Cookie consent - Find the code that is setting the Cookies in website - javascript

Hi I am using OneTrust for my Cookie Consent.
OneTrust gives you the option to block cookies before they are set by adding this code.
<script type="text/plain" class="optanon-category-C0002">
// code
</script>
How it works:
When the above code loads, JavaScript inside the tags will not run, and no cookies will be set. Then, when the Cookie Compliance code loads, if cookies for the associated group have consent, it will dynamically change the tag to: script type=text/JavaScript
My Problem:
How do i find the code where the cookies are being set? (Find the file).
If i know where the cookies are set, I can add the code to block it. But i dont seem to find them.
How do you search for them?
I can see in chrome all the cookie names but not sure where they are within the website.
The website has a CMS (DNN, Evoq).
Thanks in advance

Related

inject GA4 script in the html of a static site with javascript

I have the following situation:
a static site, only html pages
a cookie notice system, with my own cookies, accept and refuse system of cookies setup
Now I need to inject the GA4 script into the head of pages when cookies are accepted, but...
I have already made made that, by appending the script to the head and it is visible on browser, on page reload with inspect elements...and it's working perfect.
When users click on accept cookies, the cookies accept is saved on client's side, and the script is APPENDED to page.
But I need the GA4 script to be somehow INJECTED, to be visible on the source page. Like when I preview the source page in browser to have it there. I don't need it to be injected into the html file itself, but only into the browser.
I did my own research about these days, and now it's killing me, as all I could find was the append way, but that is not injecting it into the source page on browser.
Any advice or guidance would be greatly appreciated.
Note (as I have been asking all the time. I don't want to offend anyone, but that's the best way I can explain where I want to do and what):
the source page I'm talking about is when right click on browser and view source page (there is where I need the GA4 code to be inserted)
and the way I got it to work is when right click > inspect > elements tab - (there i have it now working)
Thank you!
First question would be, why do you want it to be in the actual source code? A common way of inserting these scripts is through a tag-management-solution, which basically follows similar logic as appending scripts to the page (i.e. similar to what you meant by the inspect elements route).
To answer your question;
There is an option to get it into the sourcecode, and that is by checking on the server delivering the HTML whether a user has accepted the cookies, if that is the case deliver the HTML file (or adjust the HTML) to contain the GA4 script, if the user didn't accept: deliver the page without the GA4 script.
Since you mention these are static HTML files, I assume there is no server in place where this kind of logic can be inserted. So the best option is to insert the script afterwards.
Another way would be to insert the tag by default, but disable tracking (haven't tested the below part, also, verify yourself whether in your situation this actually blocks tracking when cookies aren't accepted):
window['ga-disable-GA_MEASUREMENT_ID'] = true;
https://developers.google.com/analytics/devguides/collection/gtagjs/user-opt-out
You could try to add this in your HTML before loading the GA4 tag, similar to something like:
<script>
const gaMeasurementId = 'G-12345678'; //replace with your own MeasurementID
let cookiesDeclined = true; //default to declined cookies
document.cookie.split(';').forEach( (cookie) =>{ //loop through all cookies
const cookie_arr = cookie.split('='); //get key/value pairs for cookies
let name = cookie_arr[0]; //cookiename
let val = cookie_arr[1]; //cookieval
if(name === 'cookieConsent' && val === 'accepted' ){
cookiesDeclined = false; //set the declined status to false when user has accepted the cookies
}
})
window['ga-disable-'+gaMeasurementId] = cookiesDeclined;
//->insert ga4 tag here
</script>

Setting Cookies for A/B Testing

I am trying to set up an A/B test where the cookie will appear to 50% of the users. I have the option to place the cookie JavaScript in a field called "Head Include" of the targeted page's HTML's head, but the cookie is not appearing. The following is my script:
document.cookie = 'cname=true; Secure';
The cookie works when I place the script code in the HTML's head on the domain's site level. I have place a setting for the cookies to appear at a specific path. See following
document.cookie = 'cname=true; Secure; path=/test';
But I don't want to use the above script because I want to apply the cookie to a targeted page that will only show for 50% of targeted users and not to the site with a designated path assigned because then the cookie will show 100% of the time for that page, thus defeating the purpose of a A/B test.
My question is can a cookie be set on a specific page's HTML head and not the domain's HTML head? (Please note that names have be generalized in the code for privacy reasons)
I am still not sure if I got the problem.
You are using some kind of CMS and this CMS has the option to include scripts on a specific page ("Head include" on the target page) or an all pages ("HTML head" on domain site level). The first does not work, the latter does, but you dont want your cookie script executed on all pages.
Without seeing the generated HTML code of the (not working) target page we can't find out why its not working. If you can post a link to a prepared page (a page where the script is included and the cookie is not created) that could help to solve the problem.
Another option, without knowing the acutal problem would be shipping the script to all pages but filter the actual execution to a specific file path or url parameter. Example:
// let current = new URL(location.href); // use this to get the current url of the browser
let current = new URL('https://www.someurl.net/some_directory/some_file.ext?a=yes&b=12345'); // just an example url
if (current.searchParams.has('a') && current.searchParams.get('a') === 'yes') {
// put your cookie script here, it will be executed only if the url has an a parameter and if that parameter has the value 'yes'
}
Have a look at MDN for an overview of the properties provided by the URL class

