Why get unregistered forum visitors persistent cookies?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
Post Reply
Knubbi
Registered User
Posts: 81
Joined: Mon Jul 07, 2003 11:55 am

Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Fri Oct 04, 2019 7:39 am

Even if I am not logged in as a user, just by visiting a PHPBB powered forum, it places 3 persistent cookies, each with a 1 week expiration:
2019-10-04_0939.png
Due to latest EU legislation we have to inform visitors about use of cookies and I wonder why a persistent cookie is necessary for visitors.

What are they used for (for non-registered visitors) and can I disable them?

Your help would be very much appreciated.

User avatar
AmigoJack
Registered User
Posts: 5613
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by AmigoJack » Fri Oct 04, 2019 8:09 am

Knubbi wrote:
Fri Oct 04, 2019 7:39 am
I wonder why a persistent cookie is necessary for visitors.
In fact _u and _k aren't necessary for guests, as defaults can be assumed and I have no idea why phpBB's code still acts this way. Lazyness, I guess. The _sid is for the session handling, a common internet practice.

Knubbi wrote:
Fri Oct 04, 2019 7:39 am
What are they used for
Have a read on Re: What is the list of cookies that phpBB uses ? where someone found out years before that users need to be informed.

Knubbi wrote:
Fri Oct 04, 2019 7:39 am
can I disable them?
Yes, thru your internet browser settings. A phpBB installation also works without cookies for guests, but logging in becomes impossible then.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
david63
Registered User
Posts: 16535
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by david63 » Fri Oct 04, 2019 9:31 am

Knubbi wrote:
Fri Oct 04, 2019 7:39 am
Due to latest EU legislation we have to inform visitors about use of cookies
That is not strictly true. You do not have to notify them about cookies that are required for the operation of the site. Whether these are is perhaps the topic for another discussion.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Knubbi
Registered User
Posts: 81
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Fri Oct 04, 2019 10:04 am

Thank you for your reply, but...

1. AFAIK, we need to inform about the necessity and expiration for any cookie used.

2. The "_sid" session cookie does not need to be persistent but just a session cookie (which is deleted after the session). However, PHPBB writes a persistent cookie instead of a session cookie. The problem: Such cookie could be used for tracking. I wish you good luck to explain to a 60yo judge, that you don't. He will simply ask you "ok, so why is it persistent then?! You can use it for tracking and so you probably do and everything you say is a lame excuse". Bam, say farewell to $10k for a lost case.

It would be really great, if cookie use in PHPBB could be cleaned up to avoid unnecessary documentation, thus unnecessary confusion and/or risk of legal issues.

Reading all the topics about gdpr and cookiea and the loose way, PHPBB uses cookies, I have the feeling, that the PHPBB staff is widely unaware of the strict legal requirements. I am not defending the ridiculousness of strange legislation at all but we have to act correspondingly to avoid legal issues.

At least in Germany, it seems to quite a game to sue others for the tiniest infringement of overly formal requirements. The recent highest EU court decision is the best example: The lawsuit debated whether the cookie consent notice itself has to inform about the lifetime of a cookie (it now has to!) and if the cookie consent check box can be checked by default (it must not!).

Such topics make many highly paid adults spending much time and piles of paper in reality. Please help us avoiding it.

User avatar
david63
Registered User
Posts: 16535
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by david63 » Fri Oct 04, 2019 10:10 am

phpBB has by default a Cookie notice which the Management of phpBB believe covers the legal requirement (I will not start a discussion about that here as it has been "done to death" in several other topics). There are also several extensions (one of which is mine) that deal with GDPR compliance.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Knubbi
Registered User
Posts: 81
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Fri Oct 04, 2019 10:20 am

If you read the EU court decision you would find that any such cookie consent notification is not sufficient anymore:
https://www.thedrum.com/news/2019/10/02 ... under-gdpr

The sheer number of debates could give you an indication that there are issues with PHPBB in this regard, but you have the right not to care about it.

Back to track: PHPBB uses cookies in an unnecessary way. What would be the best place for a dev suggesting to fix that, please?

User avatar
david63
Registered User
Posts: 16535
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by david63 » Fri Oct 04, 2019 10:36 am

Knubbi wrote:
Fri Oct 04, 2019 10:20 am
If you read the EU court decision you would find that any such cookie consent notification is not sufficient anymore:
That form of consent is not present in either phpBB default nor any of the extensions that I have seen. Since 2018 consent has been explicit not implicit and has complied with that ruling.
Knubbi wrote:
Fri Oct 04, 2019 10:20 am
but you have the right not to care about it.
Please not not make assertions that you know nothing about. If I did not care about it then I would not have spent three months of my life creating the extension that I did.
Knubbi wrote:
Fri Oct 04, 2019 10:20 am
What would be the best place for a dev suggesting to fix that,
Report it in the Bug Tracker
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Knubbi
Registered User
Posts: 81
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Fri Oct 04, 2019 10:52 am

No offense intented. I thank you for your efforts. I tried the cookie consent related extensions but AFAIK, any of them fulfills the requirements of the recent EU ruling anymore. An "OK" button is not sufficient. Not telling about the cookie lifetime is not sufficient. Writing a cookie before getting a clear confirmation by the user is not sufficient. I hope we can agree on that.

Of course, nobody can be blame for that as it is a brand new court decision and I am convinced that it will be looked into it.

I will file a suggestion regarding the actual issue how PHPBB uses cookies. Thank you for your time.

Post Reply

Return to “phpBB Discussion”