
Topic: CPG needs to comply with the new EU cookie Directive


papukaija
CPG needs to comply with the new EU cookie Directive
« on: May 25, 2012, 03:50:16 PM »

The EU Cookie Directive (Directive 2009/136/EC) is an amendment of the Directive 2002/58/EC, which concerns the protection of data and privacy on the web. The Article 5.3 states the following on the use of cookies:

Quote
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The new UK law based on the above Directive will become effective from tomorrow. As a live example, check out the ico.gov.uk which displays a top banner asking for allowing cookies.

It's clear that the cookies used by CPG don't fall under the category of "strictly necessary", except the login status. Settings options in a cookie, like album sortings, toggling of the picture's info box, language, etc. need consent from the user. As of now CPG doesn't ask my permission to set a cookie and is thus illegal in the EU.

Fixing this bug (I consider legal issues as bugs and not feature requests):
Investigate whether a cookie is really needed for non-login status related features, if:
  • yes: need to add, as a core feature/plugin, a way to ask user's permission for the cookies
  • not: limit the cookie to the login status only

Until this bug is fixed I need to ask my site's visitors' permission for the cookies just because of CPG, as all other software on my site is fixed or in the process of being fixed.

This Directive is a nightmare for web developers but the law is the law.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #1 on: May 29, 2012, 03:05:58 PM »

Adding such a check shouldn't be that hard, but I think it's currently not possible to do it with a plugin.

I assume adding a new function like cpg_setcookie, which adds some additional checks and shows something like your example site will be the best solution.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #2 on: May 29, 2012, 04:49:41 PM »

Prepared code for user cookie consent in SVN revision 8433. Now we just need a plugin that displays a message like ico.gov.uk if the "accept cookies" cookie is not set which does something like
Code:
setcookie($CONFIG['cookie_name'].'_accept_cookies', true, time() + (CPG_WEEK*52), $CONFIG['cookie_path']);
on consent.

I'll create it as soon as possible, probably tomorrow.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #3 on: June 01, 2012, 12:15:44 PM »

Changed the approach and cookie name in SVN revision 8439. Coppermine now checks for the cookie name $CONFIG['cookie_name'].'_cookies_allowed'
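Replies #1 to #3 sketch the mechanism (a cpg_setcookie wrapper, a consent cookie named $CONFIG['cookie_name'].'_cookies_allowed', and a plugin that sets it on consent) without showing the wrapper itself. The following is an added illustration written for this page, not Coppermine's code from SVN revision 8433/8439: it gates every non-essential cookie on the presence of the consent cookie and lets cookies flagged as strictly necessary through. The value of CPG_WEEK, the '_sid' and '_data' cookie suffixes, the $essential flag and the injectable $emit callback are assumptions made for the example; which cookies count as "strictly necessary" is the policy question debated later in this thread, and the flag is only the place where that decision is recorded.

```php
<?php
declare(strict_types=1);

// Names mirror those used in the thread ($CONFIG['cookie_name'],
// $CONFIG['cookie_path'], CPG_WEEK); the value of CPG_WEEK is assumed here.
if (!defined('CPG_WEEK')) {
    define('CPG_WEEK', 7 * 24 * 60 * 60);
}

/** Name of the consent cookie, as introduced in SVN revision 8439. */
function cpg_consent_cookie_name(array $CONFIG): string
{
    return $CONFIG['cookie_name'] . '_cookies_allowed';
}

/** True when the visitor has already opted in (the consent cookie is present). */
function cpg_cookies_allowed(array $CONFIG, array $cookieJar): bool
{
    return isset($cookieJar[cpg_consent_cookie_name($CONFIG)]);
}

/**
 * Consent-gated replacement for setcookie() (illustrative, not the project's).
 *
 * Cookies flagged $essential (login/session state, the consent cookie itself)
 * are always sent. Everything else is sent only once the consent cookie is
 * present in the request; until then the call is a no-op that returns false,
 * so nothing is stored on the visitor's machine.
 *
 * $emit defaults to PHP's setcookie(); it is injectable so the gate can be
 * exercised from the CLI, where there is no HTTP response to attach headers to.
 */
function cpg_setcookie(
    array $CONFIG,
    array $cookieJar,
    string $name,
    string $value,
    int $expire,
    bool $essential = false,
    ?callable $emit = null
): bool {
    if (!$essential && !cpg_cookies_allowed($CONFIG, $cookieJar)) {
        return false;
    }
    $emit = $emit ?? 'setcookie';
    // path from $CONFIG, no domain override, Secure left to the deployment, HttpOnly on
    return (bool) $emit($name, $value, $expire, $CONFIG['cookie_path'], '', false, true);
}

/** Called by the banner's "accept cookies" action: stores the opt-in for a year. */
function cpg_record_consent(array $CONFIG, ?callable $emit = null): bool
{
    // The consent cookie is itself essential, so it is set regardless of the jar.
    return cpg_setcookie($CONFIG, [], cpg_consent_cookie_name($CONFIG), '1',
        time() + CPG_WEEK * 52, true, $emit);
}

/** First visit -> consent click -> later visit; returns what each stage sent. */
function cpg_consent_demo(): array
{
    $CONFIG = ['cookie_name' => 'cpg15x', 'cookie_path' => '/'];
    $sent = [];
    // Recording stand-in for setcookie(); extra arguments are ignored by PHP.
    $emit = function (string $name, string $value) use (&$sent): bool {
        $sent[$name] = $value;
        return true;
    };
    $expire = time() + CPG_WEEK * 52;

    // 1. First visit, no consent cookie in the request.
    $firstVisit = [];
    // Strictly necessary cookie (login state) goes out even without consent.
    cpg_setcookie($CONFIG, $firstVisit, $CONFIG['cookie_name'] . '_sid', 'opaque-session-id', 0, true, $emit);
    // Preference cookie is blocked: cpg_setcookie() returns false, nothing sent.
    cpg_setcookie($CONFIG, $firstVisit, $CONFIG['cookie_name'] . '_data', 'sort_order=na', $expire, false, $emit);
    $beforeConsent = $sent;

    // 2. Visitor clicks "accept cookies" in the banner.
    cpg_record_consent($CONFIG, $emit);

    // 3. Next request carries the consent cookie, so the preference cookie goes out.
    $laterVisit = [cpg_consent_cookie_name($CONFIG) => '1'];
    cpg_setcookie($CONFIG, $laterVisit, $CONFIG['cookie_name'] . '_data', 'sort_order=na', $expire, false, $emit);

    return ['before_consent' => $beforeConsent, 'after_consent' => $sent];
}

if (PHP_SAPI === 'cli') {
    print_r(cpg_consent_demo());
}
```

Run with php on the command line: before_consent contains only cpg15x_sid, after_consent additionally contains cpg15x_cookies_allowed and cpg15x_data. The important property is that the gate sits at the point where cookies are emitted, not in the theme: a banner rendered by the theme runs after the core has already sent its headers, which is why the thread moves the check into a cpg_setcookie-style function.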

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #4 on: June 01, 2012, 12:47:39 PM »

Plugin (still in development) can be found here.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #5 on: June 01, 2012, 05:09:01 PM »

Feel free to test the plugin, as far as I can tell it already works as expected. Don't forget to apply the above-mentioned changes from the SVN repository and then update your Coppermine database (update.php). Additionally, you have to replace
Code:
$plugin_cpg_version = array('min' => '1.5.22');
with
Code:
$plugin_cpg_version = array('min' => '1.5.20');
in configuration.php to be able to install the plugin at the plugin manager.

papukaija
Re: CPG needs to comply with the new EU cookie Directive
« Reply #6 on: June 02, 2012, 05:04:34 PM »

Thank you for working on this so quickly and making a great plugin. There are just a few things that I'd change. Firstly, the session cookies fall IMO under the category of "strictly necessary" (the UK's ICO considers shopping baskets, etc. as part of this category too), so I think it's safe to exclude them from the consent, as otherwise the login won't work. Or is the session cookie used for something other than just the login status?

I also noticed that you're going to add some kind of "don't show this message again" link. For a short-run fix, what about a jQuery hide link or auto-hide (in 1 minute, for example)? I've also noticed that some websites remember the hidden status of the consent box and thus denial of cookies by a cookie... Finally, is it possible to make the "32 bit MD5 hash" translateable?

Otherwise, the plugin works very well. I've attached the Finnish translation to this message.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #7 on: June 20, 2012, 09:04:42 AM »

Quote
the session cookies fall IMO under the category of "strictly necessary" (UK's ICO consider shopping baskets, etc as part of this category too) so I think it's safe to exclude them from the consent as otherwise the login won't work.

For publicly accessible galleries the session cookie isn't necessary to provide the service IMHO. I'm no lawyer and I don't see a reason why we should care about users who fear cookies.


Quote
a jQuery hide link or auto-hide (in 1 minute, for example)?

Never heard of that and don't know how it's supposed to work. Do you have some links?


Quote
is it possible to make the "32 bit MD5 hash" translateable?

Sure. But maybe someone also has a better (= less technical) explanation in general, like "32 digits string"?


Thank you for your contribution.

Phill Luckhurst
Re: CPG needs to comply with the new EU cookie Directive
« Reply #8 on: June 20, 2012, 11:02:23 AM »

My personal take on this is that it is not up to the application provider to provide the warning messages or checks. You as the webmaster should decide on your take on this and how you want to warn or deal with the cookies. IMHO, we should provide a list of cookies we set and what they do, but that is as far as it should go.

This is especially so as CPG is often only a part of a website, not the whole website. In that instance we do not need a warning for each application the website loads. Not trying to put down what Andre is creating here with a plugin, that is a great idea. I just think that it should not be part of the core, nor should CPG be under any obligation to provide scripts to advise users regarding the new laws. There are hundreds of free scripts to provide the message for you which you simply need to add to your theme if required.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #9 on: June 20, 2012, 11:44:50 AM »

As far as I understand that directive nobody is allowed to store cookies without the users' consent. It's too late to display a message with your theme, as Coppermine already created at least 2 cookies at that point (the session cookie and the data cookie). It's up to the webmaster if he wants to use the plugin (which disables all Coppermine core cookies by default), display a message via the theme engine, use a separate page before the Coppermine gallery is displayed or ignore the directive generally.

I think we should provide a possibility to comply with the EU directive (e.g. for Coppermine gallery-only websites and people who don't want to mess with that stuff themselves), especially as the plugin in combination with the code change already works.

Phill Luckhurst
Re: CPG needs to comply with the new EU cookie Directive
« Reply #10 on: June 20, 2012, 01:57:20 PM »

I think we are working towards the same aim Andre, a plugin that users can choose to use or not. What is also interesting to note is a) how few sites have yet to comply and b) how many of those sites that suggest they comply actually do not as many place cookies before passing on the message especially things like GA etc.

Not exactly well thought through this new law but that is a discussion to be held elsewhere.
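Reply #9 makes the point that by the time a theme can render a banner, the core has already sent at least two cookies, and Reply #10 observes that many sites that claim to comply still set cookies before the visitor has answered. The quickest way to check a site for that pattern is to make one request without any Cookie header and look at what comes back. The following is an added example written for this page (not Coppermine's or the plugin's code): it takes a raw HTTP response, lists the cookie names from its Set-Cookie headers, and returns those that are not on the site's own list of strictly necessary cookies. The response text and the cookie names in it are constructed for the demo, and the allowlist is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Extract the cookie names from the Set-Cookie headers of a raw HTTP response
 * (status line plus headers; the body, if present, is ignored).
 * Header names are matched case-insensitively, as HTTP requires.
 */
function cookies_set_by_response(string $rawResponse): array
{
    $headerBlock = preg_split("/\r?\n\r?\n/", $rawResponse, 2)[0];
    $names = [];
    foreach (preg_split("/\r?\n/", $headerBlock) as $line) {
        if (preg_match('/^set-cookie:\s*([^=;\s]+)=/i', $line, $m)) {
            $names[] = $m[1];
        }
    }
    return $names;
}

/**
 * Given the cookies a consent-less first request received and the names the
 * site declares strictly necessary, return the ones that required consent.
 * Duplicates are collapsed so one repeated header is reported once.
 */
function cookies_needing_consent(array $setCookies, array $strictlyNecessary): array
{
    return array_values(array_unique(array_diff($setCookies, $strictlyNecessary)));
}

/** Audit a constructed first-visit response against an assumed allowlist. */
function first_visit_audit_demo(): array
{
    // Constructed response to a request that carried no Cookie header and in
    // which the visitor has not clicked anything yet.
    $response = "HTTP/1.1 200 OK\r\n"
        . "Content-Type: text/html; charset=utf-8\r\n"
        . "Set-Cookie: cpg15x_sid=opaque-session-id; path=/; HttpOnly\r\n"
        . "Set-Cookie: cpg15x_data=sort_order%3Dna; expires=Wed, 29 May 2013 00:00:00 GMT; path=/\r\n"
        . "set-cookie: cpg15x_cookies_allowed=1; path=/\r\n"
        . "\r\n"
        . "<html><body>gallery</body></html>";

    // Assumed allowlist: only the login/session cookie is treated as strictly
    // necessary here. The consent cookie is deliberately NOT on it: on a first,
    // un-clicked request its presence means consent was assumed, not given.
    $strictlyNecessary = ['cpg15x_sid'];

    return cookies_needing_consent(cookies_set_by_response($response), $strictlyNecessary);
}

if (PHP_SAPI === 'cli') {
    // Reports cpg15x_data and cpg15x_cookies_allowed for the constructed response.
    print_r(first_visit_audit_demo());
}
```

To run it against a live site, capture the headers of a fresh request with no cookie jar, for example curl -s -D - -o /dev/null https://example.invalid/gallery/, and pass the output to cookies_set_by_response(). One caveat a header audit cannot cover: cookies written client-side through document.cookie (the way Google Analytics, mentioned in Reply #10, sets its own) never appear in Set-Cookie headers, so a site can pass this check and still store data before consent; those need a browser-side inspection.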

papukaija
Re: CPG needs to comply with the new EU cookie Directive
« Reply #11 on: June 20, 2012, 06:45:34 PM »

Quote
Never heard of that and don't know how it's supposed to work. Do you have some links?

An element can be hidden by the .hide() function. Making it automatic is a bit more complicated, but this answer on Stack Overflow has a working code.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #12 on: June 20, 2012, 07:39:47 PM »

That doesn't help, as the message will still be displayed on each page load. Additionally I don't see an advantage if the message hides itself after 1 minute. What we want is that the users concern themselves with that topic and then actively decide if they accept cookies or not.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #13 on: June 29, 2012, 03:46:02 PM »

Please check SVN revision 8454. It adds the album password cookie and makes the "32 bit MD5 hash" string translatable.

papukaija
Re: CPG needs to comply with the new EU cookie Directive
« Reply #14 on: July 18, 2012, 07:07:56 PM »

The new revision works perfectly! Attached is the updated translation.

Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #15 on: July 19, 2012, 04:53:43 PM »

Quote
Attached is the updated translation.

Committed in SVN revision 8474.


Αndré
Re: CPG needs to comply with the new EU cookie Directive
« Reply #17 on: April 18, 2013, 01:25:24 PM »

Please post everything regarding the plugin (contributions, bugs, etc.) in the plugin announcement thread. Thank you.