[PHP] disabled cookies

Disabled cookies use to be a problem years ago. What's your experience these days.

I need it for my session ID. As I read the docs, the old method of appending it
to the URL is a security issue.

I can obviously save the ID in a temp file which can be read by all the pages
needing it.

Al....

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Al <[email protected]> wrote:

>Disabled cookies use to be a problem years ago. What's your experience
>these days.
>
>I need it for my session ID.. As I read the docs, the old method of
>appending it
>to the URL is a security issue.
>
>I can obviously save the ID in a temp file which can be read by all the
>pages
>needing it.
>
>Al....
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

There is a new law been passed in the UK that makes non-essential cookies opt-in only, so you must get permission in order to use them.

That said, session cookies are a bit of a grey area. If your site relies on them to function, then they're ok. If they're used purely for tracking, they need to be made opt-in. Everything between is, like I said, grey.

Thanks,
Ash
http://ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Sun, Jun 3, 2012 at 11:21 PM, Ashley Sheridan
<[email protected]> wrote:
>
>
> Al <[email protected]> wrote:
>
>>Disabled cookies use to be a problem years ago.  What's your experience
>>these days.
>>
>>I need it for my session ID. As I read the docs, the old method of
>>appending it
>>to the URL is a security issue.
>>
>>I can obviously save the ID in a temp file which can be read by all the
>>pages
>>needing it.
>>
>>Al....
>>
>>--
>>PHP General Mailing List (http://www.php.net/)
>>To unsubscribe, visit: http://www.php.net/unsub.php
>
> There is a new law been passed in the UK that makes non-essential cookies opt-in only, so you must get permission in order to use them.
>
> That said, session cookies are a bit of a grey area. If your site relies on them to function, then they're ok. If they're used purely for tracking, they need to be made opt-in. Everything between is, like I said, grey.
>
> Thanks,
> Ash
> http://ashleysheridan.co.uk


A little correction on the above: This law applies to the whole EU, not only UK.

- Matijn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Matijn Woudt <[email protected]> wrote:

>On Sun, Jun 3, 2012 at 11:21 PM, Ashley Sheridan
><[email protected]> wrote:
>>
>>
>> Al <[email protected]> wrote:
>>
>>>Disabled cookies use to be a problem years ago.  What's your
>experience
>>>these days.
>>>
>>>I need it for my session ID. As I read the docs, the old method of
>>>appending it
>>>to the URL is a security issue.
>>>
>>>I can obviously save the ID in a temp file which can be read by all
>the
>>>pages
>>>needing it.
>>>
>>>Al....
>>>
>>>--
>>>PHP General Mailing List (http://www.php.net/)
>>>To unsubscribe, visit: http://www.php.net/unsub.php
>>
>> There is a new law been passed in the UK that makes non-essential
>cookies opt-in only, so you must get permission in order to use them.
>>
>> That said, session cookies are a bit of a grey area.. If your site
>relies on them to function, then they're ok. If they're used purely for
>tracking, they need to be made opt-in. Everything between is, like I
>said, grey.
>>
>> Thanks,
>> Ash
>> http://ashleysheridan.co.uk
>
>
>A little correction on the above: This law applies to the whole EU, not
>only UK.
>
>- Matijn

Oh, my bad!

Thanks,
Ash
http://ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Sun, Jun 3, 2012 at 11:26 PM, Matijn Woudt <[email protected]> wrote:
> On Sun, Jun 3, 2012 at 11:21 PM, Ashley Sheridan
> <[email protected]> wrote:
>>
>>
>> Al <[email protected]> wrote:
>>
>>>Disabled cookies use to be a problem years ago.  What's your experience
>>>these days.
>>>
>>>I need it for my session ID. As I read the docs, the old method of
>>>appending it
>>>to the URL is a security issue.
>>>
>>>I can obviously save the ID in a temp file which can be read by all the
>>>pages
>>>needing it.
>>>
>>>Al....
>>>
>>>--
>>>PHP General Mailing List (http://www.php.net/)
>>>To unsubscribe, visit: http://www.php.net/unsub.php
>>
>> There is a new law been passed in the UK that makes non-essential cookies opt-in only, so you must get permission in order to use them.
>>
>> That said, session cookies are a bit of a grey area. If your site relies on them to function, then they're ok. If they're used purely for tracking, they need to be made opt-in. Everything between is, like I said, grey.
>>
>> Thanks,
>> Ash
>> http://ashleysheridan.co.uk
>
>
> A little correction on the above: This law applies to the whole EU, not only UK.
>
> - Matijn

BTW, There's a website [1] that has all the information and even a
tool for checking what your site does with cookies.

