
Messages - markham
76
The Pub / Re: Number of 'online users'
« on April 22nd, 2012, 08:10 PM »
Quote from Nao on April 22nd, 2012, 03:51 PM
Okay...

- I would also encourage getting rid of guest counting in the stats -- *except* in the Who's online / Info center areas where you can easily sort between guests and online members, and determine that 90% of the 'guests' are actually bots, etc... This kind of thing is interesting, but recording numbers on the long run is pointless because you can't know whether you got a bot swarm or simply an actual surge in interest.
As I have heavily mod'ed my sites, I can't honestly remember if a clean install of SMF distinguishes between spiders and guests in the "Who's online" or not. All I know is that spiders are clearly identified as such and are not counted in page views on my sites. But that said, you do make a valid point.
Quote
- I think that even if we don't start a session for guests, we should still record whatever page they're on and store it somewhere for the next 15 minutes (by IP.) I really like being able to know what a guest is doing... Not only that, but some people are adamant on knowing it, for security purposes. I'd suggest maybe only showing this data to admins, and showing it in a way that's different from the Who's online section -- for instance, we could store the query string and $_SERVER and show that in a subsection of the Who's online page, or something... Because bots will often try to reach URLs that you never considered, it's nice to be able to spot the oddities in there.
In other words, effectively a short-term "cookie" held on the server but as a database record? That actually might be far more accurate than the current system in which case I'm in favour.
77
The Pub / Re: The Cookie Law (in the UK at least)
« on April 22nd, 2012, 03:16 PM »
To save Arantor or anyone else trawling through the Wedge/SMF code looking for where PHPSESSID could be set, I can now confirm that the modification posted by Emanuele works 100% and prevents all cookies, including PHPSESSID, from being set until the visitor actively clicks on a link to allow them.

With Emanuele's help (he used some kind of analyser on my site) I discovered that PHPSESSID was being set because I have SA-Chat installed and, for some strange reason, it has its own index.php file. One of the very first things that happens is that there's a call to start_session(). A simple edit was all it took me to prevent the Mod from loading unless cookies had been authorised.
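
The gate described in this post, sketched as one file that every entry script (the forum's index.php and any mod shipping its own) requires first, with an audit hook that logs any cookie sent before opt-in. This is an added example, not part of the original post and not Emanuele's mod or SMF/Wedge code; the cookie name `ecl_consent`, the `accept_cookies` parameter and all function names are assumptions.

```php
<?php
// consent_gate.php: added example. Require it first in EVERY entry script,
// including a mod's own index.php, so nothing starts a session ahead of it.

const CONSENT_COOKIE = 'ecl_consent'; // assumed name; the thread only mentions an "ecl_" cookie

function has_cookie_consent(array $cookies): bool
{
    return ($cookies[CONSENT_COOKIE] ?? '') === '1';
}

// Record an explicit opt-in. Hypothetical trigger: a link carrying ?accept_cookies=1.
function record_consent(): void
{
    setcookie(CONSENT_COOKIE, '1', [
        'expires'  => time() + 365 * 24 * 3600,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    $_COOKIE[CONSENT_COOKIE] = '1'; // make the opt-in visible to the rest of this request
}

// Start the PHP session (and so send PHPSESSID) only after opt-in.
function start_session_if_consented(array $cookies): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true; // already running, e.g. because session.auto_start is on
    }
    return has_cookie_consent($cookies) ? session_start() : false;
}

// Names of cookies about to be sent although the visitor has not opted in.
function cookies_sent_without_consent(array $cookies, array $headers): array
{
    if (has_cookie_consent($cookies)) {
        return [];
    }
    $names = [];
    foreach ($headers as $header) {
        if (stripos($header, 'Set-Cookie:') === 0) {
            $names[] = strtok(trim(substr($header, 11)), '=');
        }
    }
    return $names;
}

// session.auto_start is PHP_INI_PERDIR: a script cannot switch it off, and the
// session exists before this file runs, so the gate can only report it.
if (ini_get('session.auto_start')) {
    error_log('consent gate: session.auto_start is on; disable it in php.ini or .htaccess');
}

if (isset($_GET['accept_cookies'])) {
    record_consent();
}

// Audit hook: runs just before headers go out and logs any cookie that code
// loaded later in the request tried to set without consent.
header_register_callback(function (): void {
    $leaked = cookies_sent_without_consent($_COOKIE, headers_list());
    if ($leaked) {
        error_log('consent gate: cookies set before opt-in: ' . implode(', ', $leaked));
    }
});

start_session_if_consented($_COOKIE);
```

An entry script that does not require this file is not covered by the gate or the audit hook, which is the situation the post describes with the chat mod's separate index.php.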

78
The Pub / Re: Number of 'online users'
« on April 22nd, 2012, 09:12 AM »
Quote from oOo--STAR--oOo on April 22nd, 2012, 03:34 AM
Awstats does use resources, END OF. Whether them resources are used only in use.. It uses resources.. The fact its running and installed on your machine uses resources. Even IDLE programs USE resources.. Correction SIR. You ain't right!
I'll let you into a little secret: you are completely wrong! Awstats is a client application stored on the server and it is only allocated and uses resources when it is specifically run; the OS frees those resources when you close the application. It is not responsible for collecting and storing the data, that's done automatically by the server. If you examine your running processes and note that Awstats is loaded when it shouldn't be, then you should talk to your hosting company as it's likely a configuration issue.

79
The Pub / Re: Number of 'online users'
« on April 22nd, 2012, 08:54 AM »
Quote from live627 on April 22nd, 2012, 06:11 AM
Star: AWstats is a log analyser and nothing more. The sourceforge page says it in the second sentence! Meaning it does no work when you're not using it. All it does is read from the server. And what better way to track usage than by reading what the server itself provides!
I completely agree and I also agree with Arantor's proposals. In addition to the site I linked elsewhere in a related thread, I also manage a UK-based site on behalf of a "technology-challenged" owner. His brief to me was quite explicit in that he wants to know how many visitors have visited the site during any given period and where they are geographically. Having educated himself a tad on the subject, he's asked me to implement Google Analytics. I'm now in the process of telling him why I don't think that's such a great idea and why it falls foul of the new Cookie Laws (where Cookies aren't accepted). I've also explained to him that we can get a fairly accurate picture simply by using a tool such as Awstats to analyse the server logs and probably produce far more meaningful results.

And if removing guest tracking results in a drop in bandwidth and fewer SQL enquiries, with their attendant processing, then I'm all in favour. I'm pretty sure that anyone who sees a need to track their site visitors will either write a mod plug-in or have one written.


Mark
80
The Pub / Re: The Cookie Law (in the UK at least)
« on April 22nd, 2012, 06:58 AM »
Quote from Arantor on April 21st, 2012, 11:14 PM
Do we actually *need* to track unique guests? Do we care how many 'guests' are online at once? Do we care how many 'unique guests' (given that's a figure that we don't really understand nor have any accuracy for) are online at once?
An interesting point and in the Forum software context I'd suggest that we probably would like to know the number of guests online at any one time but probably aren't very interested in any guest metrics. After all, an owner need simply to run Awstats (or equivalent) to get a breakdown of unique visitors to the site by any number of metrics. Or am I being too simplistic?

Mark
81
The Pub / Re: The Cookie Law (in the UK at least)
« on April 22nd, 2012, 06:51 AM »
Quote from Arantor on April 21st, 2012, 10:33 PM
One thing I will add... actually... there is an interesting point to be made here. Complying with the law as it seems to be, that means we can't issue the PHPSESSID cookie without permission. That means search engines won't give consent, and thus we don't have to worry about PHPSESSID for non-guests.

In *that* case, yes, we lose the accuracy of the 'number of online guests', but we actually gain performance and speed and stop having any PHPSESSID/SEO issues again ever to have to deal with.

From my perspective, I'm increasingly considering that a viable option - though I do note there is an exemption in there for cookies used for performance and tracking the number of users to balance load, and it's possible to argue that one with PHPSESSID. Until I get some guidance from the ICO, though, this is all largely hypothetical.
I agree with your view but I do recall reading recently that depending on the PHP configuration on the host server, a session cookie may automatically be set regardless. Is that true?

Mark
82
The Pub / Re: The Cookie Law (in the UK at least)
« on April 22nd, 2012, 06:37 AM »
Quote from oOo--STAR--oOo on April 21st, 2012, 10:11 PM
Quote from markham on April 21st, 2012, 06:45 PM
Unfortunately neither of the solutions work. That by the-person-whose-name-I-can't-read-let-alone-pronounce didn't work at all. The second one, by Emanuele, isn't preventing the PHPSESSID (ie visitors) cookie from being set.
Hey, that was me who tried Emanuele mod.
It did work, I set it up and it disabled cookies for guests until they agreed to use them, using the notice that is placed at the top.
So SMF didn't issue no cookies at all lol.

It says, either agree, login or register to accept the cookie.
Then it places an ecl_ cookie on your computer to verify that you have accepted lol.
I checked and there was no cookie issued to the guest only analytics and shoutbox, not SMF.
I have uninstalled it now, as it looks a mess right now lol.

But I believe it does the job, with an extra page that you can click in the notice where all the information will be about the cookies.
Nothing on it as of yet lol.
Well it isn't working 100% for me, let me put it that way. The PHPSESSID cookie is being set regardless. But I will agree that Emanuele has done a splendid job in addressing the issue and has made some changes to subs-eclwarning.php since releasing it yesterday to take account of SEF considerations.

Rather than disable features completely - such as your shoutbox - all you need do is add a call to ecl_authorized_cookies() - and if that returns TRUE, cookies have been accepted ;) I've had to do that in subs.php for the Google Analytics mod[1].

But as you can see on this site, no main menu is shown until after the visitor accepts the cookies so, as best I can tell, that site is now almost in full compliance with UK law, the PHPSESSID cookie issue notwithstanding.
 1. (function ob_google_analytics($buffer)
83
The Pub / Re: The Cookie Law (in the UK at least)
« on April 21st, 2012, 06:45 PM »
Unfortunately neither of the solutions work. That by the-person-whose-name-I-can't-read-let-alone-pronounce didn't work at all. The second one, by Emanuele, isn't preventing the PHPSESSID (ie visitors) cookie from being set.
84
The Pub / Re: The Cookie Law (in the UK at least)
« on April 21st, 2012, 07:33 AM »
Quote from oOo--STAR--oOo on April 21st, 2012, 05:27 AM
This is why I like Arantor. You take your time out to reply, and educate + 1
Oh he's earned more than +1 from me as he seems to be the only Forum software developer who has not only taken time to research this (and other legal implications) but has demonstrated a genuine willingness to implement a decent solution.
Quote
Put in the registration agreement that they allow all cookies and *hope* SMF do something about guest cookies.
You can hope and you can pray but whatever you do, don't hold your breath! Here's the solution that a (former?) SMF project person has suggested:
Quote
  • Move your forum to a sub-directory
  • Put up an entrance page advising of the cookies that will be set.
  • Make a small change on the main SMF index page redirecting anyone who doesn't have an "opt in" cookie set to the entrance page.
  • Require a click-through to get to the new forum location, setting a cookie (which was disclosed on that page!) to prevent SMF from kicking them out.
If you put the check right at the start of the SMF execution path, that should avoid a PHP session from being started.

Oh, this solution also prevents search engines from indexing anything since SMF now requires an "opt in" cookie to even show.

I think that would legally work, although it would probably destroy your site since you wouldn't have any results in search so you'd only get new visitors via direct referral.
So that's the best SMF can suggest - are they serious?!! A Forum with no traffic. Terrific! They are not going to like the response I've just posted and expect I'll be slapped on the face with a wet fish before the day is out.

However, there is another British Forum owner contributing to that same thread and he poses the following:
Quote
In my view the new law actually makes using the internet illegal as your server can not legally read the packet headers which contain information from the user's terminal without their prior permission but how can you get that prior permission if you can't read the headers.
The sad fact is that were things different to what they are today, there would have been an Arantor-authored modification for SMF available by now[1] but like everyone else affected, I will do what I can to be in compliance whilst waiting patiently for Wedge's release.

I've noticed that some ISPs are placing tracking cookies for each web site visited. I wonder what ICO's views on that would be, since such cookies are outside the direct control of the web site owner.
 1. This is simply an observation (and probably a truism!), nothing more than that!
85
The Pub / Re: The Cookie Law (in the UK at least)
« on April 20th, 2012, 08:58 AM »
Quote from Arantor on April 19th, 2012, 07:28 PM
Quote
That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
I actually did some investigation on this some time ago, when I first started running forums, and I don't believe anything's changed. Basically, a username and password is not considered personal information and as yet, neither is an email address. Consequently because you're not providing anything that comes under their definition of 'personal information', you don't have to get into the realms of being a registered Data Controller, and whatever's left regarding IP (which also, currently, is not considered personal information) is covered by the standard registration agreement, which is within the First Principle's approach to transparency.
I agree entirely with your comments. But many Forum sites hold other personal information that has been voluntarily supplied by its members - such as their location, user names on social network sites and instant messengers, perhaps even their exact geographic location (for Google Map pins). Now I agree that all this additional information is not only supplied voluntarily by members but can be modified or removed by them at any time. Well almost: if that member receives a ban, he is no longer able to remove his personal details and whilst the site needs to retain that member's email address, user name and IP Address in order to enforce the ban, it does not - and should not (in my view) - retain any of the additional information that user supplied during his membership. That retention might fall foul of the DPA.

If my suspicions have any legs, then wouldn't it be wise for the site to automatically remove all additional information - including all PMs sent/received - when a member is banned?

To the best of my knowledge - and according to some basic research carried-out by my lawyer - no UK-based Forum site has been found in violation of the DPA but there remains the risk that should the ICO be asked to investigate a site under the "cookie law", it might also check for other violations.
86
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 08:29 PM »
Quote from Arantor on April 19th, 2012, 07:05 PM
Quote
The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
That's true, but to a point one of the considerations is whether you're acting in good faith or not. If you're 'on the edge' but making an attempt in good faith to be compliant, you're probably going to be OK, but if you're on the edge trying to bend the rules at every opportunity, when you do skirt the rules, it will come back to bite you a bit more.
Let's suppose Germany decides to require site owners to obtain separate opt-ins for every cookie whilst apparently the UK does not - according to ICO a blanket opt-in is sufficient. A German user visits a UK hosted web site and is presented with a single "Do you agree to our placing cookies?" dialog box. The German user is happy to have the site's first-party cookie as, in all likelihood, that cookie would be rather essential to ensure a good experience, but he doesn't want the (potentially four) extra Cookies placed by Google Analytics or Facebook trackers etc. He feels aggrieved that those cookies have been stored and complains. The UK site has complied with the Directive as implemented in UK law but is not compliant under German law. As things stand, the Information Commissioner would have to agree that the web site concerned was in violation. But whether he would seek prosecution is entirely another matter.
Quote
Quote
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The ICO's own site is where I feel it's failing most: I accept that they may not know the specific details of each cookie - I don't know the specifics of what's in the Google Analytics cookies, for example, so that part I'm willing to accept the way they're doing it. What I don't like is the way they're using a single consent to accept *all* of those cookies, not bits and pieces.
But is there any other practical way of doing this? As a developer, you'd say "yes", I'll simply include hooks that cause the display of a cookie acceptance dialog so that developers of plug-ins that set cookies can get the user's acceptance. But from a user's point of view, to be presented with a succession of cookie opt-in dialogs is going to become tiresome to say the least. If we are going to go down that road, then I think two opt-in dialogs should suffice: one for first-party and the other for all the third-party cookies. That second dialog could optionally be re-presented to the user if additional cookies are added. How's that for compromise?

87
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 07:17 PM »
Quote from Nao on April 19th, 2012, 06:47 PM
Quote from markham on April 19th, 2012, 06:22 PM
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team
Only half the team, I'm afraid :P
Ah but it's 100% more than over at SMF! :D
Quote
I'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
In our case, the UK's Information Commissioner is legally obliged to investigate any complaints and the penalties are proscribed in law but whether anyone actually complains is another matter. Unless they live in Denmark, of course (where I believe this all originated).

That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
Quote
Quote
whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge!
Heck, even *I* can no longer wait for an alpha release...
That's the one they're promising by the end of the millennium, right?!
88
The Pub / Re: The Cookie Law (in the UK at least)
« on April 19th, 2012, 06:22 PM »
Quote from Arantor on April 19th, 2012, 02:20 PM
It does also seem that there is a certain degree of insanity in the wording, from what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of being run in the UK or not, and for it to be taken up with the appropriate country's authorities on the matter.
Yes, that's my reading of it also and corresponds to the legal advice I've been given. What's probably a bit draconian about this is that other EU nations are being somewhat dilatory about implementing their own "Cookie Laws" but that won't be taken into consideration if a complaint is made about a web site hosted in one of those member states. They are liable for the same huge fine if they're found to be in violation (£500,000 or $750,000). The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.

The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.

The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!

Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!
89
The Pub / Re: The Cookie Law (in the UK at least)
« on April 16th, 2012, 03:06 PM »
Quote from Arantor on April 15th, 2012, 10:09 PM
Quote
It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).
Have you been to the ICO's site? Their opt-in is a very big list of cookies, which lists every cookie they use (of which there are quite a few), and the opt-in is for all cookies, not a per-cookie basis, so opting in for the important cookies also opts you in by proxy for the others too, which is a very dubious state of affairs.
Yes I have and you're right, it is a long list. However, the British implementation of the Directive may be at odds with other EU nations' in the case of exemptions and blanket opt-ins which, apparently, the Directive doesn't even mention. So whilst a UK-hosted site may be in compliance with British Law, it may not be fully-compliant with other nations' implementation of the Directive and the ICO will have to investigate complaints passed to it from its EU counterparts.

Given that, the advice surely must be that an opt-in be obtained for each and every cookie regardless of whether first or third-party. And that could make visiting EU-hosted web sites somewhat tedious.
90
The Pub / Re: The Cookie Law (in the UK at least)
« on April 15th, 2012, 09:45 PM »
I have one site hosted in the UK and one hosted in the US. My solicitor (in London) has just advised me that I must have a notice prominently displayed for guests and members who are accessing from within the EU regarding the content and use of cookies by the Forum software. Apparently this must appear on both sites in order to comply with the Directive, since they can both be accessed from within the EU. I'm also advised that a similar notice should also appear in the membership agreement.

I honestly doubt that many people will complain to the ICO but if they do, it's a big hassle and a potentially huge fine for site owners. A simple notice may remove that threat for now but, I'm told, the ICO (and its European counterparts) may in future require site operators to provide a means for cookie-less access to their sites.

What's not clear - and apparently the ICO isn't giving chapter and verse - is where the responsibility for third-party cookies lies. Anyone visiting a web site these days is bound to have one or more Google cookies stored in addition to any first-party cookies. It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).


Mark