Posted to dev@ofbiz.apache.org by Deepak Nigam <de...@gmail.com> on 2018/11/01 09:32:53 UTC

Re: Cookie Consent In E-Commerce

Thanks, Benjamin, Jacques.

Definitely, we will move forward only after studying OFBiz cookies in
depth. I just put forward the initial thought that came to my mind.



On Wed, Oct 31, 2018 at 9:03 PM Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Thanks Deepak, Benjamin,
>
> We are indeed only concerned by the ecommerce webapps (both ecommerce and
> ecomse). They are the only ones that are public. The backend applications
> should not be concerned.
>
> Actually, in ecommerce webapps, we use technical cookies: JSESSIONID,
> possibly cookie.domain and maybe jstree* ones. I believe they all fall in
> the exempt cases.
>
> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While
> doing so I spotted that securedLoginId has the same duration (1 year) as
> autoUserLoginId. I have reduced it to the browser session so it also falls
> in the exempt cases. I'll commit that very soon.
>
> I have not read all the details but I believe the only ones we should
> think about are the autoUserLoginId and OFBiz.Visitor cookies. They
> inherently do not contain party data, but from the visitorId or userLoginId
> fields it's possible to get to the party data. Not sure it's an issue as is,
> because AFAIK we use only first‑party cookies[1] but the problem seems to be
> their durations: one year.
>
> [1]
> https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> Jacques
>
> On 31/10/2018 at 14:05, Benjamin Jugl wrote:
> > Hello all,
> >
> > just before you go in head over heels, please consider the following:
> >
> >    "However, some cookies are exempt from this requirement. Consent is
> >    not required if the cookie is:
> >
> >      * used for the sole purpose of carrying out the transmission of a
> >        communication, and
> >      * strictly necessary in order for the provider of an information
> >        society service explicitly required by the user to provide that
> >        service.
> >
> >    Cookies clearly exempt from consent according to the EU advisory
> >    body on data protection - WP29
> >    <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf>
> >    include:
> >
> >      * *user‑input* cookies (session-id) such as first‑party cookies to
> >        keep track of the user's input when filling online forms,
> >        shopping carts, etc., for the duration of a session or
> >        persistent cookies limited to a few hours in some cases
> >      * *authentication* cookies, to identify the user once he has
> >        logged in, for the duration of a session
> >      * *user‑centric security* cookies, used to detect authentication
> >        abuses, for a limited persistent duration
> >      * *multimedia content player* cookies, used to store technical
> >        data to play back video or audio content, for the duration of a
> >        session
> >      * *load‑balancing* cookies, for the duration of session
> >      * *user‑interface customisation* cookies such as language or font
> >        preferences, for the duration of a session (or slightly longer)
> >      * *third‑party social plug‑in content‑sharing* cookies, for
> >        logged‑in members of a social network."
> >
> > (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
> >
> > Does OFBiz even set other cookies? If yes, for what are they needed?
> >
> > Kind regards, Benjamin Jugl
> >
> >
> >
> > On 31.10.18 13:11, Deepak Nigam wrote:
> >> Hello All,
> >>
> >> The Cookie Law is a piece of privacy legislation that requires websites
> >> to get consent from visitors to store or retrieve any information on
> >> their computer, smartphone or tablet. It was designed to protect online
> >> privacy, by making consumers aware of how information about them is
> >> collected and used online, and give them a choice to allow it or not.
> >>
> >> The EU Cookie Legislation began as a directive from the European Union.
> >> Some variation on the policy has since been adopted by all countries
> >> within the EU.
> >>
> >> The EU Cookie Legislation requires 4 actions from website owners who use
> >> cookies:
> >> 1. When someone visits your website, you need to let them know that your
> >> site uses cookies.
> >> 2. You need to provide detailed information regarding how that cookie
> >> data will be utilized.
> >> 3. You need to provide visitors with some means of accepting or refusing
> >> the use of cookies in your site.
> >> 4. If they refuse, you need to ensure that cookies will not be placed on
> >> their machine.
> >>
> >> For more information about EU cookie policy, please visit here
> >> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
> >>
> >> As this crucial feature is missing in OFBiz E-Commerce application, we
> >> should work towards its implementation. There are numerous open-source
> >> jQuery plugins available which we can use. Thoughts?
> >>
> >>
> >> Thanks & Regards
> >> --
> >> Deepak Nigam
> >> HotWax Systems Pvt. Ltd.
> >>
> >
> >
>
>
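
Added example (not part of the original thread and not OFBiz code): a small audit that parses Set-Cookie headers and reports which cookies are session-only and which persist, since the thread singles out the one-year duration of autoUserLoginId and OFBiz.Visitor. The cookie names come from the thread; the header values, paths and attributes, the reference date and the one-day review threshold are constructed assumptions.

```javascript
// Added example: constructed Set-Cookie headers, not captured from OFBiz.
const SAMPLE_HEADERS = [
  "JSESSIONID=A1B2C3.jvm1; Path=/ecommerce; Secure; HttpOnly",
  "securedLoginId=demo; Path=/ecommerce; Secure; HttpOnly",
  "autoUserLoginId=demo; Max-Age=31536000; Path=/ecommerce; Secure; HttpOnly",
  "OFBiz.Visitor=10000; Expires=Thu, 31 Oct 2019 09:00:00 GMT; Path=/",
];

// Assumed review threshold: anything persisting longer than this is reported.
const REVIEW_THRESHOLD_SECONDS = 24 * 60 * 60;

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error(`malformed cookie pair: ${pair}`);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Seconds until expiry, or null for a session cookie; Max-Age wins over Expires (RFC 6265).
function lifetimeSeconds(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) return Math.max(0, Number(maxAge));
  if (typeof expires === "string") {
    const t = Date.parse(expires);
    if (!Number.isNaN(t)) return Math.max(0, Math.round((t - now.getTime()) / 1000));
  }
  return null;
}

function auditCookies(headers, now, threshold = REVIEW_THRESHOLD_SECONDS) {
  return headers.map(parseSetCookie).map((c) => {
    const seconds = lifetimeSeconds(c, now);
    return {
      name: c.name,
      kind: seconds === null ? "session" : "persistent",
      days: seconds === null ? null : Math.round(seconds / 86400),
      needsReview: seconds !== null && seconds > threshold,
    };
  });
}

console.log(auditCookies(SAMPLE_HEADERS, new Date("2018-10-31T09:00:00Z")).filter((r) => r.needsReview));
```

Feeding it the Set-Cookie headers actually returned by the public webapps gives the list of cookies whose duration needs a decision before a consent banner is designed.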

Re: Cookie Consent In E-Commerce

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi,

Deepak has provided a working patch where he removed the 'Customized Cookies' feature of https://github.com/ketanmistry/ihavecookies

To compare, apply the patch (directly on the ecommerce component for now), load ecommerce in OFBiz and compare with https://iamketan.com.au/

I'm unsure it would be helpful, but shouldn't our users be able to have all the features by default?

Thanks

Jacques

On 05/11/2018 at 05:43, Deepak Nigam wrote:
> FYI, here is the Jira ticket
> <https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion
> and research.

Re: Cookie Consent In E-Commerce

Posted by Deepak Nigam <de...@gmail.com>.
FYI, here is the Jira ticket
<https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion
and research.