- Matijn

[1] http://www.cookielaw.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Matijn Woudt wrote:
> BTW, There's a website [1] that has all the information and even a
> tool for checking what your site does with cookies.
>
> - Matijn
>
> [1]http://www.cookielaw.org/

Which fails at the first security hurdle!
It requires Google Chrome, which is bigger black hole as far as my customers are
concerned.

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
is perhaps the best guidance for UK users ... currently.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Lester Caine <[email protected]> wrote:

>Matijn Woudt wrote:
>> BTW, There's a website [1] that has all the information and even a
>> tool for checking what your site does with cookies.
>>
>> - Matijn
>>
>> [1]http://www.cookielaw.org/
>
>Which fails at the first security hurdle!
>It requires Google Chrome, which is bigger black hole as far as my
>customers are
>concerned.
>
>http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
>
>is perhaps the best guidance for UK users ... currently.
>
>--
>Lester Caine - G8HFL
>-----------------------------
>Contact - http://lsces.co.uk/wiki/?page=contact
>L.S.Caine Electronic Services - http://lsces.co.uk
>EnquirySolve - http://enquirysolve.com/
>Model Engineers Digital Workshop - http://medw.co.uk//
>Firebird - http://www.firebirdsql.org/index.php
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

How is Google Chrome a bigger security risk than the other popular browsers, Fx and IE?

I was under the impression it was more secure than either of those.

Thanks,
Ash
http://ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Ashley Sheridan wrote:
> How is Google Chrome a bigger security risk than the other popular browsers, Fx and IE?
>
> I was under the impression it was more secure than either of those.

License Conditions ... They may have removed the original landgrab section, but
there is still a potential for Google to gather private information and this is
an unacceptable risk when dealing with customers who deal with sensitive private
data.

In addition, intrusive advertising has no place in public service systems anyway
.... Google maps and the like are similarly inappropriate since using them allows
Google to track material that IS also sensitive. It is THIS tracking that the
'cookie law' was supposed to address, but the problem sites are not even covered
by it ... WE are if we link to uncontrolled sites and services.

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Lester Caine <les[email protected]> wrote:

>Ashley Sheridan wrote:
>> How is Google Chrome a bigger security risk than the other popular
>browsers, Fx and IE?
>>
>> I was under the impression it was more secure than either of those.
>
>License Conditions ... They may have removed the original landgrab
>section, but
>there is still a potential for Google to gather private information and
>this is
>an unacceptable risk when dealing with customers who deal with
>sensitive private
>data.
>
>In addition, intrusive advertising has no place in public service
>systems anyway
>... Google maps and the like are similarly inappropriate since using
>them allows
>Google to track material that IS also sensitive. It is THIS tracking
>that the
>'cookie law' was supposed to address, but the problem sites are not
>even covered
>by it ... WE are if we link to uncontrolled sites and services.
>
>--
>Lester Caine - G8HFL
>-----------------------------
>Contact - http://lsces.co.uk/wiki/?page=contact
>L.S.Caine Electronic Services - http://lsces.co.uk
>EnquirySolve - http://enquirysolve.com/
>Model Engineers Digital Workshop - http://medw.co.uk//
>Firebird - http://www.firebirdsql.org/index.php
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

Ok, but don't confuse the browser with the services Google offers. The two are very separate, and its confusing to mention the services in an argument about the browser.

