How to disable cookies in a generic way till cookies are accepted by user

Question

Is there a fancy way to disable cookies untill the user accepts them?

Following Problem: I have a webshop which uses quite a lot cookies and in order to be GDPR conform we need to "disable" cookies untill the user has accepted them. I do not want to rewrite the whole shop system and therefore I am searching for a generic solution.

My aproach is:

• unset all set-cookie headers sent by our server (via nginx or php)

But there are still some problems:

• how can I prevent external sites from setting cookies without completely removing them (bing, google, fb, ..)
• how can I prevent javascript from setting cookies without modifying all javascript sources (is it possible to override the browser functions so you can't set cookies via JS)

Answer 1

If GDPR compliance is your concern, just removing cookies won't be enough. You need to disable any tracking scripts collecting personally identifiable information (PII).

I recommend moving all tracking scripts to Google Tag Manger, and using the methods outlined by Simo Ahava. Guide 1 and Guide 2. His methods don't work great for tracking tags that aren't Google, but with a custom trigger you can stop anything.

That being said, if you do just want to remove cookies, this should do it.

function deleteCookies() {
    var theCookies = document.cookie.split(';');
    for (var i = 0 ; i < theCookies.length; i++) {
        document.cookie = theCookies[i].split('=')[0] + '=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
    }
}

Answer 2

For disabling JS-Cookies you may use:

if(!document.__defineGetter__) {
Object.defineProperty(document, 'cookie', {
    get: function(){return ''},
    set: function(){return true},
});
} else {
    document.__defineGetter__("cookie", function() { return '';} );
    document.__defineSetter__("cookie", function() {} );
}