An Important Update

Dear Followers Of This Blog ...

If you did not use a Blogger / Google account when you Followed this blog, years ago, you are probably not Following now . During the past...

Monday, November 03, 2014

The Google "One account" Login, And Cookie Filters

Thanks to the recently added Google "One account" login, all Blogger features are now vulnerable to "third party" cookie filters.

Long ago, many people who used Blogger would login to Blogger using a link in the navbar - or a similar Blogger login wizard.
http://www.blogger.com
Now, that login redirects to the Google "One account" login.
http://www.google.com
When referenced from a Blogger login, the latter URL becomes magnificently complex.
https://accounts.google.com/ServiceLogin?service=blogger&passive=1209600&continue=https://www.blogger.com/home&followup=https://www.blogger.com/home<mpl=start

Long ago, people who logged in to Blogger, using the Blogger login, had no need to worry about "third party" cookies and filters.

When blog owners logged in under Blogger, the dashboard worked transparently.

Everybody could use the Blogger dashboard and some Blogger features, such as full page and popup window comments, without any problems. A login cookie, created under "blogger.com", could be read under most Blogger features - such as a full page or popup window comment form, or the various Blogger dashboard components - without any thought to any "third party" cookie filters.

Not everybody understood the difference between the dashboard and blog features.

The lack of worry about "third party" cookie filters, with Blogger login, did cause some dissent. People able to use the Blogger dashboard in general, became rather skeptical, when told to allow "third party" cookies, to enable the Stats "Don't track ..." option, or maybe the embedded comment form - or various other Blogger features.

Some blog owners, when advised to change form placement, because of reader problems when publishing comments, might object because the full page or popup window form lacked features - but not all. A few objected, simply because they did not believe that cookie filters could be so capricious.

Some blog owners attributed the differences to poor design.

Occasionally, some owners would ask why the embedded comment form would be designed so negligently, to require third party cookies - as if Blogger intentionally designed their features, to make it difficult to use their service. At one time, the embedded form was re written, to use "blogger.com" content, embedded in an iframe - possibly to allow the CAPTCHA form, for embedded comments, to avoid the nefarious "third party" cookie filters.

With Google "One account", Blogger and Google, instantaneously, has made the entire Blogger service require enabling of "third party" cookies. If a login cookie is created under "google.com", it will need to be read under "blogger.com" (the Blogger dashboard utilities), "blogspot.com" (Blogger blogs, published natively), any country code aliases that might apply, and any Blogger blogs, published to custom domains.

There is no more confusion about "third party" cookie filtering, because some features may work, and other features, mysteriously, don't work. Now, all of Blogger (GMail, Picasa, YouTube, ...) will require "third party" cookies to be permitted, if a login cookie is to be consistently accessible - and all services are to work, reliably.

All problems are not caused by cookie filtering - and this expands the confusion.

Yet, "third party" cookie filters alone, do not explain all Blogger feature problems, that do involve cookies, in some way. Both the recently explored comment wizard CAPTCHA form, the interstitial warning displays, and the Reading List disappearances - all have other, complementary, issues.

Cookie filtering is just one detail, in the Blogger infrastructure - though when problems are seen, one should check and correct the filters.

Hopefully, as the need for third party cookies becomes more uniform in Blogger, everybody using Blogger can become objective enough, and stop inappropriate filtering. With third party cookie filters less critical an issue, maybe Blogger Engineers can identify the problems that they can, and should, solve.

Dude, hit me with a comment!

Angelina Lenahan said...

thanks again for such awesome information.

scrappystickyinkymess said...

I would love just a copy and paste line that would allow me to block the cookie that triggers word verification rather than number verification. Every week for YEARS I've taken part in a weekly blog hop, where probably 90% of the participants are on Blogger. Over the last month or so this whole word verification thing has cropped up and made it impossible for me to comment using my Wordpress identity. Oh sure, if I log in to Google I only have to do the number verification but I don't WANT to stay logged in to Google.

Weirdly, yesterday I had number verification (which I am able to actually read) but at some point it switched to Word verification (which I can't read without 3 or 4 attempts) - my theory is that either I made an error in typing the number and that triggered a switch to word verification OR because I was commenting on lots of blogs (and this hop has about 100 participants) that triggered the switch. In either case it would seem that blocking the cookie that tells Blogger I have made multiple comments OR made a mistake when typing the number would solve the problem. However, I am not able to create the right link that blocks the cookie in Chrome - another Google product and one I wouldn't use if Camino and the version of Safari I need hadn't become unsupported and Firefox wasn't such a hog.

I see you answering many questions regarding this issue on the forums so I am going to give it a go and ask if you have a solution. Is there a way to block the cookie, if in fact it is a cookie that is causing the problem?

Do feel free to not post the comment, and if my email appears (which it should, I think) to you then just LMK either it's hopeless or there is a solution :)

cheers

Mary Anne

Chuck Croll said...

Congrats, Mary Anne,

I just got OpenID authentication for comments working, on this blog, this week - and I think that you are the first person to comment (other than various tests).

There is no cookie that triggers "word" verification rather than "number" verification. The "word" verification CAPTCHA is the non optional CAPTCHA, that is triggered when you try to comment, and the Google login cookie can't be read by the Commenting script (or is not present, with people who do not want to stay logged in to Google).

If you don't want to stay logged in to Google, then you login using OpenID, each time that you hop to a new blog.

You see the "number" verification on blogs where the owner has enabled CAPTCHA screening. On these blogs, every visitor has to solve the "number" CAPTCHA - even those who want to stay logged in to Google.

One of the benefits of the new, non optional ("currently "word" verification) CAPTCHA is that it should enable people, who want to stay logged in to Blogger / Google, to avoid having to solve a CAPTCHA. If designed properly, the CAPTCHA should not even show up, for such people.

People who use OpenID - and who do not want to stay logged in to Google - will still see a CAPTCHA, because OpenID does not provide a cookie that can identify the reader as authenticated.

If the Commenting form was better designed, however, both people using OpenID, and people able to login to Google, should see a caption or button indicating "If you don't want to solve the CAPTCHA - but you can use Google or OpenID authentication, sign in here!".

I have not yet started to explore the possibilities of using OpenID, beyond making it work on this blog. And with your comment, I can now move forward with that project. So thank you, for your comment!

Chuck Croll said...

Angelina,

Here, I will thank you, for inspiring such awesome information.

Elizabeth said...

So...does this mean we can't get rid of the comment verification?

I don't understand all of this. :)

Chuck Croll said...

Elizabeth,

I don't think the comment verification will go away, no. However, the change that was made sometime yesterday, which is causing all of the complaints today, can maybe be corrected.

Of course, the effectiveness of any correction, by Blogger, is subject to everybody correctly maintaining their cookie filters.

http://blogging.nitecruzr.net/2014/11/the-captcha-for-anonymous-comments-isnt.html

Tech Planet said...

thanks