Thanks,
Ash
http://ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Ashley Sheridan wrote:
>
> Lester Caine<[email protected]> wrote:
>
>> Ashley Sheridan wrote:
>>> How is Google Chrome a bigger security risk than the other popular
>> browsers, Fx and IE?
>>>
>>> I was under the impression it was more secure than either of those.
>>
>> License Conditions ... They may have removed the original landgrab
>> section, but
>> there is still a potential for Google to gather private information and
>> this is
>> an unacceptable risk when dealing with customers who deal with
>> sensitive private
>> data.
>>
>> In addition, intrusive advertising has no place in public service
>> systems anyway
>> ... Google maps and the like are similarly inappropriate since using
>> them allows
>> Google to track material that IS also sensitive. It is THIS tracking
>> that the
>> 'cookie law' was supposed to address, but the problem sites are not
>> even covered
>> by it ... WE are if we link to uncontrolled sites and services.

> Ok, but don't confuse the browser with the services Google offers. The two are very separate, and its confusing to mention the services in an argument about the browser.

I'm just working to rules that are applied to me by the security departments of
the customers *I* am dealing with. While you might think that there should be a
distinct separation between the two areas, the recent 'rationalisation' of
Google privacy notices eroded that separation again ... Google can do what they
like and can change the rules again when they see fit.

We are at a point where the 'cookies' laws have become a requirement simply to
ensure that we KNOW what is being gathered and why.

The question I asked in an earlier thread has not had an answer ... are there
any good open source add-ins for php that allow us to manage this area in Europe?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Mon, Jun 4, 2012 at 1:09 AM, Lester Caine <[email protected]> wrote:
> Ashley Sheridan wrote:
>>
>> How is Google Chrome a bigger security risk than the other popular
>> browsers, Fx and IE?
>>
>> I was under the impression it was more secure than either of those.
>
>
> License Conditions ... They may have removed the original landgrab section,
> but there is still a potential for Google to gather private information and
> this is an unacceptable risk when dealing with customers who deal with
> sensitive private data.
>
> In addition, intrusive advertising has no place in public service systems
> anyway ... Google maps and the like are similarly inappropriate since using
> them allows Google to track material that IS also sensitive. It is THIS
> tracking that the 'cookie law' was supposed to address, but the problem
> sites are not even covered by it ... WE are if we link to uncontrolled sites
> and services.
>

I wonder what browser you're using. I just read the IE10 privacy
policy, and it pretty much states the same, Microsoft can collect
private data from you. Opera, Firefox and Safari probably have
something similar.

You're probably better off being worried about the Google services,
though the same applies probably to the Bing en Yahoo search engines.
And you don't think that Bing Maps collects data about you?

Please don't forget that it is the advertising market that brought us
the free (in cash) internet. With the help of cookies giving us better
ads, the free internet has grown. People need to chill down a bit
about their privacy online. In the end, probably the only real danger
of your own privacy is your own facebook, myspace, google+, twitter,
linkedin, ... profile.

And last but not least, your personal information is probably at a lot
more places than the internet, quite a few stores have things like
membership cards, and guess what, they track you there. They know
exactly what you bought etc. And for example, here in the Netherlands,
we have a new public transportation system, called the 'OV-chipkaart',
which is basically a RFID card. There exists 2 types, anonymous and a
personal one. Now they can happily track where we are going with the
public transportation.

Personally, I find those last thing much worse than Google collecting
my search actions.

- Matijn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Matijn Woudt wrote:
> I wonder what browser you're using. I just read the IE10 privacy
> policy, and it pretty much states the same, Microsoft can collect
> private data from you. Opera, Firefox and Safari probably have
> something similar.

Seamonkey ... on Linux
Still prefer a proper internet suit so I can simply open tabs from email links
and compose html in-line as required.

But the point I was making was that I am restricted from linking to Google by my
customers rules as it's considered a 'security risk' to sensitive personal data.
We use OSM nowadays for mapping, and any site search is private to the server,
not using the 'free' search services. If my actions fail a security audit I have
to amend them ...

I had managed to avoid all of the 'social media' services, but am now having to
'participate' simple to check out what cookies they are setting on sites that
are not affected by security restrictions ...

