Remove forum.safedev.org cookies and tracking #38

Open
S-Coyle opened this issue Aug 27, 2018 · 7 comments

S-Coyle commented Aug 27, 2018

Latest report on cookies and tracking attached - note that the cookies and tracking from hub.safedev.org will be removed as part of issue #35:
webscan for safedev.org_27_08_2018,11_09_18.xlsx

@nadiaburborough

@S-Coyle as #35 is resolved, are you happy that this task is also resolved?

S-Coyle commented Sep 5, 2018

@nadiaburborough No, this issue is not resolved - there are still cookies & tracking on forum.safedev.org, which this issue relates to, while #35 relates to hub.safedev.org.

The forum runs on Discourse, which has essential cookies in order to operate; see https://meta.discourse.org/t/list-of-cookies-used-by-discourse/83690. I know @dugcampbell was looking into this a bit more.
Also note that as it is a forum, some user posts have resulted in cookies/tracking - e.g. users have added YouTube videos to posts, which results in YouTube cookies.

@nadiaburborough

Ah! Thanks @S-Coyle, I misread the title - I saw safedev and interpreted it as DevHub! Good to know DevHub is sorted. Cheers

@david-maidsafe

@S-Coyle, @nadiaburborough & @frabrunelle - I wouldn't consider this as an issue with DevHub and rather a "thing" with the forum. Am I barking up the wrong tree here?

S-Coyle commented Mar 20, 2019

Been doing a fair bit of digging on this today along with @victoriarussell.
Nearer the time that this issue was raised, the team disabled as many cookies as they could through Discourse.
Scans today have given the following results:

  • hub.safedev.org - no cookies or tracking
  • forum.safedev.org - no cookies or tracking.

However, we also ran a scan on the whole safedev.org domain and it reported finding a _cfduid cookie. This type of cookie is from Cloudflare, which is used on the forum. Strange that scans of the forum itself are not reporting it though. We are investigating further.

On manually checking forum.safedev.org we noticed 2 session cookies which are created when a user logs in, and are needed for switching from page to page as a logged-in user. These cookies are:

  • _forum_session
  • _t

We found no other cookies.

@victoriarussell

I have asked Francis to remove the _cfduid cookie as he can do the redirect with Discourse itself instead of CloudFlare, that way this cookie wouldn't be there.

I have asked Discourse what kind of cookie the _t one is. I think it is a persistent one but want to double check.

@victoriarussell

This is on hold for a short while as Francis advised the following:

I just remembered why I had used CloudFlare for the redirect. It's because otherwise it's challenging to do the redirect via HTTPS because I would have to configure another SSL certificate for the domains/subdomains that are being redirected (e.g. https://safedev.org and https://www.safedev.org). It's simpler to just use CloudFlare. I don't think simply following the steps in the post I previously linked will work for redirecting from safedev.org to forum.safedev.org because the browser would expect an SSL certificate for safedev.org. I found another post that explains how to add multiple SSL certificates so that could potentially work: https://meta.discourse.org/t/setting-up-let-s-encrypt-with-multiple-domains/56685

I don't have the time to try this right now since I'm leaving for San Francisco tomorrow. But I should be able to do it when I get back home later next week.
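
The manual check described in the thread (which cookies are set, whether each is a session or persistent cookie, and whether it is on the essential list) can be repeated against captured `Set-Cookie` headers. The following is an added example, not part of the original thread or the project's code; the header values, lifetimes and domain scope in `SAMPLE_HEADERS` are constructed for illustration and do not describe what Discourse or Cloudflare actually send.

```python
from http.cookies import SimpleCookie

# Cookies the thread identifies as needed for a logged-in forum session.
ESSENTIAL = {"_forum_session", "_t"}


def audit_set_cookie(headers, essential=ESSENTIAL):
    """Classify each Set-Cookie header value by lifetime, scope and allow-list status."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # A cookie with neither Expires nor Max-Age ends with the browser session.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            findings.append({
                "name": name,
                "lifetime": "persistent" if persistent else "session",
                # No Domain attribute means the cookie is bound to the exact host.
                "domain": morsel["domain"] or "(host-only)",
                "essential": name in essential,
            })
    return findings


def unexpected(findings):
    """Names of cookies that are not on the essential allow-list."""
    return sorted(f["name"] for f in findings if not f["essential"])


# Constructed sample headers (assumed values, not captured from the real site).
SAMPLE_HEADERS = [
    "_forum_session=abc123; Path=/; HttpOnly; Secure",
    "_t=def456; Path=/; Max-Age=5184000; HttpOnly; Secure",
    "_cfduid=0123abcd; Domain=.safedev.org; Path=/; "
    "Expires=Thu, 19 Mar 2020 10:00:00 GMT; HttpOnly",
]

if __name__ == "__main__":
    results = audit_set_cookie(SAMPLE_HEADERS)
    for f in results:
        print(f"{f['name']:<16} {f['lifetime']:<11} {f['domain']:<14} "
              f"{'essential' if f['essential'] else 'REVIEW'}")
    print("not on allow-list:", unexpected(results))
```

Feeding it the real `Set-Cookie` values copied from the browser's network panel for both safedev.org and forum.safedev.org shows, per cookie, the lifetime and the domain it is scoped to.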