Disable google tag manager according to the decision of single users (opt-out)

In some countries (i.e. Italy), legal requirements oblige website to provide disable/enable analytics cookies
For instance: for Google Tag Manager.
I read this post covers this "opt-in/opt-out analytics topic".
However I still have a question:
Why can't I simply read a cookie server-side which contains the user preference and if I find a given value (i.e. "disable"), set an attribute to be able to conditionally include (or not) the GTM script in my JSP page?
Just to point out, GTM is neither a tracking tool nor does it by itself set any cookies.
More programming related, the GTM code cannot disable itself based on a cookie because GTM needs to be loaded to check if a cookie exists.
Cookies are sent as part of the http request only to the domain that has set the server; GTM resides on a Google server that will not have access to the cookies set on your domain. So if an opt-out cookie is set on your domain the GTM server will not know about it.
Cookies are mostly a client-side technology; GTM interacts with cookies by injecting JavaScript into your page so that it runs in the context of your domain, and then have the script evaluate the contents of your cookie (if you set up a cookie variable or a custom script). At that point the GTM code is already loaded.
That is why you cannot use a cookie to prevent GTM from loading; however you can use a cookie to disable all tags within GTM. If that's not good enough you have to write your own logic to disable GTM conditionally (you could even write a routine in your CMS that doesn't render GTM code based on a cookie - after all that's your own domain, so cookie data is sent along the request; you just cannot expect Google to do this for you).
GTM cannot set the cookie by itself (unless you write a custom HTML tag with a script that sets cookies, which is not different from doing it via inline code), so I will assume for an example that you already a cookie called "opt-out". It does not matter what value is stored in that cookie, we will just check if it is there.
Go to GTM, to the "variables" section, click "new" and select "First Party Cookie". Name it e.g. "Opt Out Cookie" and set the name field to "opt-out". Save. Now you have a variable that checks for the opt-out cookie, returns a value if it is set and returns "undefined" if the cookie is not there.
Now go to the triggers section and create a new trigger of the type page view. Call it e.g. "Opt Out Trigger". In the "fire on" section you select the "Opt Out Cookie" variable in the first field, set "does not equal" as condition and "undefined" as value (so the trigger evaluates true when the cookie is set).
Now go through your tags and add the "Opt Out Trigger" to the tags you want to disable when the cookie is set. Save, publish.
The only caveat is that a pageview trigger might either fire on pageview, DOM ready or pageload. An exception trigger that fires on pageview will not prevent tags from firing that are set to DOM ready or pageload, so you might need multiple exceptions, one for each stage of the loading process.
In a nutshell
A Javascript/jQuery / js-cookie only solution, which "only" works partially for the case of GTM (Google Tag Manager) since it has a <noscript> implementation. See details below.
How to
HTML
<span class="js-ga-opt-out">Disable GA - Javascript solution</span>
<span class="js-ga-opt-in">Enable GA - Javascript solution</span>
Javascript
// note that setCookie(key, value) is a custom function
function optOutGoogleTracking(){
setCookie('_ga', undefined);
setCookie('optOutGoogleTracking', true);
alert('disabling GA cookies');
window.location.reload();
}
function optInGoogleTracking(){
setCookie('optOutGoogleTracking', false);
alert('enabling GA cookies');
window.location.reload();
}
$('html').on("click", ".js-ga-opt-out", function(){
optOutGoogleTracking();
});
$('html').on("click", ".js-ga-opt-in", function(){
optInGoogleTracking();
});
Google Tag Manager script
Note that the content within the <noscript></noscript> tag cannot be conditionally skipped with Javascript.
<script src="https://cdn.jsdelivr.net/npm/js-cookie#3.0.1/dist/js.cookie.min.js"></script>
<!-- Google Tag Manager -->
<noscript>
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-xxxxx"
height="0" width="0" style="display:none;visibility:hidden"></iframe>
</noscript>
<script>
if(Cookies.get('optOutGoogleTracking') === 'false') { // here is your condition
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-xxxxx');
}
</script>
<!-- End Google Tag Manager -->
My understanding is that the <noscript> tag is present for cases where Javascript is disabled. Then the tracking will be done via an iframe.
This solution is probably "good enough" for most cases though.
Is this legally compliant? Probably not.
In a nutshell:
Yes you can save this opt-in/opt-out choice on the server side, and conditionally add the GTM (Google Tag Manager) script according to the relevant attribute value within your JSP.
How to
Html
<span class="js-ga-opt-out">Disable GA - Server side solution</span>
<span class="js-ga-opt-in">Enable GA - Server side solution</span>
Javascript
function optOutGoogleTracking(){
setCookie('_ga', undefined);
// AJAX call to your web service setting the relevant cookie
$.ajax({
url: <optOutGoogleTrackingUrl>,
type: 'GET',
data: { optOutGoogleTracking: true}
})
alert('disabling GA cookies');
window.location.reload();
}
function optInGoogleTracking(){
// AJAX call to your web service setting the relevant cookie
$.ajax({
url: <optOutGoogleTrackingUrl>,
type: 'GET',
data: { optOutGoogleTracking: false}
})
alert('enabling GA cookies');
window.location.reload();
}
$('html').on("click", ".js-ga-opt-out", function(){
optOutGoogleTracking();
});
$('html').on("click", ".js-ga-opt-in", function(){
optInGoogleTracking();
});
JSP
Here we assume that you have set the value of an attribute called optOutGoogleTracking.
Where you store it is up to you, but probably at an application-level scope since it's used across all your website.
I'll assume that you have a custom JSP Tag as explained here, called allThatJazz that allows me to access this value.
<c:if test="${allThatJazz.optOutGoogleTracking==false}">
// put your Google Tag Manager script here
</c:if>
Note: I didn't implement this myself just yet

