EU privacy cookie directive

essexboyracer
Forum Members
Posts: 85
Joined: Wed Jun 20, 2007 5:40 pm

EU privacy cookie directive

Post by essexboyracer »

Hi All,

Is it at all possible to prevent CMSMS using a session cookie so that the script may be compliant with the new UK cookie laws?

Perhaps a flag in the config file to allow us to switch on/off the session cookie (I don't mean the backend one).

http://www.ico.gov.uk/news/blog/2011/ha ... iance.aspx
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: EU privacy cookie directive

Post by Rolf »

Only the backend of CMSMS uses session (cookies).
The frontend does not. Add-on modules might, but the core doesn't.

grtz. Rolf
Mieszko
Forum Members
Posts: 59
Joined: Fri Mar 04, 2011 2:40 pm

Re: EU privacy cookie directive

Post by Mieszko »

It does...
at least I have a cookie like so: CMSSESSID15bbf057.....
Recent version of CMSms, standard installation without any additional modules.
essexboyracer
Forum Members
Posts: 85
Joined: Wed Jun 20, 2007 5:40 pm

Re: EU privacy cookie directive

Post by essexboyracer »

It's not from the backend. Go to http://www.cmsmadesimple.org/ and delete all your cookies related to that page (Firefox > Tools > Page Info > Security > View Cookies).

Refresh the page.

You'll most likely see 5 cookies, 1 called CMSSESSID<number> and 4 for GA.

As I don't have access to the cmsmadesimple.org backend, why would CMSMS be placing a cookie called CMSSESSID unless of course there is a module doing this? Try it out on a clean install of CMSMS and see what happens. Try going to http://www.opensourcecms.com and doing the same on the CMSMS demo.

Regardless of whether this is a session based or permanent cookie, it still requires consent, hence the question.

You know what, I might be wrong, but I don't know as my coding skills aren't great and I didn't code CMSMS. If I am wrong then I will hold my hand up, apologise to everyone and get on with it.

What I do know is that CMSSESSID shows up when viewing cookies in Firefox and new UK law requires website owners to obtain consent to place cookies on a user's terminal.
Mieszko
Forum Members
Posts: 59
Joined: Fri Mar 04, 2011 2:40 pm

Re: EU privacy cookie directive

Post by Mieszko »

@Dr.CSS
Sorry to disagree.

I clear all the cookies in Firefox.
I then open a frontend page.
The cookie is set again.

Cookies are activated in /include.php as far as I understand.
staartmees
Power Poster
Posts: 1049
Joined: Wed Mar 19, 2008 4:54 pm

Re: EU privacy cookie directive

Post by staartmees »

Did you read the updated version of the advice? http://www.ico.gov.uk/news/blog/2011/~/ ... tions.ashx

Session cookies aren't a problem; they even advise using session cookies:
"You should also consider whether users who might make a one-off visit to your site would have a persistent cookie set on their device. If this is the case, you could mitigate any risk that they would object to this by shortening the lifespan of these cookies or, where possible given the purpose for using them, making them session cookies."
Also read on page 8, "Exceptions from the requirement to provide information and obtain consent", and on page 10, "Activities likely to fall within the exception".
Rolf
Dev Team Member
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: EU privacy cookie directive

Post by Rolf »

I asked Calguy1000: core CMSMS does use session cookies in the frontend! I was wrong here, didn't know that...

But before this was implemented, CG did some extensive research into this EU law. He found the quote from Staartmees above and some other pages on this subject.
There is absolutely nothing wrong with the use of session cookies, particularly when that session cookie only contains a single string that does not contain any personal information.
So CMSMS is completely legal to use in the EU.

Hope this answers your question.

Rolf
Mieszko
Forum Members
Posts: 59
Joined: Fri Mar 04, 2011 2:40 pm

Re: EU privacy cookie directive

Post by Mieszko »

@Rolf
Thank you.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: EU privacy cookie directive

Post by calguy1000 »

Actually, this is slightly incorrect. CMSMS has ALWAYS used session cookies. And we have no plans to change the behavior.
Dr.CSS
Moderator
Posts: 12709
Joined: Thu Mar 09, 2006 5:32 am
Location: Arizona

Re: EU privacy cookie directive

Post by Dr.CSS »

I was wrong, I apologize...
zestmark
Forum Members
Posts: 10
Joined: Thu May 21, 2009 1:39 pm

Re: EU privacy cookie directive

Post by zestmark »

According to the ICO, regardless of what the cookie is, we will need to tell people what cookie is being run and what the use of it is. My question is, exactly what does the session cookie do, as we will need to add this to our Privacy Policy on all existing CMSMS websites?

Thanks

Mark
Jonny
Forum Members
Posts: 77
Joined: Sun Sep 24, 2006 10:49 am

Re: EU privacy cookie directive

Post by Jonny »

Rolf wrote: "There is absolutely nothing wrong with the use of session cookies, particularly when that session cookie only contains a single string that does not contain any personal information.
So CMSMS is completely legal to use in the EU."

The question is not whether the setting of certain cookies makes CMSMS "legal" or not, and the above could be misunderstood as meaning that no action need be taken in order to comply with the new law.

The following extract from the guidance document clearly states that the Regulations apply to both session and persistent cookies; compliance requires seeking the visitor's permission to set the session cookie.

"Session and persistent cookies
Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies."

So, can the session cookie be removed from the front end?

If not, any suggestions for how to implement an opt-in for CMSMS sites?
Jonny
Forum Members
Posts: 77
Joined: Sun Sep 24, 2006 10:49 am

Re: EU privacy cookie directive

Post by Jonny »

Thanks for your reply, winkelman.

Can you tell me how to configure CMSMS to prevent the cookie from being set?

EDIT: as you've since deleted your post, I guess not.
stevegos

Re: EU privacy cookie directive

Post by stevegos »

I too would like to know how to implement some form of cookie consent system for CMSMS.

The info I have read says that all cookies must require consent. But then says session cookies that do not contain personal data and are removed when the browser closes may be exempt. So it seems to contradict.

If we do need consent for ALL cookies, then this needs addressing pretty quick, otherwise the CMSMS base in the EU is going to look elsewhere (and when at the Geekmoot a few weeks ago, the EU countries are where the largest user base is!).
Jonny
Forum Members
Posts: 77
Joined: Sun Sep 24, 2006 10:49 am

Re: EU privacy cookie directive

Post by Jonny »

Realistically, if any legal action is taken it will be preceded by a request for a statement of intent i.e. what action the offender intends to take in order to comply, and the time scale. Therefore, as immediate penalties are not threatened, the vast majority of sites will probably do nothing until it becomes imperative.

But that does not mean we should do nothing.

Short of complete compliance, a sensible course of action is to:

1. Audit the cookies on your sites and provide details of their purpose and behaviour in your Privacy Policy information page.

2. Make links to Privacy Policies more prominent i.e. at the top of the page.

3. Include mention of cookies in the link, either a direct link to the information or add to the Privacy link, e.g. "Privacy and Cookies".

Even so, I'd still be interested in how to prevent the CMSMS session cookie being set.

And, as has been requested above, can we please have an explanation of what the CMSSESSID session cookie does. It doesn't appear to be necessary for back-end use.
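
For the cookie audit suggested in step 1 above, the following added example (not part of any forum post and not CMSMS code) classifies captured `Set-Cookie` response headers as session or persistent and records their lifetime and flags. The cookie names, values and the reference date are constructed placeholders; `CMSSESSIDxxxxxxxx` stands in for the real suffix, which the thread only shows truncated.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header, now):
    """Turn one Set-Cookie header value into an audit record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None  # seconds; None = no expiry attribute = session cookie
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            pass  # an unparseable Max-Age is ignored
    if lifetime is None and "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            lifetime = int((exp - now).total_seconds())
        except (TypeError, ValueError):
            pass  # an unparseable Expires is ignored

    if lifetime is None:
        kind = "session"
    elif lifetime > 0:
        kind = "persistent"
    else:
        kind = "expired"  # the server is deleting the cookie
    return {"name": name, "kind": kind,
            "lifetime_days": None if lifetime is None else lifetime // 86400,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}

def audit(headers, now):
    """Audit a list of Set-Cookie header values captured from one site."""
    return [parse_set_cookie(h, now) for h in headers]

# Constructed sample headers (placeholders, not captured data).
SAMPLE = [
    "CMSSESSIDxxxxxxxx=0123456789abcdef; path=/",
    "example_pref=1; Max-Age=63072000; Expires=Wed, 01 Jan 2014 00:00:00 GMT; Path=/",
    "example_tracker=abc; Expires=Fri, 01 Jun 2012 00:00:00 GMT; Path=/; HttpOnly",
]
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in audit(SAMPLE, NOW):
        print(row)
```

Cookies written by page scripts rather than by the server never appear in `Set-Cookie` headers, so a header-based audit needs to be combined with a look at the browser's cookie store.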