2

For advertising consent management we're looking at starting to use Google Funding Choices, but have found that the Funding Choices tag results in a weird cookie named "FCCDCF" being handed to the browser (on a test instance of our site - this hasn't gone live yet). The cookie data is somewhat odd too, possibly malformed: ["AKsRol-_Joh_37zZXODIWUr6g9_v3puYlD6kBYC50uYqE-PvJ2hCRtV9GY9Zbx4u1bqRt-Z5u2FjQYF209zdntY0tJfDYlxi9WEjlTgf-o3B2Cc0xt-gYmh0G7zv3Ra7uJDxyz5-tN8tUXNCNef1cgm15_iL6dkS1A=="],null,["[[],[],[],[],null,null,true]",1597688653715]]

This cookie is causing some other (live) sites of ours to fail with 500 errors. I'm thinking that because of the embedded quotes and other nonalphanumeric symbols it's screwing up some cookie-reading code. I have found virtually nothing about this issue online and nothing in the Funding Choices API docs. The closest thing to a mention of it is some cookie tracking sites that list it in ways that suggest it's spammy/scammy.

What's going on here? Anybody else using Google Ad Manager and Funding Choices and seeing this? I could add some code to delete it, but I'm wondering if it is something Funding Choices is expecting to see. But if so why is it so problematic to other code? Seems like a big fail on Google's part.

steev
  • 916
  • 10
  • 24

3 Answers3

2

It is the response to consent or funding choices, and contains the choices with vendors choices for TCF v2.

What I have found is that the second base64 value contains TCF v2 consent string. https://iabeurope.eu/tcf-2-0/

Your particular cookie seems to only contain the google part, but there is a TCF v2 part after the unixtime, this can be decoded using: https://www.consentstringdecoder.com/

frantic.illusion
  • 21
  • 1
  • So, what exact substring (from the question's cookie string) should I paste into consentstringdecoder.com? I keep getting `Error: Unsupported transparency and consent string version` whatever substring I try. Thanks! :-) – Nicolas Raoul Aug 18 '20 at 08:28
  • After the unixtime there is an base64 value. > null,null,true]",1597688653715],[BASE64.... this whole string should be pasted into tcfv2 .. if you do not have this part it might be because tcfv2 is missing on your funding choices – frantic.illusion Aug 18 '20 at 10:21
  • Thanks, @frantic.illusion, this is somewhat useful, but I'd still like to know why google is issuing malformed, non-standard cookies. (I would guess the reason my TCF string in my example is blank is because i wasnt issued the consent message (because i'm not in EU). But I am using an adblocker, so FC issued the cookie to track my choice there. ) – steev Aug 18 '20 at 18:37
  • The other thing is that using Google's Funding Choices API you can also get the contents of the user's TCFv2 consent choices, as well as other consent choices, etc. https://developers.google.com/funding-choices/fc-api-docs - that's not really the issue of my OP tho. the issue is - why is their cookie breaking my older cookie-reading code? – steev Aug 18 '20 at 18:41
  • Not sure why it breaks your code, but I personally do not find anything malformed or incorrect about it, as cookie content could be more or less anything, and if you "parse" any cookie that is sent in you might have a security issue in your code. The reason i searched for FCCDCF, is because currently the API does not work, and returns 0 Unknown for consent, it works for adblock state though. – frantic.illusion Aug 19 '20 at 09:09
  • The cookie value is a JSON object with unescaped characters that should be escaped. I think what's happening is that this older code i'm dealing with is reading it as plain text and hence mis-parsing the whole Set-Cookie header. I can only guess that it's probably causing similar problems for others. – steev Aug 21 '20 at 16:22
2

When total cookie size of your domain exceeded (apache default size limit 8K), pages can result with 500 error code.

FCCDCF cookie sometimes has a huge value which can cause the issue described above.

I catched a sample value of FCCDCF cookie:

