Joomla and the DSGVO/GDPR - currently a hotly discussed topic, where many website operators ask themselves: Which cookies are set and which external data sources do I use?

This article explains how to find out which cookies and external data sources your website uses.

You don't use Joomla yet? No problem - the techniques described apply to all websites.


Joomla standard cookies

In the default configuration Joomla (here in version 3.8.7) sets a cookie - it is a session cookie.

How do I view the cookies?

In Chrome, click the field directly in front of the URL. In the window that opens, click "Cookies" to get a list of the cookies.

Viewing cookies in Google Chrome
Standard session cookie in Joomla!

In Firefox the whole thing is a bit more complicated: right-click in the web page, then choose "Show page information" in the popup menu. In the window that opens, switch to the "Security" tab and click the "Show Cookies" button.

Viewing cookies in Firefox

What's the point of this session cookie?

  • The session cookie assigns the viewer, or rather their browser session, a unique, randomly generated value
  • Joomla can assign the following information to this value:
    • Language - for multilingual websites (more details below)
    • Login status - set by logging in, for example to edit the website or to read content that is only accessible after logging in
  • Joomla also uses the cookie for the contact form: the form can only be sent if a session cookie is present. Spam bots that automatically send spam often do not process cookies and therefore cannot send the contact form.
Joomla! contact form - checking the session cookie

Cookie validity

The session cookie remains valid until the end of the session (closing all browser windows); such cookies are sometimes referred to as "transient cookies". Cookies that have a longer validity, and remain stored even after the browser is closed, are called "permanent cookies". Storage times differ widely: a cookie can be stored for a week, or even for years.

Login status?

If the user is not logged in, no further data is assigned to the cookie. If you log in, the cookie is assigned to the user. 

The following figure shows 2 sessions:

  1. Session of an observer, this is anonymous
  2. Session of a logged in user, userid and username have been assigned to this user.

Joomla - and many other modern website systems - work like this.

Joomla sessions in the database

Does Joomla track website visitors?

The Joomla! core with its default settings does not track visitors. Even for logged-in users the cookie is only used for the functions described above. Since the cookie is also not linked to the IP address of the page visitor and no further recordings are made, the cookie cannot be used to determine what a page visitor is doing on the site.

In order to "track" a page visitor, further aids and measures would be necessary.

Multilingualism in Joomla

For multilingual websites Joomla uses cookies to store the language.

First you will ask yourself: Why does Joomla! store the page language in a cookie?
Very simple: Joomla lets you use language-neutral URLs, from which the language cannot be derived. A prominent example is the start page; www.meinejoomlaseite123.de/blog would be another example.

In the default settings Joomla will try to show the language which is set as default in the browser. A German-speaking visitor sitting at an English-language computer/browser will probably switch the page language to German, if it is offered.

The cookie then ensures that the content of language-neutral URLs is displayed in the desired language.

By default, the session cookie is used, but you can also instruct Joomla! to set a cookie with a longer validity.

Setting the cookie validity period for saving the page language in Joomla!

In this case, another cookie is generated in which only the language is stored.

Separate cookie for storing the page language in Joomla!

Other Cookies

Further cookies can be set by extensions, templates or external data sources, which must be checked for each website in each individual case. Particular attention should be paid to the fact that certain sub-pages that call plugins or integrate external data sources may set additional cookies.

In the following example the plugin "Kickgdpr" has displayed a cookie notice. After the user has accepted the notice and clicked on the "Understand" button, the plugin saves the consent in the cookie "cookieconsent_status".

Without this cookie, the plugin would not know that the site visitor has already agreed, and would display the cookie notice again and again.

Before the privacy policy is accepted, only the Joomla standard cookie is set

If the page visitor clicks on "Understand" at the top of the banner, this is stored in a cookie:

Consent to the privacy policy is stored in a cookie

External data sources in Joomla!

What is meant by data sources?

When a web page is loaded, other files are loaded in addition to the web page document, for example:

  • Images and graphics
  • Fonts
  • JavaScript files
  • CSS files
  • Maps (for example Google Maps)
  • Tracking (for example Google Analytics or Matomo/Piwik)

These files can be located under the domain of the website, or they can be loaded from other websites. In the latter case I speak of external data sources.

Commonly used external data sources are:

  • Tracking software, such as Google Analytics or Matomo/Piwik
  • Provision of functions, for example JavaScript/CSS extensions, such as jQuery or Bootstrap, via Content Delivery Networks (CDN), such as Cloudflare or Akamai
  • Provision of fonts, for example Google Fonts
  • Provision of maps, for example Google Maps
  • Provision of booking functions, for example for hotels, doctors or hairdressers
  • Provision of advertising
  • Provision of weather and traffic information
  • Even: Provision of cookie approval banners

All these external data sources load data from external servers that are not located under your own domain. In the process, the IP address is transmitted to these external servers.

Please note that the origin of a data source (external or internal) says nothing about admissibility, declaration or approval obligation. As a rule, however, an external data source is not subject to your control and deserves your attention, among other things, because of the passing on of data. Technically speaking, external data sources also create unnecessary dependencies, because if the external data source is not available, your website may not function properly.

Whether external data sources are used in your website depends not only on the planned integrations, but also on other factors. The Joomla! core does not use any external data sources, but the standard "Protostar" template supplied with it does. Extensions can also include external data sources; sometimes you can even configure this, for example in the plugin "Kickgdpr":

In the "kickgdpr" plugin you can configure the data source

How do I recognize external data sources?

The widely used browsers Firefox and Chrome provide "developer tools" that allow easy analysis.

Press "F12" or "Ctrl-Shift-I" to open the developer tools in both browsers; data sources are displayed under the "Network..." tab. Reload the page there and set the display filter to "All".

Then, in the column "Domain" (Chrome) or "Host" (Firefox), which sometimes has to be added first, look for domains that do not correspond to the domain of the website, as shown in the following pictures as an example.

Data sources in Google Chrome

In the following example, Google Fonts are used as external data sources:

External data sources in Chrome - here with external data sources

In this example with Firefox, no external data sources are used:

Data sources in Firefox
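The same check can be automated: the "Network" tab of both browsers can save the recorded requests as a HAR file (JSON), which a script can then search for foreign hosts. The following is an added example, not part of the original article; the sample entries, "tracker.example" and the cookie names are constructed, and treating subdomains of the site as internal is an assumption.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit


def external_sources(har, site_host):
    """Map every host outside site_host to its request count and cookies set."""
    site = site_host.lower()
    if site.startswith("www."):
        site = site[4:]
    found = defaultdict(lambda: {"requests": 0, "cookies": set()})
    for entry in har["log"]["entries"]:
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        # Assumption: the site's own subdomains count as internal.
        # data: URIs have no hostname and are skipped.
        if not host or host == site or host.endswith("." + site):
            continue
        found[host]["requests"] += 1
        for cookie in entry.get("response", {}).get("cookies", []):
            found[host]["cookies"].add(cookie["name"])
    return {host: {"requests": info["requests"], "cookies": sorted(info["cookies"])}
            for host, info in sorted(found.items())}


def _entry(url, cookies=()):
    """Build one minimal HAR entry (only the fields used above)."""
    return {"request": {"url": url},
            "response": {"cookies": [{"name": n} for n in cookies]}}


# Constructed sample in HAR layout; a real export contains many more fields.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.meinejoomlaseite123.de/", ["0123456789abcdef0123456789abcdef"]),
    _entry("https://www.meinejoomlaseite123.de/css/template.css"),
    _entry("https://fonts.googleapis.com/css?family=Open+Sans"),
    _entry("https://fonts.gstatic.com/s/opensans/example.woff2"),
    _entry("https://fonts.gstatic.com/s/opensans/example-bold.woff2"),
    _entry("https://tracker.example/collect.js", ["_example_id"]),
    _entry("data:image/png;base64,AAAA"),
]}}

if __name__ == "__main__":
    # With a real export: har = json.load(open("export.har", encoding="utf-8"))
    result = external_sources(SAMPLE_HAR, "www.meinejoomlaseite123.de")
    print(json.dumps(result, indent=2))
```

Record the HAR on every sub-page that embeds plugins or maps, since those pages may load sources the start page does not.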

What about Google Analytics, Matomo/Piwik, Facebook and Twitter plugins?

Data protection declarations often state that the page uses, for example, Facebook plugins. What is such a plugin - and how do I find out if it is used?

In these cases, a plugin is code that is integrated into the website and then loads data from an external data source, for example Google or Facebook. Without this loading, the display of "121 Facebook users like this post" would not be possible, since the number of Facebook users in this example has to be determined somehow, which is why the website has to communicate with Facebook and load the data from there.

Take a look at this sample code for a Facebook plugin here.

A simple link to a URL on Facebook is not a plugin. However, plugins and links are often mixed up, and many webmasters don't know that they can download the official Facebook, Twitter, etc. logos, integrate them directly into the website as locally (internally) saved graphic files and link them accordingly.

Also, the lack of a visible data source for tracking tools such as Matomo/Piwik does not mean that log files are not evaluated in the background at web server level.

In conclusion

Whether you need to make changes to the website, whether you need to document certain facts, whether you need permission to do so, and so on: this article cannot make a statement on that. Experience has shown, however, that lawyers and data protection experts ask exactly these questions in order to then draw up a suitable data protection declaration and/or request changes.

With the methods described here I have hopefully enabled you to answer the question mentioned above: "Which cookies are set and which external data sources do I (or my website) use?"