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Sun, Jun 03, 2012 at 10:21:21PM +0100, Ashley Sheridan wrote:

>
>
> Al <[email protected]> wrote:
>
> >Disabled cookies use to be a problem years ago. What's your
> >experience these days.
> >
> >I need it for my session ID. As I read the docs, the old method of
> >appending it to the URL is a security issue.
> >
> >I can obviously save the ID in a temp file which can be read by all
> >the pages needing it.
> >
> >Al....
> >
> >-- PHP General Mailing List (http://www.php.net/) To unsubscribe,
> >visit: http://www.php.net/unsub.php
>
> There is a new law been passed in the UK that makes non-essential
> cookies opt-in only, so you must get permission in order to use them.

Good lord. I'm glad the U.S. Congress has not gotten together to pass
laws about how we build websites here. I'm not sure I could take
less-than-bright government bureaucrats telling me how to do the job of
programming. No offense, Ash, but you can keep your parliament.

Paul

--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Mon, 2012-06-04 at 17:53 -0400, Paul M Foster wrote:

> On Sun, Jun 03, 2012 at 10:21:21PM +0100, Ashley Sheridan wrote:
>
> >
> >
> > Al <[email protected]> wrote:
> >
> > >Disabled cookies use to be a problem years ago. What's your
> > >experience these days.
> > >
> > >I need it for my session ID. As I read the docs, the old method of
> > >appending it to the URL is a security issue.
> > >
> > >I can obviously save the ID in a temp file which can be read by all
> > >the pages needing it.
> > >
> > >Al....
> > >
> > >-- PHP General Mailing List (http://www.php.net/) To unsubscribe,
> > >visit: http://www.php.net/unsub.php
> >
> > There is a new law been passed in the UK that makes non-essential
> > cookies opt-in only, so you must get permission in order to use them.
>
> Good lord. I'm glad the U.S. Congress has not gotten together to pass
> laws about how we build websites here. I'm not sure I could take
> less-than-bright government bureaucrats telling me how to do the job of
> programming. No offense, Ash, but you can keep your parliament.
>
> Paul
>
> --
> Paul M. Foster
> http://noferblatz.com
> http://quillandmouse.com
>


Yeah, it's been such a pain, as nobody over here is quite sure how the
hell it'll be enforced either, or if it even will be. It's also pretty
vague as to just where the line gets drawn. The official government
sites on this are pretty black and white, but don't clearly address the
grey areas. I think this is definitely a case of the persons making the
laws don't understand the technology involved, which sadly seems to be
the case across a lot of tech laws being passed world-wide of late :(

--
Thanks,
Ash
http://www.ashleysheridan.co.uk

On Tue, Jun 5, 2012 at 12:13 AM, Ashley Sheridan
<[email protected]> wrote:
> On Mon, 2012-06-04 at 17:53 -0400, Paul M Foster wrote:
>
>> On Sun, Jun 03, 2012 at 10:21:21PM +0100, Ashley Sheridan wrote:
>>
>> >
>> >
>> > Al <[email protected]> wrote:
>> >
>> > >Disabled cookies use to be a problem years ago.  What's your
>> > >experience these days.
>> > >
>> > >I need it for my session ID. As I read the docs, the old method of
>> > >appending it to the URL is a security issue.
>> > >
>> > >I can obviously save the ID in a temp file which can be read by all
>> > >the pages needing it.
>> > >
>> > >Al....
>> > >
>> > >-- PHP General Mailing List (http://www.php.net/) To unsubscribe,
>> > >visit: http://www.php.net/unsub.php
>> >
>> > There is a new law been passed in the UK that makes non-essential
>> > cookies opt-in only, so you must get permission in order to use them.
>>
>> Good lord. I'm glad the U.S. Congress has not gotten together to pass
>> laws about how we build websites here. I'm not sure I could take
>> less-than-bright government bureaucrats telling me how to do the job of
>> programming. No offense, Ash, but you can keep your parliament.
>>
>> Paul
>>
>> --
>> Paul M. Foster
>> http://noferblatz.com
>> http://quillandmouse.com
>>
>
>
> Yeah, it's been such a pain, as nobody over here is quite sure how the
> hell it'll be enforced either, or if it even will be. It's also pretty
> vague as to just where the line gets drawn. The official government
> sites on this are pretty black and white, but don't clearly address the
> grey areas. I think this is definitely a case of the persons making the
> laws don't understand the technology involved, which sadly seems to be
> the case across a lot of tech laws being passed world-wide of late :(
>

