Why get unregistered forum visitors persistent cookies?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
User avatar
warmweer
Registered User
Posts: 3055
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Why get unregistered forum visitors persistent cookies?

Post by warmweer » Mon Oct 21, 2019 11:19 am

Knubbi wrote:
Mon Oct 21, 2019 10:48 am
Do you mix up persistent cookies to store a session vs a session cookie (that is deleted with closing the browser)?
AFAIK (but I may be wrong about this - not my field of expertise at all) cookies (including persistent) are deleted when closing the browser only if that is specifically selected in the browser. If that option is not selected, then cookie_lifetime comes into play (and I think, not sure).
The year is 2192. The British Prime Minister visits Brussels to ask for an extension of the Brexit deadline. No one remembers where this tradition originated, but every year it attracts many tourists from all over the world.

Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Mon Oct 21, 2019 12:01 pm

Persistent cookies are persistent. That it is why they are named as such.

Users can optionally configure their browser to flush any cookie on exit but very smart judges in the EU prefer to make every single website owner repsonsible for it. It is to their favor: If they would have taken the easy route and request from the few browser maker to delete cookies on exit by default, only 3-5 companies would be involved. How boring this would be for a smart EU judge as they can keep hundreds of thousands of webmasters busy with their ideas. On top, lawyers never get bored neither.

User avatar
warmweer
Registered User
Posts: 3055
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Why get unregistered forum visitors persistent cookies?

Post by warmweer » Mon Oct 21, 2019 12:06 pm

Knubbi wrote:
Mon Oct 21, 2019 12:01 pm
If they would have taken the easy route and request from the few browser maker to delete cookies on exit by default, only 3-5 companies would be involved.
That would be a stupid idea because it would force users to log in each time after closing their browser.
The year is 2192. The British Prime Minister visits Brussels to ask for an extension of the Brexit deadline. No one remembers where this tradition originated, but every year it attracts many tourists from all over the world.

User avatar
AmigoJack
Registered User
Posts: 5642
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by AmigoJack » Mon Oct 21, 2019 12:12 pm

warmweer wrote:
Mon Oct 21, 2019 11:19 am
... not my field of expertise ... only if ... not sure
I'm not sure how your reply should help in any way.

RFC 2109, 4.3.1 defines: "Max-Age: The default behavior is to discard the cookie when the user agent exits." Which means: only cookies not using the "Max-Age" parameter are session-only cookies (the user agent session: if you exit your web browser, the session is over and so the live of such cookies), while all others are (although never named as such) persistent (unbound to if they persist for 5 seconds or 5 years).

RFC 2109, 4.3.3 amends: "User agents should allow the user to control cookie destruction. ... One possible implementation would be an interface that allows the permanent storage of a cookie through a checkbox (or, conversely, its immediate destruction)." Which means: if the person using the web browser is unable to delete cookies on his own he should ask himself why he's using that web browser. Likewise a person might opt to let cookies live longer than they were meant to.

Hopefully now people understand the different types of cookies. Gladly Flash is extinct by now, otherwise there'd be even more mix-ups.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Mon Oct 21, 2019 12:18 pm

warmweer wrote:
Mon Oct 21, 2019 12:06 pm
That would be a stupid idea because it would force users to log in each time after closing their browser.
Yes, indeed, you nailed it. It is equally stupid as prompting every user on every webpage to agree to the obvious.

But it is pointless to debate that -It's the law.

User avatar
warmweer
Registered User
Posts: 3055
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Why get unregistered forum visitors persistent cookies?

Post by warmweer » Mon Oct 21, 2019 12:21 pm

AmigoJack wrote:
Mon Oct 21, 2019 12:12 pm
I'm not sure how your reply should help in any way.
It wasn't meant as help (not sure how you got that impression).
Just expressing my thoughts in a way which could result in some replies that could give me some more insight (read as: enlighten me).
Successfully, I may add.
The year is 2192. The British Prime Minister visits Brussels to ask for an extension of the Brexit deadline. No one remembers where this tradition originated, but every year it attracts many tourists from all over the world.

