On 27/05/11 14:18, Hanne Moa wrote: > "From 26th May 2011 websites in the UK need to ask for permission > before they can set cookies not required for ‘essential’ means" > > http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/ > > What cookies in Django are "essential"? When not logged in I see that > the csrf-token cookie is set, and when logged in there's the > session-cookie. Should one strive only to use csrf-protection (and > thus the cookie) only when it is needed? Are there other cookies set > by contrib apps? Should there be something about this in the docs? > "<list> cookies is essential, you need need to get consent for these > other ones: <list>"
As the silktide blog points out [1], the ICO site itself [2] is still setting an ASP.NET session cookie before any 'opt-in', and clearly considers this 'essential'. It is also clearly *not* essential for some users - I could browse the site perfectly well with cookies blocked. So, they obviously consider it 'essential' for technological reasons - they do not have the technological/financial resources to produce a solution that doesn't automatically set a session cookie. On that grounds, we can easily argue the same for our sessions cookies. We can also argue that the CSRF cookie is essential for security reasons. It is also only sent when necessary - if you don't have a form that uses the token, it isn't sent. The only other cookie we send, as far as I know, is the language cookie. My interpretation of what I've read is that a site has to get consent for setting that. In theory I guess a site might need permission any time it puts anything in the session, since that is equivalent to setting a cookie. It's fairly depressing to think about the amount of money wasted by my government and EU government on making/complying with this new law, which will do nothing but waste the time and money of many more people. I'm hoping, however, that the first time this is properly tested in court, the law will be forced to turn into something more rational. Also, the previous set of UK laws regarding cookies were basically ignored by everyone. They apparently stated that you had to: * tell people how you use cookies, and * tell them how they could ‘opt out’ if they objected. I don't think I've been involved with making a site that was compliant with that, and I've never heard about anyone being prosecuted under those laws. Regards, Luke [1] http://blog.silktide.com/2011/05/cookie-law-delayed-for-one-year-first-example-of-new-laws-in-effect/ [2] http://www.ico.gov.uk/ -- "The one day you'd sell your soul for something, souls are a glut." Luke Plant || http://lukeplant.me.uk/ -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.