A lot of you are probably aware of the new EU privacy law, but for those who are not, it basically means no site operated by a company resident in the EU can set cookies classed as 'non-essential to the operation of the website' on a visitors machine unless given express permission to do so.

So, the question becomes how to best deal with this?

Browsers obviously have the ability to block cookies from a specific website built in to them. My question is, is there a way of doing something similar using JS or PHP?

i.e. intercept any cookies that might be trying to be set (including 3rd party cookies like Analytics, or Facebook), and block them unless the user has given consent.

It's obviously possible to delete all cookies once they have been set, but although this amounts to the same thing as not allowing them to be set in the first place, I'm guessing that it's not good enough in this case because it doesn't adhere to the letter of the law.

Ideas?

I'm pretty interested in this answer too. I've accomplished what I need to accomplish in PHP, but the JavaScript component still eludes me.

Here's how I'm doing it in PHP:

$dirty = false;
foreach(headers_list() as $header) {
    if($dirty) continue; // I already know it needs to be cleaned
    if(preg_match('/Set-Cookie/',$header)) $dirty = true;
}
if($dirty) {
    $phpversion = explode('.',phpversion());
    if($phpversion[1] >= 3) {
        header_remove('Set-Cookie'); // php 5.3
    } else {
        header('Set-Cookie:'); // php 5.2
    }        
}

Then I have some additional code that turns this off when the user accepts cookies.

The problem is that there are third party plugins being used in my site that manipulate cookies via javascript and short of scanning through them to determine which ones access document.cookie - they can still set cookies.

It would be convenient if they all used the same framework, so I might be able to override a setCookie function - but they don't.

It would be nice if I could just delete or disable document.cookie so it becomes inaccessible...

EDIT: It is possible to prevent javascript access to get or set cookies.

document.__defineGetter__("cookie", function() { return '';} );
document.__defineSetter__("cookie", function() {} );

EDIT 2: For this to work in IE:

if(!document.__defineGetter__) {
    Object.defineProperty(document, 'cookie', {
        get: function(){return ''},
        set: function(){return true},
    });
} else {
    document.__defineGetter__("cookie", function() { return '';} );
    document.__defineSetter__("cookie", function() {} );
}

I adapted Michaels codes from here to come up with this.

Basically it uses the defineGetter and defineSetter methods to set all the cookies on the page and then remove the user specified ones, this role could of course also be reversed if this is what you are aiming for.

I have tested this with third party cookies such as Google Analytics and it appears to work well (excluding the __utmb cookie means I am no longer picked up in Google Analytics), maybe you could use this and adapt it to your specific needs.

I've included the part about if a cookies name is not __utmb for your reference, although you could easily take these values from an array and loop through these that way.

Basically this function will include all cookies except those specified in the part that states if( cookie_name.trim() != '__utmb' ) { all_cookies = all_cookies + cookies[i] + ";"; }

You could add to this using OR or AND filters or pull from an array, database, user input or whatever you like to exclude specific ones (useful for determining between essential and non-essential cookies).

function deleteSpecificCookies() {

var cookies = document.cookie.split(";");
var all_cookies = '';

    for (var i = 0; i < cookies.length; i++) {

        var cookie_name  = cookies[i].split("=")[0];
        var cookie_value = cookies[i].split("=")[1];

        if( cookie_name.trim() != '__utmb' ) { all_cookies = all_cookies + cookies[i] + ";"; }


    }

if(!document.__defineGetter__) {

    Object.defineProperty(document, 'cookie', {
        get: function(){return all_cookies; },
        set: function(){return true},
    });

} else {

    document.__defineGetter__("cookie", function() { return all_cookies; } );
    document.__defineSetter__("cookie", function() { return true; } );

}

}

You can not disable it completely but you can override the default setting with .htaccess

Try

 SetEnv session.use_cookies='0';

If it is optional for some users don't use .htaccess

if(!$isAuth)
{
    ini_set('session.use_cookies', '0');
}

A little bit old but I think you deserve a answer that works:

Step 1: Don't execute the third party script code.

Step 2: Show the cookie banner.

Step 3: Wait until user accepts, now you can execute the third party script code..

Worked for me.

How about not paying attention to hoaxes?

Aside from the fact that this is old news, the text clearly says that it only applies to cookies that are not essential to the site's function. Meaning session cookies, a shopping basket, or anything that is directly related to making the site work is perfectly fine. Anything else (tracking, stats, etc.) are "not allowed" without permission.