How to disable cookies in a generic way till cookies are accepted by user

Is there a fancy way to disable cookies until the user accepts them?

The problem is the following: I have a webshop which uses quite a lot of cookies, and in order to be GDPR compliant we need to "disable" cookies until the user has accepted them. I do not want to rewrite the whole shop system and therefore I am searching for a generic solution.

My approach is:

  • unset all set-cookie headers sent by our server (via nginx or php)

But there are still some problems:

  • how can I prevent external sites from setting cookies without completely removing them (bing, google, fb, ..)
  • how can I prevent javascript from setting cookies without modifying all javascript sources (is it possible to override the browser functions so you can't set cookies via JS)

If GDPR compliance is your concern, just removing cookies won't be enough. You need to disable any tracking scripts collecting personally identifiable information (PII).

I recommend moving all tracking scripts to Google Tag Manager, and using the methods outlined by Simo Ahava. Guide 1 and Guide 2. His methods don't work great for tracking tags that aren't Google, but with a custom trigger you can stop anything.

That being said, if you do just want to remove cookies, this should do it.

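function deleteCookies() {
    // document.cookie is a single "name=value; name2=value2" string
    var theCookies = document.cookie.split(';');
    for (var i = 0; i < theCookies.length; i++) {
        // Expire each cookie by name; this only removes cookies whose path is / on the current host
        document.cookie = theCookies[i].split('=')[0].trim() + '=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
    }
}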


For disabling JS-Cookies you may use:

if (!document.__defineGetter__) {
    Object.defineProperty(document, 'cookie', {
        get: function() { return ''; },
        set: function() { return true; }
    });
} else {
    document.__defineGetter__("cookie", function() { return ''; });
    document.__defineSetter__("cookie", function() {});
}


My approach (not entirely an answer to your question, but perhaps an alternative to your question) is to tell the users that my site has cookies, and they have to 'deal with it' if they want to continue to use my site. Of course, this may not work for your site.

I put a notice at the top (with code from as a start), which will show on all pages until they accept (explicit consent from them).

You could use a button to delete all cookies, but then you can't use my site until you accept them again. But that protocol will keep me in compliance.


  • How is google, bing, etc. setting cookies on your site?
  • e.g.: adform (an ad-network) is setting cookies via set-cookie header in xhr requests
  • I think bing and google are setting them via javascript
  • JS solution:
  • Thanks for your answer. My approach is now to wrap all tracking scripts and add them to a job queue. When the user accepts cookies I execute the jobs in the job queue. But yes... I also thought of GTM, but the problem in my case was that the PHP module is rendering the javascript (setting product id, quantity, ...) and therefore I would have to move that logic to javascript
  • Nice. But any idea how to enable them again after this?
  • You may store the original getter and setter functions in a variable, and when you enable them again you could set the getters and setters to the original functions, or you simply reload the page and do not override the functions again
  • I tried to make it work with the variables, but somehow it didn't want to. So I used the latter solution. Thanks!
  • Yes, that's our current solution before GDPR. But this solution is not entirely GDPR compliant because you store cookies BEFORE the user accepts them, even if the user does not realize this because you delete the cookies afterwards
  • The code used in the reference site displays the 'OK' button, but does not store the cookie until visitor clicks 'ok'. And will continue to display the GDPR message until visitor clicks 'ok'. So the code is GDPR-compliant (IMHO), unless you are storing other cookies in your pages.
  • Ah ok... I thought you are storing the cookies at the beginning and if he declines them you delete them
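
The `document.cookie` override from the answer above, combined with the job queue and the "enable them again" step discussed in the comments, as an added example that is not code from any of the posters. `createConsentGate`, `makeFakeDocument` and `demo` are hypothetical names; the sketch assumes, as in current browsers, that the native `cookie` accessor is inherited from the document's prototype, so deleting the shadowing property restores it.

```javascript
// Added example: block script-set cookies until consent, queue tracking jobs.
// createConsentGate and its method names are hypothetical, not a browser API.
function createConsentGate(doc) {
  const queue = [];
  let consented = false;

  // Shadow the inherited cookie accessor with an own property on this object.
  // configurable: true is what makes the later `delete` (restore) possible.
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return ''; },           // scripts see no cookies
    set(_value) { /* dropped */ },  // writes are silently discarded
  });

  return {
    // Wrap a tracking snippet: runs now if consent exists, else on accept().
    defer(job) {
      if (consented) job(); else queue.push(job);
    },
    accept() {
      if (consented) return;
      consented = true;
      delete doc.cookie;            // un-shadow: prototype accessor is live again
      while (queue.length) queue.shift()();
    },
    pending() { return queue.length; },
  };
}

// Constructed stand-in for a browser document so the example runs under Node:
// the cookie accessor lives on the prototype, not on the object itself.
function makeFakeDocument() {
  const jar = [];
  const proto = {
    get cookie() { return jar.join('; '); },
    set cookie(v) { jar.push(String(v).split(';')[0]); },
  };
  return Object.create(proto);
}

function demo() {
  const doc = makeFakeDocument();
  const gate = createConsentGate(doc);
  doc.cookie = '_early=1; path=/';                     // blocked before consent
  gate.defer(() => { doc.cookie = '_track=abc; path=/'; });
  const before = doc.cookie;                           // still empty
  gate.accept();
  return { before, after: doc.cookie, pending: gate.pending() };
}
```

In a page this would be called as `createConsentGate(document)` before any tracking script runs. It only governs script access in that document: cookies delivered by `Set-Cookie` response headers (the XHR case mentioned in the comments) and cookies set inside third-party frames are not affected.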