forum.coppermine-gallery.net

Support => cpg1.5.x Support => cpg1.5 miscellaneous => Topic started by: papukaija on May 25, 2012, 03:50:16 pm

Title: CPG needs to comply with the new EU cookie Directive
Post by: papukaija on May 25, 2012, 03:50:16 pm
The EU Cookie Directive (Directive 2009/136/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32009L0136:EN:NOT)) is an amendment of the Directive 2002/58/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT), which concerns the protection of data and privacy on the web. The Article 5.3 states the following on the use of cookies:

Quote
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.;

The new UK law based on the above Directive will become effective from tomorrow. As a live example, check out the ico.gov.uk (http://ico.gov.uk) which displays a top banner asking for allowing cookies.

It's clear that the cookies used by CPG don't fall under the category of "strictly necessary" expect the login status. Settings options in a cookie, like album sortings, toggling of picture's info box, language,etc need a consent from the user. As of now CPG doesn't not ask my permission to set a cookie and is thus illegal in the EU.

Fixing this bug (I consider legal issues as bugs and not feature requests):
Investigate whether a cookie is really needed for non-login status related features, if:

Until this bug is fixed I need to ask my site's visitors' permission for the cookies just because of CPG, as all other software on my site is fixed or in the process of being fixed.

This Directive is a nightmare for web developers but the law is the law.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on May 29, 2012, 03:05:58 pm
Adding such a check shouldn't be that hard, but I think it's currently not possible to do it with a plugin.

I assume adding a new function like cpg_setcookie, which adds some additional checks and shows something like your example site will be the best solution.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on May 29, 2012, 04:49:41 pm
Prepared code for user cookie consent in SVN revision 8433. Now we just need a plugin that displays a message like ico.gov.uk if the "accept cookies" cookie is not set which does something like
Code: [Select]
setcookie($CONFIG['cookie_name'].'_accept_cookies', true, time() + (CPG_WEEK*52), $CONFIG['cookie_path']);on consent.

I'll create it as soon as possible, probably tomorrow.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 01, 2012, 12:15:44 pm
Changed the approach and cookie name in SVN revision 8439. Coppermine now checks for the cookie name $CONFIG['cookie_name'].'_cookies_allowed'
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 01, 2012, 12:47:39 pm
Plugin (still in development) can be found here (http://coppermine.svn.sourceforge.net/viewvc/coppermine/branches/cpg1.5.x/plugins/cookie_consent/).
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 01, 2012, 05:09:01 pm
Feel free to test the plugin, as far as I can tell it already works as expected. Don't forget to apply the above mentioned changes from the SVN repository and then update your Coppermine database (update.php). Additionally, you have to replace
Code: [Select]
$plugin_cpg_version = array('min' => '1.5.22');with
Code: [Select]
$plugin_cpg_version = array('min' => '1.5.20');in configuration.php to be able to install the plugin at the plugin manager.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: papukaija on June 02, 2012, 05:04:34 pm
Thank you for working on this so quickly and making a great plugin. There's just few things that I'd change. Firstly, the session cookies fall IMO under the category of "strictly necessary" (UK's ICO consider shopping baskets, etc as part of this category too) so I think it's safe to exclude them from the consent as otherwise the login won't work. Or is the session cookie used for something else than just the login status?

I also noticed that you're going to add some kind of "don't show this message again" link. For a short-run fix, what about a jQuery hide link or auto-hide (in 1 minute, for example)? I've also noticed that some websites remember the hidden status of the consent box and thus denial of cookies by a cookie... Finally, is it possible to make the "32 bit MD5 hash" translateable?

Otherwise, the plugin works very well. I've attached the Finnish translation to this message.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 20, 2012, 09:04:42 am
the session cookies fall IMO under the category of "strictly necessary" (UK's ICO consider shopping baskets, etc as part of this category too) so I think it's safe to exclude them from the consent as otherwise the login won't work.
For public accessible galleries the session cookie isn't necessary to provide the service IMHO. I'm no lawyer and I don't see a reason why we should care about users who fear cookies.


a jQuery hide link or auto-hide (in 1 minute, for example)?
Never heard of that and don't know how it's supposed to work. Do you have some links?


is it possible to make the "32 bit MD5 hash" translateable?
Sure. But maybe someone has also a better (= less technically) explanation in general, like "32 digits string"?


Thank you for your contribution.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Phill Luckhurst on June 20, 2012, 11:02:23 am
My personal take on this is it is not up to the application providor to provide the warning messages or checks. You as the webmaster should decide on your take on this and how you want to warn or deal with the cookies. IMHO, we should provide a list of cookies we set and what they do but that is as far as it should go.

This is especially so as CPG is often only a part of a website, not the whole website. In that instance we do not need a warning for each application the website loads. Not trying to put down what Andre is creating here with a plugin, that is a great idea. I just think that it should not be part of the core nore should CPG be under any obligation to provide scripts to advise users regarding the new laws. There are hundreds of free scripts to provide the message for you which you simply need to add to your theme if required.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 20, 2012, 11:44:50 am
As far as I understand that directive nobody is allowed to store cookies without the users' consent. It's too late to display a message with your theme, as Coppermine already created at least 2 cookies at that point (the session cookie and the data cookie). It's up to the webmaster if he wants to use the plugin (which disables all Coppermine core cookies by default), display a message via the theme engine, use a separate page before the Coppermine gallery is displayed or ignore the directive generally.

I think we should provide a possibility to comply the EU directive (e.g. for Coppermine gallery-only websites and people who don't want to mess with that stuff themselves), especially as the plugin in combination with the code change already works.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Phill Luckhurst on June 20, 2012, 01:57:20 pm
I think we are working towards the same aim Andre, a plugin that users can choose to use or not. What is also interesting to note is a) how few sites have yet to comply and b) how many of those sites that suggest they comply actually do not as many place cookies before passing on the message especially things like GA etc.

Not exactly well thought through this new law but that is a discussion to be held elsewhere.
Title: Re: Re: CPG needs to comply with the new EU cookie Directive
Post by: papukaija on June 20, 2012, 06:45:34 pm
Never heard of that and don't know how it's supposed to work. Do you have some links?
An element can be hidden by the .hide() (http://api.jquery.com/hide/) function. Making it automatic is a bit more complicated, but this answer  (http://stackoverflow.com/a/683372)on Stack Overflow has a working code.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 20, 2012, 07:39:47 pm
That doesn't help, as the message will still be displayed on each page load. Additionally I don't see an advantage if the message hides itself after 1 minute. What we want is that the users concern themselves with that topic and then actively decide if they accept cookies or not.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on June 29, 2012, 03:46:02 pm
Please check SVN revision 8454. It adds the album password cookie and made the "32 bit MD5 hash" string translatable.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: papukaija on July 18, 2012, 07:07:56 pm
The new revision works perfectly! Attached is the updated translation.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on July 19, 2012, 04:53:43 pm
Attached is the updated translation.

Committed in SVN revision 8474.
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on April 18, 2013, 10:02:45 am
Plugin announcement thread (http://forum.coppermine-gallery.net/index.php/topic,76197.msg367763.html#msg367763).
Title: Re: CPG needs to comply with the new EU cookie Directive
Post by: Αndré on April 18, 2013, 01:25:24 pm
Please post everything regarding the plugin (contributions, bugs, etc.) in the plugin announcement thread. Thank you.