The Cookie Law (in the UK at least)

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #60, on April 22nd, 2012, 06:37 AM »
Quote from oOo--STAR--oOo on April 21st, 2012, 10:11 PM
Quote from markham on April 21st, 2012, 06:45 PM
Unfortunately neither of the solutions work. That by the-person-whose-name-I-can't-read-let-alone-pronounce didn't work at all. The second one, by Emanuele, isn't preventing the PHPSESSID (ie visitors) cookie from being set.
Hey, that was me who tried Emanuele mod.
It did work, I set it up and it disabled cookies for guests until they agreed to use them, using the notice that is placed at the top.
So SMF didn't issue no cookies at all lol.

It says, either agree, login or register to accept the cookie.
Then it places an ecl_ cookie on your computer to verify that you have accepted lol.
I checked and there was no cookie issued to the guest only analytics and shoutbox, not SMF.
I have uninstalled it now, as it looks a mess right now lol.

But I believe it does the job, with an extra page that you can click in the notice where all the information will be about the cookies.
Nothing on it as of yet lol.
Well it isn't working 100% for me, let me put it that way. The PHPSESSID cookie is being set regardless. But I will agree that Emanuele has done a splendid job in addressing the issue and has made some changes to subs-eclwarning.php since releasing it yesterday to take account of SEF considerations.

Rather than disable features completely - such as your shoutbox - all you need do is add a call to ecl_authorized_cookies() - and if that returns TRUE, cookies have been accepted ;) I've had to do that in subs.php for the Google Analytics mod[1].

But as you can see on this site, no main menu is shown until after the visitor accepts the cookies so, as best I can tell, that site is now almost in full compliance with UK law, the PHPSESSID cookie issue notwithstanding.
 1. (function ob_google_analytics($buffer)
Re: The Cookie Law (in the UK at least)
« Reply #61, on April 22nd, 2012, 06:51 AM »
Quote from Arantor on April 21st, 2012, 10:33 PM
One thing I will add... actually... there is an interesting point to be made here. Complying with the law as it seems to be, that means we can't issue the PHPSESSID cookie without permission. That means search engines won't give consent, and thus we don't have to worry about PHPSESSID for non-guests.

In *that* case, yes, we lose the accuracy of the 'number of online guests', but we actually gain performance and speed and stop having any PHPSESSID/SEO issues again ever to have to deal with.

From my perspective, I'm increasingly considering that a viable option - though I do note there is an exemption in there for cookies used for performance and tracking the number of users to balance load, and it's possible to argue that one with PHPSESSID. Until I get some guidance from the ICO, though, this is all largely hypothetical.
I agree with your view but I do recall reading recently that depending on the PHP configuration on the host server, a session cookie may automatically be set regardless. Is that true?

Mark
Re: The Cookie Law (in the UK at least)
« Reply #62, on April 22nd, 2012, 06:58 AM »
Quote from Arantor on April 21st, 2012, 11:14 PM
Do we actually *need* to track unique guests? Do we care how many 'guests' are online at once? Do we care how many 'unique guests' (given that's a figure that we don't really understand nor have any accuracy for) are online at once?
An interesting point and in the Forum software context I'd suggest that we probably would like to know the number of guests online at any one time but probably aren't very interested in any guest metrics. After all, an owner need simply to run Awstats (or equivalent) to get a breakdown of unique visitors to the site by any number of metrics. Or am I being too simplistic?

Mark
Re: The Cookie Law (in the UK at least)
« Reply #63, on April 22nd, 2012, 03:16 PM »
To save Arantor or anyone else trawling through the Wedge/SMF code looking for where PHPSESSID could be set, I can now confirm that the modification posted by Emanuele works 100% and prevents all cookies, including PHPSESSID, from being set until the visitor actively clicks on a link to allow them.

With Emanuele's help (he used some kind of analyser on my site) I discovered that PHPSESSID was being set because I have SA-Chat installed and, for some strange reason, it has its own index.php file. One of the very first things that happens is that there's a call to start_session(). A simple edit was all it took me to prevent the Mod from loading unless cookies had been authorised.


Nao

  • Dadman with a boy
  • Posts: 16,082
Re: The Cookie Law (in the UK at least)
« Reply #64, on April 22nd, 2012, 04:03 PM »
I haven't read the entire topic or whatever, but I just wanted to share this -- it is probably a known issue but whatever -- I noticed that if I remove the SID cookie and then hit Refresh, it is regenerated again -- even though I'm logged in to begin with... :-/

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #65, on April 23rd, 2012, 05:47 AM »
Just as an aside, in my view the Cookie Law is actually completely unnecessary in the UK at least. Just after the Parliamentary Christmas break (1989), MP Michael Colvin introduced the Computer Misuse Bill which although somewhat watered-down came into force mid-year 1990. Cookies are actually covered under Section 3 of the Act which deals with "unauthorised modification of computer material". Unless accepted, a cookie is arguably an unauthorised modification. And the World Wide Web was in gestation at the time.

However we are where we are and there's one scenario that hasn't been mentioned to date. Suppose Nao crosses the Channel and goes to Arantor's new home on a visit. Whilst he's there, he asks Arantor if he can use his (Arantor's) PC to check his Forum - and we'll assume, for the sake of argument, that Arantor is not a member of that Forum. Nao lands on the Home Page and is asked to accept cookies which he does. He then logs-in and because it's the default, his session time is set for 6 years. He logs-out and closes the browser which should (but doesn't always) delete the Session Cookie; his "member's" cookie - along, possibly with GA's four - remain in Arantor's browser Cookie "jar".

A few weeks later, Arantor notices that a web site he's never heard of nor visited has set cookies. (Let's not get into a debate as to whether or not Nao should have consulted Arantor prior to accepting the cookies, we'll assume they were both engrossed in what they were doing at the time.) Having noticed these Cookies, Arantor decides to lodge a complaint with the ICO. Cookies were set but HE didn't authorise them and it's entirely possible that ICO might ask awkward questions of the site owner.

A similar situation pertains in the case of Internet Cafes.

So maybe it's not enough for a web site owner to get a visitor to simply click on a link to signify acceptance of cookies. Maybe the visitor should be asked to give some means of identification (but that raises other data and privacy protection issues).




oOo--STAR--oOo

  • @Arantor Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time
  • Posts: 43
Re: The Cookie Law (in the UK at least)
« Reply #67, on April 23rd, 2012, 10:18 AM » Last edited on April 23rd, 2012, 10:33 AM
@markham

Yeah you're right.. I coded a lot into the shoutbox myself so I can simply stop them cookies being set.
It's still setting a cookie for the media box even though guests really shouldn't see it anyway, as it's not even open to guests lol.
The cookie is set by js, but a tiny bit of js is coded inside the index of the shoutbox, so will move that to the js file which is only issued to logged in members.
Which will solve that problem ;)

Just need to modify the page that displays the information about the cookies to display each cookie and what they do.

I suppose for Google Analytics you could also just put this before it in the head.

Code:
if (!ecl_authorized_cookies())

Also reading a lot of discussion about it. It does seem like these big companies might not be taking this seriously.
Maybe it's my hoping in chance that it will get challenged and thrown out.

I mean who wants to be throwing alerts at people to accept, lol..
I'm not saying I don't agree with the new law, but I certainly think it should be looked at again and properly, probably in my favour LOL.

Edit: I would just like to add.. The cookie that is set from the mod is only supposed to last for that "session" I don't think there is a need to keep throwing it at the users face every time they revisit.
If my understanding is correct, they only have to agree to it once.

nend

  • When is a theme, no longer what it was when installed?
  • Posts: 165
Re: The Cookie Law (in the UK at least)
« Reply #68, on April 23rd, 2012, 06:10 PM »
How about us that operate and live in the US and decide to ignore the foreign law. I shouldn't be expected to follow a law that I am in no way bound by, should I?
Quote from markham on April 22nd, 2012, 03:16 PM
With Emanuele's help (he used some kind of analyser on my site) I discovered that PHPSESSID was being set because I have SA-Chat installed and, for some strange reason, it has its own index.php file. One of the very first things that happens is that there's a call to start_session(). A simple edit was all it took me to prevent the Mod from loading unless cookies had been authorised.
Yeah, the vision was lost there, not due to the current developer but due to members requesting SMF related features that I had no interest in that broke compatibility for other systems. The idea of the chat system was to be compatible with various systems. I later on lost interest and gave the project away.

But the system was set up on a basic bridge like system, it checks the SMF cookie and loads the DB within the chat, no SMF required. I don't think that is what is causing the problem though. It uses sessions and cookies to figure out what has been sent to the user or if the user needs to connect to the db. The mod doesn't connect to the db unless it has to. The mod will still work I think if this was disabled but there may be sync issues, messages getting sent more than once or not at all.

*edit, this system also helps reduce server load. Hopefully you didn't disable it, the mod IMHO is useless without this system in place because it can bring your site to a slow down. It is hard to remember everything from back then, lol.

Cryotech

  • Posts: 16
Re: The Cookie Law (in the UK at least)
« Reply #69, on April 23rd, 2012, 11:18 PM » Last edited on April 23rd, 2012, 11:25 PM
In a perfect world, no you shouldn't, in a world dictated by the statutes of the U.N and international treaties, yes you will. That's how countries with no copyright laws are able to be forced into extraditing pirates, even if they're nationals, to countries that do have those laws for prosecution in foreign courts.

But in all reality, you don't have to worry about it right now, at least not for a few years. Again, having been a US federal officer for nearly 12 years, I can pretty much guarantee this will not be enforceable for many, many years if at all until the governments worldwide start mandating all websites be hosted on government servers for tracking purposes. The cost alone of enforcing would be astronomical in nature and would be a huge drain on already financially unstable economies.

Until that day happens, I'm not going to worry about it. I already do what I can to protect my users, I don't need Big Brother doing it for me.

Also, don't forget, ID sessions for members is a whole lot different than needing ID sessions for guests which seems to be the focal point of the debate. Members need ID sessions to perform unique functions on the site, guests, however do not for obvious reasons.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #70, on April 24th, 2012, 06:20 AM »
Quote from nend on April 23rd, 2012, 06:10 PM
How about us that operate and live in the US and decide to ignore the foreign law. I shouldn't be expected to follow a law that I am in no way bound by, should I?
Except for the fact that US law makers are in the process of an equivalent Federal statute ....
Quote
*edit, this system also helps reduce server load. Hopefully you didn't disable it, the mod IMHO is useless without this system in place because it can bring your site to a slow down. It is hard to remember everything from back then, lol.
Ah you're the original author! You created a great modification and, IMHO, the best of its type I found for SMF.

Changing its index.php file was actually very simple - even for a 61 year old non-programmer like me!
Code:
    define('SMF', 1);

    // Experimental Optimizer
    define('loadOpt', 1);

    // Let's go ahead and load the settings here.
    require_once(str_replace('//','/',dirname(__FILE__).'/').'../Settings.php');

    // Load SMF's compatibility file for unsupported functions.
    if (@version_compare(PHP_VERSION, '5') == -1) {
        require_once($sourcedir . '/Subs-Compat.php');
    }

    // Load Emanuele's EU Cookie-checker Modification.
    require_once($sourcedir . '/Subs-EclWarning.php');

    // If the user hasn't accepted cookies, get out! We can not go ahead and load SA-Chat
    // because session_start() sets cookies and so potentially does SA-Chat's javascript.
    if (!ecl_authorized_cookies())
        die();

    // Okay, cookies can be set so continue.
    // session_cache_limiter() only takes effect when called before session_start().
    session_cache_limiter('nocache');
    session_start();

//<-------------------------------------------------------------------------------
    // Load the theme
    // strpos(haystack, needle): reject any theme name containing '..' so the
    // request cannot step outside the themes directory.
    if (isset($_REQUEST['theme']) && is_string($_REQUEST['theme']) && strpos($_REQUEST['theme'], '..') === false && is_file('./themes/'.$_REQUEST['theme'].'/template.php') && is_file('./themes/'.$_REQUEST['theme'].'/style.css')) {
        $themeurl = $boardurl.'/sachat/themes/'.$_REQUEST['theme'];
        $themedir = $boarddir.'/sachat/themes/'.$_REQUEST['theme'];
        $thjs = 'theme='.$_REQUEST['theme'].'&';
        require_once($themedir.'/template.php');
    }
All I needed to do was to move the loading of Settings.php and Subs-Compat.php up from below session_start(), then load the Cookie checking code. All your basic logic remains as it was before and now what happens is that if the Cookie authorisation Cookie is not detected, the chat application isn't executed. The load checking and balancing code is still there and fully-operative but only, of course, if cookies are authorised.
Re: The Cookie Law (in the UK at least)
« Reply #71, on April 24th, 2012, 06:55 AM »
Quote from oOo--STAR--oOo on April 23rd, 2012, 10:18 AM
I suppose for Google Analytics you could also just put this before it in the head.

Code:
if (!ecl_authorized_cookies())
If you're using the GA Mod available on SMF, then you'll need to modify the function ob_google_analytics($buffer) in subs.php to this
Code:
// Google Analytics Integration
function ob_google_analytics($buffer)
{
    global $modSettings, $boardurl;

    // Only inject the tracking script (which sets GA cookies) once cookies are accepted.
    if (ecl_authorized_cookies())
    {
        if (!empty($modSettings['googleAnalyticsCode']) && !isset($_REQUEST['xml'])) {
            $google_code = '
            <script type="text/javascript"><!-- // -->' . chr(60) . '![CDATA[' . '
            var _gaq = _gaq || [];
            _gaq.push([\'_setAccount\', \'' . $modSettings['googleAnalyticsCode'] . '\']);
            _gaq.push([\'_trackPageview\']);

            (function() {
            var ga = document.createElement(\'script\'); ga.type = \'text/javascript\'; ga.async = true;
            ga.src = (\'https:\' == document.location.protocol ? \'https://ssl\' : \'http://www\') + \'.google-analytics.com/ga.js\';
            var s = document.getElementsByTagName(\'script\')[0]; s.parentNode.insertBefore(ga, s);
            })();
            // ]]' . chr(62) . '</script>';

            // add in the analytics code at the very end of the head section
            $head_end = stripos($buffer, '</head>');
            // Leave the page untouched when it has no </head> to attach to.
            if ($head_end !== false)
                $buffer = substr_replace($buffer, $google_code . "\n" . '</head>', $head_end, 7);
        }
    }
    // All done
    return $buffer;
}
You can use "if (!ecl_authorized_cookies()) return $buffer;" if you prefer ;) I personally prefer positive tests to negative ones.
Quote
Also reading a lot of discussion about it. It does seem like these big companies might not be taking this seriously.
Those hosting within the EU will have to or they will find themselves "targets of choice" by enforcers such as the ICO.
Quote
Maybe it's my hoping in chance that it will get challenged and thrown out.
It's been on our statute books for 11 months and hasn't been challenged so far - as far as I know.
Quote
I mean who wants to be throwing alerts at people to accept, lol..
I'm not saying I don't agree with the new law, but I certainly think it should be looked at again and properly, probably in my favour LOL.
It means a (hopefully) one-time extra mouse-click to enter sites, not exactly taxing even for the most technology-challenged of users is it? I agree that it could become a bit tiresome but that's a price to pay if we want to protect our privacy.
Quote
Edit: I would just like to add.. The cookie that is set from the mod is only supposed to last for that "session" I don't think there is a need to keep throwing it at the users face every time they revisit.
If my understanding is correct, they only have to agree to it once.
The authorisation cookie should be persistent on all except shared computers and I've modified Emanuele's code to reflect most of that. I can't deal with the shared computer aspect since there's no way of knowing about that. His code does this:
Code:
        setcookie('ecl_auth', 1, 0, '/');
which simply sets a session cookie that should be removed when the browser window closes. I've changed it to this:
Code:
        setcookie('ecl_auth', 'EU Cookie Law - LiPF cookies authorised- ' . strftime('%d-%b-%Y %H.%M.%S', time()), time() + 189345600, '/');  // Set a 6 year cookie, the same as a "Forever" cookie in SMF
which sets a persistent (6 year) cookie and whose "text" tells the user the nature of the cookie and exactly when it was set - milliseconds after he agreed to cookies.[1]
 1. That information string contains HTML entities and I'm not sure if (a) that is safe and (b) how to overcome it.
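
Added example (not part of the thread, and not Emanuele's Subs-EclWarning.php, SA-Chat or SMF code): the pattern from Replies #70 and #71, checking consent before `session_start()` in a standalone script and recording consent in a persistent cookie, written out in PHP. The function names and the `1|<unix time>` cookie value are assumptions; it also handles the case where `session.auto_start=1` in php.ini has opened a session before the script runs.

```php
<?php
// Added illustration: not Emanuele's Subs-EclWarning.php, SA-Chat or SMF code.
// Function names and the "1|<unix time>" cookie value are assumptions.
// Needs PHP 7.3+ for the options-array form of setcookie().

const CONSENT_COOKIE   = 'ecl_auth';  // cookie name used in the thread
const CONSENT_LIFETIME = 189345600;   // 6 years in seconds, as in the thread

// True only when the request carries a well-formed consent cookie.
// A bare "1" (the value the original setcookie() call wrote) is also accepted.
function consent_given(array $cookies): bool
{
    $value = $cookies[CONSENT_COOKIE] ?? null;
    return is_string($value) && preg_match('/^1(\|\d{1,12})?$/', $value) === 1;
}

// Record consent with a persistent cookie. The value is a flag plus a Unix
// timestamp rather than free text, so it carries no markup to escape.
function record_consent(bool $https): bool
{
    return setcookie(CONSENT_COOKIE, '1|' . time(), [
        'expires'  => time() + CONSENT_LIFETIME,
        'path'     => '/',
        'secure'   => $https,   // HTTPS-only when the site is served over HTTPS
        'httponly' => true,     // checked server-side; scripts need not read it
        'samesite' => 'Lax',
    ]);
}

// Start the session only after consent. Returns whether a session is active.
function start_session_if_allowed(array $cookies): bool
{
    if (consent_given($cookies)) {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_cache_limiter('nocache');  // must precede session_start()
            session_start();
        }
        return true;
    }

    // No consent. With session.auto_start=1, PHP has already opened a session
    // and queued a PHPSESSID cookie before this script's first line ran.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
        if (!headers_sent()) {
            header_remove('Set-Cookie');       // drop the queued cookie
        }
    }
    return false;
}

// Entry point of a standalone script such as a chat endpoint.
if (!start_session_if_allowed($_COOKIE)) {
    http_response_code(403);
    exit;
}
```

`record_consent()` would be called from the handler behind the "accept cookies" link, passing `!empty($_SERVER['HTTPS'])` or the site's own HTTPS check.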

nend

  • When is a theme, no longer what it was when installed?
  • Posts: 165
Re: The Cookie Law (in the UK at least)
« Reply #72, on April 24th, 2012, 05:53 PM »
Quote from markham on April 24th, 2012, 06:20 AM
Quote from nend on April 23rd, 2012, 06:10 PM
How about us that operate and live in the US and decide to ignore the foreign law. I shouldn't be expected to follow a law that I am in no way bound by, should I?
Except for the fact that US law makers are in the process of an equivalent Federal statute ....
Quote
*edit, this system also helps reduce server load. Hopefully you didn't disable it, the mod IMHO is useless without this system in place because it can bring your site to a slow down. It is hard to remember everything from back then, lol.
Ah you're the original author! You created a great modification and, IMHO, the best of its type I found for SMF.

Changing its index.php file was actually very simple - even for a 61 year old non-programmer like me!
All I needed to do was to move the loading of Settings.php and Subs-Compat.php up from below session_start(), then load the Cookie checking code. All your basic logic remains as it was before and now what happens is that if the Cookie authorisation Cookie is not detected, the chat application isn't executed. The load checking and balancing code is still there and fully-operative but only, of course, if cookies are authorised.
Just went over the code changes and found the source on GitHub. You're right, it looks like it shouldn't cause any problems. The ecl warning script just checks to see if a cookie is set that it added before and returns true or false. ;)

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #73, on April 24th, 2012, 07:24 PM »
Quote from nend on April 24th, 2012, 05:53 PM
Just went over the code changes and found the source on GitHub. You're right, it looks like it shouldn't cause any problems. The ecl warning script just checks to see if a cookie is set that it added before and returns true or false. ;)
Well yes but that's more by accident than by design. By rights the ecl cookie should be deleted at the end of the browser session as should the SMF session cookie and possibly even the member cookie too. Problem is that none of the web browsers I've tested this against actually deleted expired cookies!

On the off-chance that browser companies fix that, I have modified my version of the code so that the script sets a persistent (6 year) cookie and that it only checks for that one cookie.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #74, on April 25th, 2012, 05:50 PM »
OK, so let's back up a minute.

The PHPSESSID cookie, left alone and untouched by logins, will be removed properly. When logging in, though, SMF and Wedge both make that a persistent cookie. There's no argument on that score: it's a persistent cookie that is not being handled nicely and certainly flies in the face of any argument we can make that PHPSESSID is a valid session cookie when it stops being one.

@nend, why should you bother? That's a good question, and for now I don't think you have to be too concerned if you're based entirely outside the EU. That assumes the US do not introduce any forms of sanction, and I wouldn't put it past them, because then a user in the EU could complain to their national body and they can take it forward on that user's behalf. So in that respect, you don't have to be too bothered - for now.


Assuming the ECL cookie is set, there is nothing in the guidance about it being a session cookie from what I remember, and it does seem overly onerous to make it such, particularly if there is a persistent cookie of any form present.

My take on it is that if cookies are provided that the site is expecting (e.g. the member cookie or PHPSESSID), we can assume that consent must have been provided in the past and not require that extra cookie.