSite=Lax;';
                      setTimeout(function() { window.location = "<?=$page->httpUrl?>"; }, 0);
                  }
              } else {
                  // Avoid that user gets locked out by e.g. changing local storage values manually.
                  localStorage.removeItem('privacywire');
              }
          }
          </script>
  19. Yes, that is what I mean. But the Analytics code is not loaded until the user accepts the cookie. During this time, the cookie banner is loaded without the Google code and the "above the fold" content is also loaded without it. The Google code should be there as 2-5 rows (w/o compression) of plain text, but not as code processed by the browser. So there was no "loading". When the Google Analytics code is written in the front-end files, there is also no ProcessWire field that was/wasn't loading it. So no database interaction, no server processing time used for it. And it is not processed by the browser until the cookie banner gives the signal. If the Google Analytics code comes completely from a module and is not self-written in the source code, then yes, the loading of the site triggers the module to load the Google Analytics code (not the trigger itself), but the loading "delay" can be prevented with the template cache again. The "loading" part is 5(?) rows of plain text, which the browser does not interact with until the cookie banner says so. When you use PageSpeed, 90% of the performance problems are badly compressed images, not lazy loading (which is more or less what you describe!) and the use of wrong techniques (like non-optimized above-the-fold content).
  20. I changed my default setcookie() functions to the newly added $input->cookie method as described in https://processwire.com/blog/posts/pw-3.0.141/ Just noticed no cookies are saved when using PW's $input->cookie->set() (in template file). I am using PW 3.0.148, PHP 7.3 and testing with setcookie('test', 'test') works just fine. Tried to add age, path and domain as well, but nothing works.
          setcookie('defaultsetcookie', 'works');
          $config->cookieOptions = [
              'age' => 604800,
              'path' => null,
              'domain' => null,
              'secure' => null,
              'httponly' => false,
              'fallback' => true
          ];
          $c = $input->cookie->set('pwcookie', 'wontwork');
          print_r( $c );
          print_r( $_COOKIE );
      Output
          ProcessWire\WireInputDataCookie Object
          (
              [defaultsetcookie] => works
              [wire] => 89ortkjmq5dsgb7em2h6ljod9v
              [pwcookie] => wontwork
          )
          Array
          (
              [defaultsetcookie] => works
              [wire] => 89ortkjmq5dsgb7em2h6ljod9v
              [pwcookie] => wontwork
          )
      Any idea what is wrong? It is strange setcookie() works but PW methods won't.
  21. Hey @Sebi, I had zero problems for several months, but today a client told me that a site, that was working perfectly, suddenly stopped working. I have a SvelteKit WebApp that uses PW as API with AppApi and all other routes are working fine (status code 200, correct json) except of those called via /api/page/... The (API) webserver gives a status code 500, although outputting correct json:
          curl -v -H "Origin: https://domain.com" https://api.comain.com/api/page/touren
          * Trying XX.XX.XX.XX:443...
          * Connected to api.domain.com (XX.XX.XX.XX) port 443 (#0)
          * ALPN: offers h2,http/1.1
          * (304) (OUT), TLS handshake, Client hello (1):
          * CAfile: /etc/ssl/cert.pem
          * CApath: none
          * (304) (IN), TLS handshake, Server hello (2):
          * (304) (IN), TLS handshake, Unknown (8):
          * (304) (IN), TLS handshake, Certificate (11):
          * (304) (IN), TLS handshake, CERT verify (15):
          * (304) (IN), TLS handshake, Finished (20):
          * (304) (OUT), TLS handshake, Finished (20):
          * SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
          * ALPN: server accepted h2
          * Server certificate:
          * subject: CN=api.domain.com
          * start date: Dec 9 14:27:01 2024 GMT
          * expire date: Mar 9 14:27:00 2025 GMT
          * subjectAltName: host "api.domain.com" matched cert's "api.domain.com"
          * issuer: C=US; O=Let's Encrypt; CN=R10
          * SSL certificate verify ok.
