Solved

PHP 5: using a session cookie for site management, how to comply with EU cookie law?

Posted on 2015-02-05
Last Modified: 2015-02-06
Hello Experts,

This may be a dumb question, but...
How do developers initialize a cookie session and comply with EU cookie law at the same time?

If the cookie is declined, I am not sure how to manage sessions (via URL is not an option, too insecure).

Thanks for your help...
Question by:epifanio67
5 Comments
 
LVL 74

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 167 total points
ID: 40592069
I'll preface this by saying that I know nothing about European law, rules, etc., and I am in no way a lawyer, but from what I'm reading here:

https://ico.org.uk/for-organisations/guide-to-pecr/cookies/

...it looks like session-id cookies are exempt from the law:

Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies...also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user.

Are you not permitted to maintain session state on your server? If you can, then you should only need the session ID cookie to get to the session on the server.

Have you consulted an attorney?
0
 

Author Comment

by:epifanio67
ID: 40592083
Thank you Kaufmed.... that helps...

I just accessed the site and noticed the popup asking if it was ok to leave cookies....

I don't believe the law prohibits maintaining a session state on the server...

I just want to make sure I am in compliance technically... no need for an attorney at the moment....
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 166 total points
ID: 40592094
In general, session cookies are OK if they are not used to track personal info. This page http://eucookielaw.org.uk/what-should-I-do-about-eu-cookie-law discusses the subject and has a couple of useful links to check things out.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 167 total points
ID: 40593436
Most EU sites seem to want a personal acknowledgement that it's OK to store a cookie on the browser.  They do this by sending a message that says, "We use cookies, please acknowledge that it's OK."  The message is accompanied by a form control that allows the client to click the "OK" and signal that cookies are acceptable.  Thereafter the cookie(s) can be used since the client has explicitly allowed it.

The cookie, of course, is not the issue here (governments are always behind technology).  It's the underlying database and network of information sharing services that collect and analyze client behaviors.  I can put a single cookie on a client browser and all that tells anyone is that the client browser can be recognized on a return visit.  For example, I can know if a client is "logged in."  The cookie seems benign in its simplicity and innocence.  But a cookie does not tell what behaviors I am tracking, what data I have collected, who I've shared the data with, what credit reporting agencies I've accessed, what IP address lookup services I've used, etc.  The cookie itself is much less than the tip of the iceberg, and the EU cookie laws (unenforceable in many countries) that address the cookies may be a "feel-good" patch for lawmakers, but they completely miss the point of privacy.

Some of the information on the EU Cookie Law web site is accurate, but it's way below comprehensive.  That aside, I like the idea of a popup that they speak of here, and it will probably cover your needs.
http://eucookielaw.org.uk/cookie-opt-in-for-my-website
0
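One way to implement the opt-in flow described in the accepted answer while keeping session IDs out of URLs, as the question requires (an added example, not code from the thread). The cookie name `cookie_consent`, the form field `accept_cookies` and the 180-day lifetime are assumptions, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
// Added example: consent-gated PHP session (PHP 5.3+ compatible).
// CONSENT_COOKIE and the form field name are hypothetical.

// Session IDs travel only in cookies, never in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

const CONSENT_COOKIE = 'cookie_consent';

function has_consent(array $cookies)
{
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === 'yes';
}

function start_session_if_allowed(array $cookies)
{
    if (!has_consent($cookies)) {
        return false; // no consent recorded: no session cookie is sent
    }
    // lifetime 0 = cookie dies with the browser; secure and httponly set
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
    return true;
}

// The visitor clicked "OK" on the banner form below.
$isPost = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
if ($isPost && isset($_POST['accept_cookies'])) {
    setcookie(CONSENT_COOKIE, 'yes', time() + 180 * 86400, '/', '', true, true);
    $_COOKIE[CONSENT_COOKIE] = 'yes'; // make the choice visible to this request
}

$active = start_session_if_allowed($_COOKIE);
?>
<?php if (!$active): ?>
<form method="post">
  <p>We use cookies, please acknowledge that it's OK.</p>
  <button type="submit" name="accept_cookies" value="1">OK</button>
</form>
<?php endif; ?>
```

Until the form is submitted, no `Set-Cookie` header is emitted and `$_SESSION` is unavailable, so pages that need a login must treat `$active === false` as "not authenticated".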
 

Author Closing Comment

by:epifanio67
ID: 40594676
Thank you experts for all of your help...
0
