Thanks Deepak, Benjamin,

We are indeed only concerned by the ecommerce webapps (both ecommerce and ecomse). They are the only ones to be public. The backend applications should not be concerned.

Actually, in ecommerce webapps, we use technical cookies: JSESSIONID, possibly cookie.domain and maybe jstree* ones. I believe they all fall in the exempt cases.

With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.

I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is, because AFAIK we use only first‑party cookies[1] but the problem seems to be their durations: one year.

[1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies

Jacques

On 31/10/2018 at 14:05, Benjamin Jugl wrote:
Hello all,

just before you go in head over heels, please consider the following:

   "However, some cookies are exempt from this requirement. Consent is
   not required if the cookie is:

     * used for the sole purpose of carrying out the transmission of a
       communication, and
     * strictly necessary in order for the provider of an information
       society service explicitly required by the user to provide that
       service.

   Cookies clearly exempt from consent according to the EU advisory
   body on data protection, WP29
   <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf>,
   include:

     * *user‑input* cookies (session-id) such as first‑party cookies to
       keep track of the user's input when filling online forms,
       shopping carts, etc., for the duration of a session or
       persistent cookies limited to a few hours in some cases
     * *authentication* cookies, to identify the user once he has
       logged in, for the duration of a session
     * *user‑centric security* cookies, used to detect authentication
       abuses, for a limited persistent duration
     * *multimedia content player* cookies, used to store technical
       data to play back video or audio content, for the duration of a
       session
     * *load‑balancing* cookies, for the duration of session
     * *user‑interface customisation* cookies such as language or font
       preferences, for the duration of a session (or slightly longer)
     * *third‑party social plug‑in content‑sharing* cookies, for
       logged‑in members of a social network."

(http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)

Does OFBiz even set other cookies? If yes, for what are they needed?

Kind regards, Benjamin Jugl



On 31.10.18 13:11, Deepak Nigam wrote:
Hello All,

The Cookie Law is a piece of privacy legislation that requires websites to
get consent from visitors to store or retrieve any information on their
computer, smartphone or tablet. It was designed to protect online privacy,
by making consumers aware of how information about them is collected and
used online, and give them a choice to allow it or not.

The EU Cookie Legislation began as a directive from the European Union.
Some variation on the policy has since been adopted by all countries within
the EU.

The EU Cookie Legislation requires 4 actions from website owners who use
cookies:
1. When someone visits your website, you need to let them know that your
site uses cookies.
2. You need to provide detailed information regarding how that cookie data
will be utilized.
3. You need to provide visitors with some means of accepting or refusing
the use of cookies in your site.
4. If they refuse, you need to ensure that cookies will not be placed on
their machine.

For more information about EU cookie policy, please visit here
<http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.

As this crucial feature is missing in OFBiz E-Commerce application, we
should work towards its implementation. There are numerous open-source
jQuery plugins available which we can use. Thoughts?


Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.
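
An added example, not part of the thread or of OFBiz's own code: a check over `Set-Cookie` headers that separates session cookies from persistent ones, the distinction Jacques's reply at the top draws between securedLoginId and the one-year autoUserLoginId and OFBiz.Visitor cookies. The header values, the attribute choices and the 24-hour review threshold are assumptions constructed for the example.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (placeholder values, not captured from a real
# OFBiz instance). Only the cookie names come from the thread.
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123.jvm1; Path=/ecommerce; Secure; HttpOnly",
    "securedLoginId=demo; Path=/ecommerce; Secure; HttpOnly",
    "autoUserLoginId=demo; Max-Age=31536000; Path=/ecommerce; Secure; HttpOnly",
    "OFBiz.Visitor=10000; Expires=Thu, 31 Oct 2019 13:05:00 GMT; Path=/",
]

# Assumption: lifetime above which a cookie is listed for review.
MAX_PERSISTENT_SECONDS = 24 * 3600


def cookie_lifetime(header, now):
    """Return (name, lifetime in seconds); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # RFC 6265: an unparsable Max-Age is ignored
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                pass  # an unparsable Expires is ignored as well
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, max(max_age, 0)
    if expires is not None:
        if expires.tzinfo is None:  # treat a zone-less date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return name, max(int((expires - now).total_seconds()), 0)
    return name, None  # neither attribute: cookie ends with the browser session


def audit(headers, now):
    """List (name, lifetime) for cookies that persist beyond the threshold."""
    found = (cookie_lifetime(h, now) for h in headers)
    return [(n, t) for n, t in found if t is not None and t > MAX_PERSISTENT_SECONDS]
```

`now` must be a timezone-aware `datetime`; run against the headers an ecommerce webapp actually returns, the result is the list of cookies whose duration needs a decision.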