Yep, When this law was discussed, they were mostly talking about
completely banning cookies. Only later they figured out that there are
quite a few sites that can't live without cookies...

- Matijn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Matijn Woudt wrote:
>> Yeah, it's been such a pain, as nobody over here is quite sure how the
>> > hell it'll be enforced either, or if it even will be. It's also pretty
>> > vague as to just where the line gets drawn. The official government
>> > sites on this are pretty black and white, but don't clearly address the
>> > grey areas. I think this is definitely a case of the persons making the
>> > laws don't understand the technology involved, which sadly seems to be
>> > the case across a lot of tech laws being passed world-wide of late:(
>> >
> Yep, When this law was discussed, they were mostly talking about
> completely banning cookies. Only later they figured out that there are
> quite a few sites that can't live without cookies...

Cookies for shopping baskets got flagged up early on and then people started to
realise that there were more good reasons for using the than bad ;)
The main 'grey' area is a session cookie which classified along with shopping
basket ones - which don't need specific permission - but then we are told we
should still ask? But we don't need to ask about shopping basket ones!

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Jun 3, 2012, at 5:21 PM, Ashley Sheridan wrote:
>
> There is a new law been passed in the UK that makes non-essential cookies opt-in only, so you must get permission in order to use them.

What's a non-essential cookie?

Cheers,

tedd

_____________________
tedd.sperling@gmail.com
http://sperling.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Jun 4, 2012, at 6:13 PM, Ashley Sheridan wrote:
>
> Yeah, it's been such a pain, as nobody over here is quite sure how the
> hell it'll be enforced either, or if it even will be. It's also pretty
> vague as to just where the line gets drawn. The official government
> sites on this are pretty black and white, but don't clearly address the
> grey areas. I think this is definitely a case of the persons making the
> laws don't understand the technology involved, which sadly seems to be
> the case across a lot of tech laws being passed world-wide of late :(
>
> --
> Thanks,
> Ash

This is what I put on my site to address the Cookie issue:

http://sperling.com/contact.php

Do you think it would be enough?

Cheers,

tedd


_____________________
tedd.sperling@gmail.com
http://sperling.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

On Tue, Jun 5, 2012 at 9:15 PM, Tedd Sperling <[email protected]> wrote:
> On Jun 3, 2012, at 5:21 PM, Ashley Sheridan wrote:
>>
>> There is a new law been passed in the UK that makes non-essential cookies opt-in only, so you must get permission in order to use them.
>
> What's a non-essential cookie?
>
> Cheers,
>
> tedd

A cookie that can be removed without the site loosing essential functionality.


On Tue, Jun 5, 2012 at 9:20 PM, Tedd Sperling <[email protected]> wrote:
> On Jun 4, 2012, at 6:13 PM, Ashley Sheridan wrote:
>>
>> Yeah, it's been such a pain, as nobody over here is quite sure how the
>> hell it'll be enforced either, or if it even will be. It's also pretty
>> vague as to just where the line gets drawn. The official government
>> sites on this are pretty black and white, but don't clearly address the
>> grey areas. I think this is definitely a case of the persons making the
>> laws don't understand the technology involved, which sadly seems to be
>> the case across a lot of tech laws being passed world-wide of late :(
>>
>> --
>> Thanks,
>> Ash
>
> This is what I put on my site to address the Cookie issue:
>
> http://sperling.com/contact.php
>
> Do you think it would be enough?
>
> Cheers,
>
> tedd
>

If the cookie is non-essential, you also need an option to 'opt-out'.

- Matijn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php