On 31/10/2018 at 16:32, Jacques Le Roux wrote:
With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as
autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently
do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is,
because AFAIK we use only first-party cookies[1] but the problem seems to be their durations: one year.
[1]
https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
I re-read the above and Benjamin's copy from "WP29pdf".
It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any
of these categories, and we don't inform the visitor about these cookies.
Deepak's proposition in OFBIZ-10639 does not allow one not to consent. But I guess in this case it's the user's responsibility to quit the site before
logging in and so we are covered.
Please chime in if you disagree.
Jacques