I had a user report and can replicate this easily. I appears at least with the combination of Firefox (mobile and desktop) and Cloudflare with guest caching. 

1. Visit site without stored cookies
2. Cookie bar appears
3. Click Accept or Reject
4. Site shows an error (2S119/1) and URL changes to mysite.com/cookies/?do=cookieConsent

I guess it has something to do with the CSFR key being cached and used for multiple users, but I have no idea how to fix this without turning off guest caching altogether. 

It would probably be a question for cloudflare that one. If its caching things we need it not to, they would at least have to not using caching on that URL

We've got an open bug report for this, it will be addressed in a future release.

Any traction on this? Not having guest caching is a huge problem.

This was addressed in 4.7.13

I still see the same behaviour in 4.7.13.

Alright, so I cleared cache + redis cache + cloudflare cache, and it seems to be working now on Edge and Chrome. I haven't tested Firefox.

 

I still see the same behaviour in 4.7.13.

Have you tried the below?

 

Alright, so I cleared cache + redis cache + cloudflare cache, and it seems to be working now on Edge and Chrome. I haven't tested Firefox.

 

Yes. 

My Cloudflare cache rules look like this:

(not http.cookie contains "ips4_member_id" and not http.request.uri contains "journal" and not http.request.uri contains "store" and not http.request.uri contains "weekly/?rss" and not http.request.uri contains "rss/" and not http.request.uri contains "login" and not http.request.uri contains "register" and not http.request.uri contains "admin" and not http.request.uri contains "modcp" and not http.request.uri contains "contact" and not http.cookie contains "ips4_IPSSessionAdmin" and not http.request.uri contains "terms")

 

Unfortunately this can only really be an issue with your cloudflare rules. The issue that was previously present can no longer be replicated

 

Yes. 

My Cloudflare cache rules look like this:

(not http.cookie contains "ips4_member_id" and not http.request.uri contains "journal" and not http.request.uri contains "store" and not http.request.uri contains "weekly/?rss" and not http.request.uri contains "rss/" and not http.request.uri contains "login" and not http.request.uri contains "register" and not http.request.uri contains "admin" and not http.request.uri contains "modcp" and not http.request.uri contains "contact" and not http.cookie contains "ips4_IPSSessionAdmin" and not http.request.uri contains "terms")

 

Here's mine for reference:

(not http.cookie contains "ips4_member_id" and not http.request.uri contains "login" and not http.request.uri contains "register" and not http.request.uri contains "app" and not http.request.uri contains "contact" and not http.cookie contains "ips4_IPSSessionAdmin" and not http.request.uri contains "terms")

Edited September 20, 20231 yr by Daddy

It would be worth checking that the 'guestTermsBar' template isn't modified in your theme. We changed the buttons into a form, so it sends a POST when either are clicked. It works in exactly the same way as any other form does for guests, fetches the appropriate CSRF key on submission.

Those templates are fine. I can change the cache rules to exclude all /index.php URLs. That saves the cookies.

 

But I actually found another issue that happens independent of the browser and Cloudflare: When the cookies are accepted on the homepage, it doesn’t forward to the original page but stays at an empty page. I tested it on all my sites and it consistently happens on the ones who have the Discover Feeds as the homepage. 

The browser URL looks like this and stays on this page:

…index.php?app=core&module=system&controller=cookies&do=cookieConsentToggle&ref=aHR0cHM6Ly9zaW5nLnNhbG9u&csrfKey=1303e7ac90e8001c72…

It doesn’t happen on my sites that have the Forums or Pages as the homepage. It also doesn’t happen for a specific subfeed like /discover/6, but only if I am on /. You can test this easily on my sites with the .guru and .salon domains. I keep Cloudlare page rules off for the time being.