          * using HTTP/2
          * h2 [:method: GET]
          * h2 [:scheme: https]
          * h2 [:authority: api.domain.com]
          * h2 [:path: /api/page/touren]
          * h2 [user-agent: curl/8.1.2]
          * h2 [accept: */*]
          * h2 [origin: https://domain.com]
          * Using Stream ID: 1 (easy handle 0x14c00c600)
          > GET /api/page/touren HTTP/2
          > Host: api.domain.com
          > User-Agent: curl/8.1.2
          > Accept: */*
          > Origin: https://domain.com
          >
          < HTTP/2 500
          < server: nginx
          < date: Thu, 09 Jan 2025 23:51:40 GMT
          < content-type: application/json
          < expires: Thu, 19 Nov 1981 08:52:00 GMT
          < cache-control: no-store, no-cache, must-revalidate
          < pragma: no-cache
          < x-powered-by: ProcessWire CMS
          < access-control-allow-origin: https://domain.com
          < access-control-allow-headers: Content-Type, AUTHORIZATION, X-API-KEY
          < access-control-allow-credentials: true
          < x-original-status: 200
          < set-cookie: wires=krcrpn4pn6v9pc16mbqXXXXXX; path=/; secure; HttpOnly; SameSite=Lax
          < x-frame-options: SAMEORIGIN
          < x-xss-protection: 1; mode=block
          <
          {"last_modified":1729504403,"tours":[{...}]... (json is fine)
      I tried a lot, but there is nothing in the logs indicating a solution. Maybe you have an explanation or can give me a hint? This was working perfectly fine for more than a year and suddenly stopped working, although nothing (PHP version, PW version, code) changed in the last few months (at least nothing that I am aware of). Any help is appreciated. Thanks, Flo
  22. My client wants a modal to show up on every page. But when a user clicks inside the modal -> a session-cookie is set and the modal gets a class.
          // user clicks on modal button
          $('.modal_button').click(function(){
              // 1. set PW session cookie
              // 2. toggle class
              $('.modal').toggleClass('off');
          });
      I know how to set a cookie on page-load via PW-API. But the click on the modal button does not force a page-load. So I have to set the cookie through JavaScript. Is there a way to do that?
  23. Hi all, is there an easy way to implement login and session handling that doesn't require cookies? I'm thinking about passing the session ID as a URL parameter instead of a cookie (like good old PHPSESSID) but I cannot get it working. I can easily append the URL parameter, but I cannot "restore" the session on the server. Do you think it's possible or is the cookie behaviour hardcoded in Session.php? Background: Browsers are working towards more privacy protection and banning "3rd party cookies". While this primarily targets tracking services, it applies to all sites embedded as an iframe. We are using Processwire like an iframe "Applet" for other websites and we start seeing problems (user logins reset) due to the new privacy policies. Safari has already implemented this, Chrome has scheduled this as a standard for 2022 but already has a privacy setting for this feature.
  24. Hello Everyone, For our KIT325 Cybersecurity Project, we recently checked the security of ProcessWire CMS, a system used for managing website content. We wanted to see if its default settings are secure enough based on the OWASP Top 10 standards, which are common web security guidelines. Here’s a quick look at what we found and what could be improved:
      Blocking Brute Force Login Attempts:
      - What We Found: ProcessWire does slow down login attempts if someone keeps trying the wrong password. But it only blocks based on username, not by tracking where the login attempts come from (like IP addresses).
      - Suggestion: It would be safer if ProcessWire blocked login attempts based on IP as well. Also, the system could use a response code like “429 Too Many Requests” to alert attackers that they’re being blocked.
      Session Cookie Security:
      - What We Tried: Session cookies (used to keep users logged in) seem secure, but we couldn’t fully test if they were safe from all advanced attacks.
      - Future Testing: We’d need more tools and knowledge to explore if these session cookies could ever be forged to trick the system.
      File Access Control:
      - What We Saw: Files from unpublished pages could still be accessed if someone knew the file path, which could leak private information.
      - Fix: ProcessWire should make a certain setting ($config->pagefileSecure) enabled by default to restrict file access based on page permissions. This way, only authorized users can see those files.
      HTTPS (Secure Connection) Enforcement:
      - Current Setup: ProcessWire requires HTTPS (secure connection) settings to be turned on manually in the .htaccess file, which may not be done by every user.
      - Recommendation: It would be better if HTTPS were enabled by default, so all sites are secure right from the start.
      Improving Activity Logs:
      - Missing Logs: Some important activities like content changes and role updates aren’t logged by default.
      - Suggestion: ProcessWire should add logs for these actions. This way, any unusual activity can be tracked and traced back to the user who made the changes.
      Password Rules:
      - Issue: Passwords set through the API (another way to interact with the system) might not meet the same security rules as those set in the admin panel.
      - Improvement: ProcessWire should require all passwords to meet the same standard, ideally making them at least 12 characters long and easier for users to remember.
      Overall, ProcessWire has a strong security foundation, but these adjustments could make it even safer. This experience showed us the value of secure default settings, especially for users who might not make these changes on their own.
  25. Hi, Has anyone created descriptions for the cookies set by ProcessWire for use in privacy policies? I see two at the root level -- wires and wires_challenge. Would love not to reinvent the wheel. I could turn them off on the front end for non-admin users, but would rather have them covered in case we add features later where they are needed. Thanks, Jason