User avatar
AmigoJack
Registered User
Posts: 5642
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by AmigoJack » Mon Oct 21, 2019 12:22 pm

Knubbi wrote:
Mon Oct 21, 2019 12:18 pm
warmweer wrote:
Mon Oct 21, 2019 12:06 pm
it would force users to log in each time after closing their browser.
Yes, indeed
For a second I thought you really meant a setting, so when web browser users start to get annoyed by having all cookies deleted with each exit they would start looking at the settings and define exclusions or turn it off entirely. It's the old "opt in" versus "opt out" debate - but by default does not imply not having a setting to adjust it.

Knubbi wrote:
Mon Oct 21, 2019 12:18 pm
It's the law.
No, as stated before: technical/non-personal cookies are still allowed. Link to a source that proves your argument.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Knubbi
Registered User
Posts: 91
Joined: Mon Jul 07, 2003 11:55 am

Re: Why get unregistered forum visitors persistent cookies?

Post by Knubbi » Mon Oct 21, 2019 12:43 pm

As you asked for it, GDPR Article 5, 1.

(c):

"Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');"

and (e):

"Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (..)"

Given those requirement, there is no point to store a persistent cookie if the user does not log in and agrees to have the forum memorize the log in state.

User avatar
AmigoJack
Registered User
Posts: 5642
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by AmigoJack » Mon Oct 21, 2019 1:11 pm

I asked for a link, not mere text - linking ensures to verify given texts and exclude potential misunderstandings having emerged by omitting essential parts.

Article 4 ("Definitions"), number (1) defines:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I have to disappoint you: phpBB's session ID (and by default PHP's session IDs, too) do not identify a person - they just identify a ...well... session. It nowhere carries i.e. your name or IP address.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
kinerity
Community Team Member
Community Team Member
Posts: 2387
Joined: Mon Sep 01, 2014 1:00 am
Location: sudo rm -rf /
Name: Kailey Truscott
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by kinerity » Tue Oct 22, 2019 11:54 am

I've split off the unnecessary posts since they added no value to the discussion. Please consider the rules of respectful posting and keep the discussion centered on the topic at hand. Thank you! :)
Kailey Truscott - Community Team

User avatar
Talk19Zehn
Registered User
Posts: 408
Joined: Tue Aug 09, 2011 1:10 pm
Contact:

Re: Why get unregistered forum visitors persistent cookies?

Post by Talk19Zehn » Wed Oct 23, 2019 3:28 pm

Hello Knubbi, currently necessary cookies in the phpBB forum
As far as I know:
  • phpbb3 _k is used to use the automatic login service.
  • phpbb3 _sid contains the session ID. This cookie, in association with phpbb3 _u, identifies the member to enable services based on user-related rights.
  • phpbb3 _u creates the user ID of the user.
  • phpbb3 _style creates the style ID for the user.
  • phpbb3 _track allows you to mark read / unread posts for guests.
In addition, data can be collected, for examples:
Google reCAPTCHA, Analytics | reCAPTCHA, Google fonts are based and so on and so on. Of course, these and other cookies must be mentioned so that the visitor or user can decide whether to give consent, so that he can act.
The operator has no influence on that, as we do not know in what way and above all how the configuration was determined by the user or guest in the browser behavior.

If someone banally (simply) click "Agree", he may have simply already lost (?) if the privacy policy has not been read (?). Because data collections on some websites are obviously popular ..., - a misuse of some operators, the software can not in principle "kill".

The privacy policy must contain all references to the cookie behavior and this does not require any question in order to move to a more legally secure way.
Unless great uncertainty prevails: My advice would be to ask a lawyer of trust to make your page (s) / subpage (s) more secure.

Regards
World Meteorological Organization (WMO) Weather - Climate - Water
phpBB Advent calendar: sought and found ..
BTW: My own works - phpBB - read more: ongray-design-de or look here: phpBB VT Theme
Style: Star Trek - StarTrekExcerpts - Fan-Board

Post Reply

Return to “phpBB Discussion”