Chrome - Unable to read sessions for cross domain requests

First I'm apologizing if the title of my question is not correct or not clear. But I will explain my issue below.
Lets say I have a web application called mywebapp.com and i have a page loadjs.php. Here, I have some JS code and the content time of the file is application/javascript.
loadjs.php (mywebapp.com)
header("content-type: application/javascript")
echo "alert('some message here');";
I will use the above file in a page (index.html) of another web app as a javascript source. let's say that it is anotherwebapp.com.
index.html (anotherwebapp.com)
<html>
<head>
<script type="text/javascript" src="//mywebapp.com/loadjs.php"></script>
</head>
<body>
Some contenct here..
</body>
</html>
When this runs, there should be javascript alert as I wrote in loadjs.php (mywebapp.com).
Note:
The above is working without any issue.
My Issue:
Lets assume now I want to display this alret only for the logged in users for mywebapp.com. That means, when a user who has logged in already in mywebapp.com will see an alert when they visit anotherwebapp.com in the same browser.
So my loadjs.php file will be as below.
header("content-type: application/javascript")
if(isset($_SESSION['logged_in']) && $_SESSION['logged_in']==true)
echo "alert('some message here');";
Let's assume that $_SESSION['logged_in'] has been already set after the user login.
It was working properly in Firefox and and IE. But..
Chrome browser was not working properly.
So the reason is, chrome cannot read the session value as other browsers do.
Is there any special reason for this and is there any way to overcome this?
(Please note that the above coding sample is just an example to explain my issue.)
Looking forward to hear from you.
Session is handled server-side, so this is not a Chrome problem.
It could be a caching problem: the js file is first loaded without the alert (because the user is not logged in) but when the user logs in the js is loaded from cache and not downloaded again causing the alert to not display.
Chrome has a pretty "aggressive" caching policy, had some troubles like this before.
You should try to add a timestamp or some kind of dummy value like so that on every page reload you force the javascript file to be downloaded again
<head>
<script type="text/javascript" src="//mywebapp.com/loadjs.php?dummy=
<? echo time() ?>"></script>
</head>
I haven't been using php for quite some time so this might not work but you should get the idea
This is an interesting issue. I do not have an environment to test this right now, but the first thing I would like to do is to print the $_SESSION['logged_in'] while making a request using FF, then Chrome. If for Chrome the value is false, you have to debug why. It could be a crossdomain policy issue.
You can take a look at this: https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
Maybe you need to send this header from mywebapp.com:
Access-Control-Allow-Origin: http://anotherwebapp.com
Please also share if the js console of Chrome shows any error.
Update: the issue was due to chrome browser cookie settings dialed in to be restrictive. Go to chrome://settings/content and make sure Block third-party cookies and site data is not checked.
I had a similar issue.
The reason for your problem is:
The session ID is sent as a cookie, and since your request is cross-domain, it's considered a third party cookie by the browser. Several browsers will block third-party cookies.
The solution to your problem is
Generate the session ID on the client (in the browser), use Javascript sessionStorage to store the session ID then send the session ID with each request to the server.
Details in this article (related to XMLHttpRequest, but your issue is essentially the same): Javascript Cross-Domain Request With Session

Reading Google Analytics cookie from PHP

I'm trying to read __utma Google Analytics cookie from PHP to find out if the user is a new one or not.
My website is on www.domain.com without HTTPS
I've noticed with the chrome console that cookie domain is .www.domain.com ie with a point before the domain. Thus when I try to read cookies with php variable $_COOKIE it does not show up.
I've also notice that with a HTTPS domain, two cookies are created : one with .www.domain.com and a second one with .domain.com which can be read.
Lastly I can read .www.domain.com using Javascript but I would like to do it with PHP.
What am I missing ?
Demo page : http://gandi.buypacker.com/ga/example.php
Apparantly others have had this same issue. Someone has made a class to help parse GA cookies: https://github.com/joaolcorreia/Google-Analytics-PHP-cookie-parser
Make sure you set your cookie domain explicitly in your Google Analytics JS code:
_gaq.push(['_setDomainName', 'www.domain.com']);

Categories