Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2019/06/15 09:54:01 UTC

Re: Cookie Consent In E-Commerce

On 31/10/2018 at 16:32, Jacques Le Roux wrote:
> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as 
> autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
>
> I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently 
> do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is, 
> because AFAIK we use only first-party cookies[1] but the problem seems to be their durations: one year.
>
> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies

I re-read the above and Benjamin's copy from "WP29pdf".

It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any of these categories, and we don't inform the visitor about these cookies.
Deepak's proposition in OFBIZ-10639 does not allow one to not consent. But I guess in this case it's the user's responsibility to quit the site before 
logging in and so we are covered.

Please chime in if you disagree.

Jacques


Re: Cookie Consent In E-Commerce

Posted by Jacques Le Roux <ja...@les7arts.com>.
On 15/06/2019 at 11:54, Jacques Le Roux wrote:
> On 31/10/2018 at 16:32, Jacques Le Roux wrote:
>> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as 
>> autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
>>
>> I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They 
>> inherently do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue 
>> as is, because AFAIK we use only first-party cookies[1] but the problem seems to be their durations: one year.
>>
>> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> I re-read the above and Benjamin's copy from "WP29pdf".
>
> It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any of these categories, and we don't inform the visitor about these 
> cookies.
> Deepak's proposition in OFBIZ-10639 does not allow one to not consent. But I guess in this case it's the user's responsibility to quit the site before 
> logging in and so we are covered.
>
> Please chime in if you disagree.
>
> Jacques
>
>
Only the stupid never change their minds. I'd finally prefer that we force users to make a choice (accept cookies or not) before letting them in.

Jacques