FCCDCF=[null,null,["[[],[],[],[],null,null,true]",1636126891750],["CPOzb9QPOzb9QEsABBENByCoAP_AAH_AACaIH7Nf_T7dbS9C-v59f_skeYxfVni1puQxBheFN2MFyJOQdBQGkmEzNA3oJCQCCBggITbBAQNsHEkACUkhYIlRABFMYAUMLAJIIAAAgGEIeUYYAAAOiIAAcZKZBwCXEFQpnzizBItKShAABADAAAAICAIgAIkBghACEAQABAAAASAQP2Yv-F262l6E8fjSefZI0Ri-rOErRcBiDCMKTsYBEScg6AgNIIJmABtQQEgEEDBAQmwCAgYQAJIAApJCwRKiACCQQAgQUAQQQAABAIIQ8oAwAAAdEQAAoCUyCgAOAIhTClAkCRaUlCAAAAGAAAAQEABAARIDBAAEIAgAAAAAAEAgAA","1~2052.2056.2064.20.2068.2070.2072.2074.2084.39.2088.2090.43.46.2103.55.57.2107.2109.61.66.2115.70.2124.2130.83.2133.2137.89.2140.93.2145.2147.2150.108.2156.117.2166.122.124.2177.131.2179.135.2183.136.2186.143.144.147.149.2202.2205.159.162.167.2216.171.2219.2220.2222.2224.2225.2234.192.196.202.2253.211.2264.218.228.230.2279.2282.239.241.2292.2299.253.2305.259.2309.2312.266.2316.272.2325.2328.2331.2334.286.2335.2336.2337.291.2343.2354.2357.2358.2359.311.317.2366.2370.322.323.2373.326.327.2376.2377.338.2387.2392.2394.2400.2403.2405.358.2407.2411.2414.367.2416.2418.371.2425.2427.385.389.2440.394.397.2447.2453.407.2459.2461.413.2462.415.2468.2472.424.2477.430.2481.2484.436.2486.2488.440.2492.2493.445.2496.2497.449.2498.2499.453.2506.2510.2511.2517.2526.2527.482.2532.2534.486.2535.491.2542.494.495.2544.501.503.2552.505.2555.2559.2563.2564.2567.2568.2569.522.2571.523.2572.2575.2577.2583.2584.540.2589.2595.2596.2597.550.2601.2604.2605.559.2608.2609.2610.2612.2614.568.2621.574.576.2628.2629.584.2633.2634.587.2636.591.2642.2643.2645.2646.2647.2650.2651.2652.2656.2657.2658.2660.2661.2669.2670.2677.2681.2684.2686.2687.2690.2695.2698.2707.2713.2714.2729.2739.2767.2768.2770.2771.2772.733.2784.737.2787.2791.2792.745.2798.2801.2805.2812.2813.2814.2816.2817.2818.2821.2822.2824.2827.780.2830.2831.2832.2834.787.2836.2838.2839.2840.2844.2846.798.2847.2849.2850.802.2851.803.2852.2854.2856.2860.2862.2863.2865.817.2867.820.2869.821.2873.2874.2875.2876.829.2878.2879.2880.2881.2882.2883.2884.2886.2887.839.2888.2889.2891.2893.2894.2895.2897.2898.2900.2901.2908.2909.2911.2912.864.2913.2914.867.2916.2917.2918.2919.2920.2922.874.2923.2924.2927.2929.2930.2931.2935.2939.2940.2941.2942.2947.899.2949.2950.904.2956.2961.2962.2963.2964.2965.2966.2968.2970.922.2973.2974.2975.2979.931.2980.2981.2983.2985.2986.938.2987.2991.2993.2994.2995.2997.2999.3002.3003.3005.3008.3009.3010.3011.3012.3016.3017.3018.3019.3024.3025.979.981.3030.985.3034.3037.3038.3043.3044.3045.3048.1003.3052.3053.3055.3058.3059.3063.3065.3066.3068.3070.1024.3072.3073.3074.1027.3075.3076.3077.3078.1031.1033.1034.1040.3089.3090.3093.1046.3094.3095.3097.1051.3099.3100.1053.3104.3106.3109.3111.3112.1067.3116.3117.3118.3119.3120.3121.3124.3126.3127.3128.3130.1085.3135.3136.1092.1095.1097.3145.1099.3149.3150.3151.3154.1107.3155.3159.3162.3163.3167.3172.3173.1127.3180.1135.3184.3185.3187.3188.3189.3190.1143.3194.3196.1149.3197.1152.1162.1166.1186.1188.1192.1201.1205.1211.1215.1220.1226.1227.1230.1252.1268.1270.1276.1284.1286.1290.1301.1307.1312.1329.1345.1356.1364.1365.1375.1403.1415.1416.1419.1440.1442.1449.1455.1456.1465.1495.1512.1516.1525.1540.1548.1555.1558.1564.1570.1577.1579.1583.1584.1591.1603.1616.1638.1651.1653.1660.1665.1667.1677.1678.1682.1697.1699.1703.1712.1716.1720.1721.1722.1725.1732.1745.1750.1760.1765.1769.1782.1786.1800.1808.1810.1825.1827.1832.1837.1838.1840.1842.1843.1845.1859.1866.1870.1878.1880.1889.1899.1911.1917.1929.1942.1944.1962.1963.1964.1967.1968.1969.1978.2003.2007.2027.2035.2039.2044.2047","26D9B9AF-A3EE-40D4-A11F-E6D63205C325"],null,null,[]]
Umut KIRGÖZ
  • 2,105
  • 3
  • 22
  • 29
0

So, it looks like it's due to a sort of bug in the Apache2::Request perl module. which is part of Apache mod_perl. I would still say it's partly Google's fault for issuing such a monstrosity, but the module should be robust enough to not choke on it... Seems to be an older version of the module that is the latest I can get with the version of Debian i'm using. ugh.

steev
  • 916
  • 10
  • 24
  • 1
    How did you solve the issue, i have same issue on IIS causing application to crash 403 error, i have increase Header size but didnt fix the issue – Reza Aug 14 '23 at 07:58
  • @reza we just switched to a different CMP. – steev Aug 24 '23 at 15:34