
Re: EU privacy cookie directive

Posted: Mon Apr 23, 2012 9:32 pm
by calguy1000
> And, as has been requested above, can we please have an explanation of what the CMSSESSID session cookie does. It doesn't appear to be necessary for back-end use.

A session cookie is just that: a cookie that is valid only for the user session. They are stored in a temporary location on the user's browser and deleted when the browser is closed.

CMSMS (and many php based applications) uses a session cookie to contain the unique session identifier. Ours happens to be named CMSSESSIDxxxxxxxx where the number assigned is generated by some md5 stuff.

The value of the cookie (known as the session id) is generated upon the first visit of a user to a web page (first visit since they last opened their browser), and sent as a cookie to the client. That cookie is then re-transmitted back to the server on each subsequent request. That cookie contains only a simple randomly generated, unique string. There is no personal information of any sort stored in this cookie or transmitted over the ether.

The session id allows the server to store data relevant to the user (i.e: which month of the CGCalendar he is viewing, or the items in his cart, his login information etc.) and to retrieve it back, thereby bypassing some of the stateless properties of HTTP. We call this 'storing data in the session' or 'session data'.

Session data is automatically removed from the server after it has reached a period of inactivity (this is a php configuration variable). I.e: if the user browses away from your site, closes the window etc., the session data is cleared up after a while.

The CMSMS Admin section uses the session (as well as other cookies) in numerous places and to store and retrieve lots of different stateful data.

The frontend of the core does not use the session in any way (yet). However numerous important third party modules require sessions to be available, and assume that the session has already been 'setup' and is ready to use.

Some (not all) of the modules that require an active, and correctly configured session in order to behave properly on the frontend:
Captcha
FrontEndUsers
CGFeedback
Cart
Orders
CGEcommerceBase
PaypalGateway
Some of the modules that will not work properly without a correctly setup frontend session:
CGCalendar
CGSmartImage
CGSimpleSmarty
I have not checked every single module, nor do I intend to. I just did some simple searches through some of the modules that I had available on one of my hosts.

Therefore: Having a properly configured session on each request is important to CMSMS sites. I would also hazard a guess to say 'necessary' to a majority of them.

Re: EU privacy cookie directive

Posted: Mon Apr 23, 2012 10:06 pm
by Jonny
Thanks for your comprehensive explanation Calguy.

Can you foresee any circumstances in which an opt-in function for cookies would be considered important for inclusion within the CMSMS core or as an extension? If evidence of legal proceedings begin to emerge, for example?

Re: EU privacy cookie directive

Posted: Tue Apr 24, 2012 1:55 pm
by calguy1000
At this point we have no plans to change the way session cookies are used in CMSMS, for a number of reasons:

a: The definitions and guides wrt session cookies such as this seem to be 'in flux'. Even the ICO guidance has changed at least once since our initial reading.

b: Numerous people in the dev team (those who reside in the EU) are not worried about it. Including some that have consulted their lawyers and say that at this time there is nothing to worry about.

c: It would take quite a bit of work to properly disable the session cookie, but to have it start automatically when required (i.e: when logging in to the admin).

d: Disabling the session cookie would instantaneously break numerous modules. Module developers would then get numerous (and repeated) bug reports about module breakages due to no fault of their own. This is not fair to module developers, and personally I am not prepared to do that.

Re: EU privacy cookie directive

Posted: Tue Apr 24, 2012 4:48 pm
by Rolf
I live in the Netherlands, so *IN* the EU.
Looked several times for Dutch web articles about this issue, but I have to say I couldn't find a real clear story about this. Most websites tell different things and all these websites were weblogs of well-meaning people or news sites, not any Government/Legal sites. But what they all have in common, it is about marketing and advertisement cookies. Not anonymous cookies used for the only purpose of letting a website "work".

Just now, I did another internet search and I found a Dutch "law proposal".
It is referring to the Dutch "Law of the Protection of Personal Data", the whole 2-page PDF is talking about storing personal tracking data in cookies. Quote: "«third party» cookies used for «behavioral advertising»" In that case a visitor should give his or her explicit permission.

But for the use of cookies to let the website work properly it says (Mostly Google translate, so I hope I get the right scope of the story!!)
"When using websites, services and applications store data on the peripherals of the user or read data from the peripheral and these data can be used to the website or service to function properly. It separates paragraph 3 out for such a functionality of the consent requirement of paragraph 1 under
b. For other functionality, too Examples include so-called first party cookies that are used to the user or subscriber to recognize repeat visits to a website, it is usual consent requirement sufficient.
"

The law-proposal is also talking about "collecting personal data", a session cookie used for letting a website work doesn't do that!

As far as I understand all the legal stuff (I am not a lawyer and don't own a business), I am not that worried about the first party, non-personal session cookies CMSMS (modules) uses...

The article I am referring to - in Dutch - http://www.webanalisten.nl/wp-content/u ... ookies.pdf

Hope this helps, Rolf

Re: EU privacy cookie directive

Posted: Sun Apr 29, 2012 2:13 pm
by stevegos
Here in the UK after the 31st May there will be up to £500,000 fine if you are found to have a web site that does not comply with the EU Cookie Directive. I think it's unlikely to happen to many, but I don't want it to happen to my customers or be liable to my customers if there is a problem.

All the other leading CMSs already have add-on modules to deal with this. Wordpress, Drupal, Joomla etc have all dealt with this.

I think we need a module that creates a small popup which states something like the following:
This web site uses Cookies to function correctly (LINK: What is a Cookie?). No personally identifiable information is stored. Please click ACCEPT to proceed normally or REFUSE to continue on with limited functionality.
Just an idea, but this is what I've seen on other web sites. I don't have the knowledge or ability to create a module.

Re: EU privacy cookie directive

Posted: Sun Apr 29, 2012 3:50 pm
by Rolf
The fact that other CMSs have (third party) add-on modules which add this warning message, will imho not say anything about the real need of this module.

Are the project websites of the other CMS's using these modules?
Are the websites of our EU governments using these kind of modules?

Check i.e. http://www.number10.gov.uk
And visit this website http://europa.eu/ when selecting a language there is a cookie set and no warning... It is the website of the people that make this cookie law, isn't it? :)

But please people, if you have legal proof CMSMS *really* needs this kind of feature, send us this information! We will study it closely and if necessary make arrangements!

Let's stop this discussion until we have all the facts on the table!!

Rolf

Re: EU privacy cookie directive

Posted: Sun Apr 29, 2012 7:40 pm
by Rolf
Just a nice addition to my previous post :)

HTTP://EUROPA.EU

About this website
http://europa.eu/abouteuropa/index_en.htm
Europa.eu is the official website of the European Union.
Legal notices
http://europa.eu/geninfo/legal_notices_en.htm
Cookies – storing information on your computer

What are cookies?

To make this site function properly, we sometimes place small data files on your computer, known as cookies.

Most big websites or internet service providers do this too. Cookies help the site remember your settings – language, font size and other preferences for how you want to view the site on your computer - so you don’t have to keep re-entering them whenever you come back to us.

Also, a number of pages on EUROPA show a survey box that asks you if the content was helpful or not. We store a cookie for this too, so we know not to show the box again once you've responded.

Our cookies are not used to identify you personally. They’re just there to make the site work better for you.

How you can control cookies

You can control and/or delete cookies as you wish – for details, see AboutCookies.org.

You can delete all the cookies already on your computer and you can set most browsers to block them being placed. But if you do this, you may have to manually adjust some preferences every time you visit the site.

The Commission does not use cookies for any other purpose than those presented here and does not use them to collect any personal data for any other purpose.

Re: EU privacy cookie directive

Posted: Sun Apr 29, 2012 8:05 pm
by Jo Morg
Hah! I was just about to post something similar and gave up since I didn't want to stir things more. :D
Great posts, both of them, Rolf!

Re: EU privacy cookie directive

Posted: Thu May 10, 2012 4:04 pm
by stevegos
well, all I can say is that the opportunity was there to do something but some decided to do nothing.

Those who are proactive will inevitably prosper. Those that think nothing needs to change will...

The cookie issue even made the BBC TV news here in the UK today. I just hope it won't be a CMSMS web site that gets the first £500,000 (€600,000) fine.

Re: EU privacy cookie directive

Posted: Fri May 18, 2012 1:52 pm
by stevegos
No, you haven't missed something, you've experienced the same unsupportive apathy that I experienced.

The session cookies appear to be classed as "Strictly essential" and thus could be excluded from the new Law. But if you are using any tracking cookies such as Analytics then you will need consent.

I've found numerous third party solutions to this where they place the GA code in some form of Javascript statement and the contents are only parsed if the user consents via popup box or similar notification.

It would be great if someone could come up with a module that performed this (it's outside my knowledge).
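The gating stevegos describes (the tracking code is only loaded once the visitor consents via a popup) as an added example in browser JavaScript; it is not code from the thread, from CMSMS or from any existing consent module. The consent cookie name `cookie_consent`, the placeholder tracker URL and the function names are assumptions. The consent cookie stores only the word `accepted` or `refused`, a refusal is remembered so the visitor is not asked again, and the script tag is never inserted without an explicit opt-in:

```javascript
// Added example (not from the thread or any CMSMS module): load a
// third-party tracking script only after the visitor has opted in.
// CONSENT_COOKIE, TRACKER_SRC and the function names are assumptions.
const CONSENT_COOKIE = 'cookie_consent'; // holds 'accepted' or 'refused'
const TRACKER_SRC = 'https://tracker.example/analytics.js'; // placeholder URL

// Read the visitor's recorded choice from a document.cookie string.
// Returns 'accepted', 'refused', or null when no choice has been made.
function readConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(part.slice(idx + 1).trim());
    if (value === 'accepted' || value === 'refused') return value;
  }
  return null;
}

// Build the document.cookie assignment that records a choice. The cookie
// contains nothing but the word 'accepted' or 'refused'.
function consentCookieValue(choice, maxAgeDays) {
  if (choice !== 'accepted' && choice !== 'refused') {
    throw new Error('choice must be "accepted" or "refused"');
  }
  const maxAge = Math.floor(maxAgeDays * 24 * 60 * 60);
  return `${CONSENT_COOKIE}=${choice}; Path=/; Max-Age=${maxAge}; SameSite=Lax`;
}

// The gate: 'load' only with an explicit opt-in, 'ask' when the visitor
// has not decided yet, 'skip' when they refused.
function trackingDecision(cookieString) {
  const consent = readConsent(cookieString);
  if (consent === 'accepted') return 'load';
  if (consent === 'refused') return 'skip';
  return 'ask';
}

// Insert the tracking <script> tag. Only called after a 'load' decision,
// so the tracker's code is never fetched or run without consent.
function loadTracker(doc) {
  const script = doc.createElement('script');
  script.src = TRACKER_SRC;
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// Browser wiring: call once per page load with the document and a
// callback that draws the popup. The popup's buttons call record(choice).
function applyConsent(doc, showBanner) {
  const decision = trackingDecision(doc.cookie);
  if (decision === 'load') {
    loadTracker(doc);
  } else if (decision === 'ask') {
    showBanner(function record(choice) {
      doc.cookie = consentCookieValue(choice, 365);
      if (choice === 'accepted') loadTracker(doc);
    });
  }
  return decision;
}

// In a page (assumed markup): applyConsent(document, record => {
//   acceptButton.onclick = () => record('accepted');
//   refuseButton.onclick = () => record('refused');
// });
```

Because the decision is taken from the consent cookie before any tracker markup exists, a visitor who refuses gets the site with the session cookie alone, which is the "limited functionality" path from the proposed popup text earlier in the thread.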

Re: EU privacy cookie directive

Posted: Fri May 18, 2012 3:53 pm
by calguy1000
> All the other leading CMS's already have add on modules to deal with this. Wordpress, Drupal, Joomla etc have all dealt with this.

Yes, they have independently contributed third party addons. I've seen them for wordpress anyways.

> I think we need a module that creates a small popup which states something like the following:

Yes, any community member(s) could write one (or more) add on modules to deal with this. And the dev team will provide as much technical assistance as possible. Only the regular development rules and forge rules apply.

Re: EU privacy cookie directive

Posted: Thu May 24, 2012 8:33 am
by scotch33
Guys - if you're in the UK, take a look at this. It will tell you fairly comprehensively what to do.

http://www.international-chamber.co.uk/ ... _guide.pdf

FYI I simply made sure that I informed all my customers of their responsibilities. Those that choose to ignore that are aware they are doing so themselves.

Then for any CMSMS sites that want it, I'm using something like what I have done at the following website - http://www.linkcareuk.net/faac-site/faac-home.html

Re: EU privacy cookie directive

Posted: Thu May 24, 2012 5:57 pm
by Rolf
Thanks for the reply, Scotch33

I came across another website with a "cookie-button". Look in the footer of this page http://www.visitnaestved.com/internatio ... orside.htm

grtz. Rolf

Re: EU privacy cookie directive

Posted: Thu May 24, 2012 6:27 pm
by scotch33
And the BBC have just got their site sorted with a slightly more intrusive example. www.bbc.co.uk

Re: EU privacy cookie directive

Posted: Thu May 24, 2012 9:21 pm
by paulbaker
They are all at it now, Nationwide in UK:
http://www.nationwide.co.uk/
(message shown at the top)

Consensus appears to be: show a warning and then put something like
By using our website, you're consenting to our use of cookies.
which was from http://www.nationwide.co.uk/about_natio ... wide-co-uk

Interesting topic. The regulations seem like a pointless waste of everybody's time to me though. :-\