Usage of cookies in plugin language filter #7044

Closed
andrepereiradasilva opened this issue May 26, 2015 · 10 comments
@andrepereiradasilva
Contributor

Issue

The language filter plugin uses cookies to save the user selected language. Two things to consider:

  1. In an HTTPS only site shouldn't the language cookie be Secure and HTTP only?
  2. What if the website admin doesn't want to use the language cookie, for instance because of caching servers, since HTTP pages with cookies (especially with hashes) can be very hard to configure in caching servers? How can the language cookie be disabled, so that only the browser language/site default language is used to check the user language?

How to test

On a multilanguage website with the language filter plugin enabled, check the cookies generated. There will be two cookies (the session cookie and the user language cookie).

  1. On an HTTPS site, the language cookie is not Secure and HTTP only, like the session cookie is.
  2. There is no way to disable the language cookie in the language filter plugin (the cookie can only be set for the session or for a year).

System information (as much as possible)

Nginx 1.9.1
PHP 5.6.8
Joomla 3.4.1

@infograf768
Member

Adding a parameter to not create/use the cookie is easy.
I would not know how to make the language cookie secure on an HTTPS site.

@Bakual
Contributor

Bakual commented May 27, 2015

Making the cookie secure should be as easy as setting the secure flag in our API when creating it.

@andrepereiradasilva
Contributor Author

php setcookie has an option for that:
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )
See http://php.net/manual/en/function.setcookie.php

Also, if using SEF URLs with language code, is the cookie really needed? If not using the lang code in SEF URLs I understand why the cookie is needed, but with SEF URLs with lang code the language code always reaches the server via the SEF URL, right? Or is there another use for the cookie?

@infograf768
Member

> Also, if using sef urls with language code is the cookie really needed? If not using lang code in sef urls i understand why the cookie is needed, but with sef urls with lang code the language code always reach the server via the sef url right? Or is there another use for the cookie?

The language cookie is especially useful when Remove URL Language Code is set. Also to redirect a user after login to his site language when Automatic Language Change is set.

@Bakual
Contributor

Bakual commented May 27, 2015

> php setcookie has an option for that:

Our own API has that as well. See https://github.com/joomla/joomla-cms/blob/staging/libraries/vendor/joomla/input/src/Cookie.php#L84.

I wonder if it's needed, however. Especially on sites with mixed content you could get the issue that you browse the site in German and when you switch to the SSL content you get back to the English (or whatever) one because the cookie would be a different one.
The cookie doesn't contain any sensible data at all, so it's not like it has to be secure for that reason.
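
The flag decision debated in the comments above, as an added example that is not part of the thread and is not Joomla's code. It uses plain PHP `setcookie()` with the signature quoted earlier; the function names, the two settings passed in, and the cookie name are hypothetical.

```php
<?php
// Added example, not Joomla's code. Function names and the cookie name are hypothetical.

/**
 * Decide whether to send the language cookie and with which flags.
 *
 * @param bool $cookieEnabled  assumed plugin option; false means "never send the cookie"
 * @param bool $siteForcesSsl  assumed site setting; true when every page is HTTPS only
 * @param bool $requestIsHttps true when the current request arrived over HTTPS
 * @return array|null          flags for setcookie(), or null when no cookie should be sent
 */
function languageCookieFlags($cookieEnabled, $siteForcesSsl, $requestIsHttps)
{
    if (!$cookieEnabled) {
        return null; // caller falls back to browser language / site default language
    }
    return array(
        // A Secure cookie is never sent with plain-HTTP requests, so on a mixed
        // HTTP/HTTPS site it stays off and the HTTP pages still receive the choice.
        'secure'   => $siteForcesSsl && $requestIsHttps,
        // Assumption: no client-side script needs to read the language cookie.
        'httponly' => true,
    );
}

/** Send the cookie using the setcookie() signature quoted in the thread. */
function sendLanguageCookie($name, $langCode, $lifetime, array $flags, $path = '/')
{
    $expire = $lifetime > 0 ? time() + $lifetime : 0; // 0 = session cookie
    return setcookie($name, $langCode, $expire, $path, '', $flags['secure'], $flags['httponly']);
}

// Constructed cases: array(cookieEnabled, siteForcesSsl, requestIsHttps).
$cases = array(
    'HTTPS-only site'          => array(true, true, true),
    'mixed site, HTTPS page'   => array(true, false, true),
    'mixed site, HTTP page'    => array(true, false, false),
    'cookie disabled by admin' => array(false, true, true),
);
foreach ($cases as $label => $c) {
    $flags = languageCookieFlags($c[0], $c[1], $c[2]);
    // error_log() keeps the demo output out of the response body.
    error_log($label . ': ' . ($flags === null ? 'no cookie' : json_encode($flags)));
}

// In a web request (not on the CLI) the cookie would then be sent like this:
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $flags = languageCookieFlags(true, true, $https);
    $flags !== null && sendLanguageCookie('lang_cookie_example', 'de-DE', 0, $flags);
}
```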

@andrepereiradasilva
Contributor Author

@Bakual in my humble opinion, if a site admin makes the option to put all the site in HTTPS, regardless of whether the information is sensible or not, the cookies should respect that.

Also, it seems the language filter plugin is not using the Joomla API in that regard.
Examples:

@smz
Contributor

smz commented May 29, 2015

@Bakual I think I can fix this in #7055, in the new setLanguageCookie()... What do you think?

@Bakual
Contributor

Bakual commented May 29, 2015

@smz Let me merge the other one first. Then you can improve the setLanguageCookie method with this.

@smz
Contributor

smz commented May 29, 2015

#7061 should fix this...

@zero-24
Contributor

zero-24 commented May 29, 2015

Closing as we have a PR by @smz Thanks 😄
