Hello All,
The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on their computer, smartphone or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and give them a choice to allow it or not.

The EU Cookie Legislation began as a directive from the European Union. Some variation on the policy has since been adopted by all countries within the EU.

The EU Cookie Legislation requires 4 actions from website owners who use cookies:
1. When someone visits your website, you need to let them know that your site uses cookies.
2. You need to provide detailed information regarding how that cookie data will be utilized.
3. You need to provide visitors with some means of accepting or refusing the use of cookies in your site.
4. If they refuse, you need to ensure that cookies will not be placed on their machine.

For more information about EU cookie policy, please visit here <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.

As this crucial feature is missing in OFBiz E-Commerce application, we should work towards its implementation. There are numerous open-source jQuery plugins available which we can use. Thoughts?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.
Hello all,
just before you go in head over heels, please consider the following:

"However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

* used for the sole purpose of carrying out the transmission of a communication, and
* strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29pdf <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf> include:

* *user‑input* cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
* *authentication* cookies, to identify the user once he has logged in, for the duration of a session
* *user‑centric security* cookies, used to detect authentication abuses, for a limited persistent duration
* *multimedia content player* cookies, used to store technical data to play back video or audio content, for the duration of a session
* *load‑balancing* cookies, for the duration of session
* *user‑interface customisation* cookies such as language or font preferences, for the duration of a session (or slightly longer)
* *third‑party social plug‑in content‑sharing* cookies, for logged‑in members of a social network."

(http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)

Does OFBiz even set other cookies? If yes, for what are they needed?

Kind regards, Benjamin Jugl

On 31.10.18 13:11, Deepak Nigam wrote:
> Hello All,
>
> The Cookie Law is a piece of privacy legislation that requires websites to
> get consent from visitors to store or retrieve any information on their
> computer, smartphone or tablet. It was designed to protect online privacy,
> by making consumers aware of how information about them is collected and
> used online, and give them a choice to allow it or not.
>
> The EU Cookie Legislation began as a directive from the European Union.
> Some variation on the policy has since been adopted by all countries within
> the EU.
>
> The EU Cookie Legislation requires 4 actions from website owners who use
> cookies:
> 1. When someone visits your website, you need to let them know that your
> site uses cookies.
> 2. You need to provide detailed information regarding how that cookie data
> will be utilized.
> 3. You need to provide visitors with some means of accepting or refusing
> the use of cookies in your site.
> 4. If they refuse, you need to ensure that cookies will not be placed on
> their machine.
>
> For more information about EU cookie policy, please visit here
> <http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm>.
>
> As this crucial feature is missing in OFBiz E-Commerce application, we
> should work towards its implementation. There are numerous open-source
> jQuery plugins available which we can use. Thoughts?
>
> Thanks & Regards
> --
> Deepak Nigam
> HotWax Systems Pvt. Ltd.
Thanks Deepak, Benjamin,
We are indeed only concerned by the ecommerce webapps (both ecommerce and ecomse). They are the sole to be public. The backend applications should not be concerned.

Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID, possibly cookie.domain and maybe jstree* ones. I believe they all fall in the exempt cases.

With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.

I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is, because AFAIK we use only first‑party cookies[1] but the problem seems to be their durations: one year.

[1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies

Jacques

On 31/10/2018 at 14:05, Benjamin Jugl wrote:
> Hello all,
>
> just before you go in head over heels, please consider the following:
>
> "However, some cookies are exempt from this requirement. Consent is
> not required if the cookie is:
>
> * used for the sole purpose of carrying out the transmission of a
>   communication, and
> * strictly necessary in order for the provider of an information
>   society service explicitly required by the user to provide that
>   service.
>
> Cookies clearly exempt from consent according to the EU advisory
> body on data protection- WP29pdf
> <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf> include:
>
> * *user‑input* cookies (session-id) such as first‑party cookies to
>   keep track of the user's input when filling online forms,
>   shopping carts, etc., for the duration of a session or
>   persistent cookies limited to a few hours in some cases
> * *authentication* cookies, to identify the user once he has
>   logged in, for the duration of a session
> * *user‑centric security* cookies, used to detect authentication
>   abuses, for a limited persistent duration
> * *multimedia content player* cookies, used to store technical
>   data to play back video or audio content, for the duration of a
>   session
> * *load‑balancing* cookies, for the duration of session
> * *user‑interface customisation* cookies such as language or font
>   preferences, for the duration of a session (or slightly longer)
> * *third‑party social plug‑in content‑sharing* cookies, for
>   logged‑in members of a social network."
>
> (http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
>
> Does OFBiz even set other cookies? If yes, for what are they needed?
>
> Kind regards, Benjamin Jugl
Thanks, Benjamin, Jacques.
Definitely, we will move forward only after studying OFBiz cookies in depth. I just put the initial thought that came to my mind.

On Wed, Oct 31, 2018 at 9:03 PM Jacques Le Roux <[hidden email]> wrote:
> Thanks Deepak, Benjamin,
>
> We are indeed only concerned by the ecommerce webapps (both ecommerce and
> ecomse). They are the sole to be public. The backend applications should
> not be concerned.
>
> Actually, in ecommerce webapps, we use technical cookies: JSSESSIONID,
> possibly cookie.domain and maybe jstree* ones. I believe they all fall in
> the exempt cases.
>
> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While
> doing so I spotted that securedLoginId has the same duration (1 year) as
> autoUserLoginId. I have reduced it to the browser session so it also falls
> in the exempt cases. I'll commit that very soon.
>
> I have not read all the details but I believe the only ones we should
> think about are the autoUserLoginId and OFBiz.Visitor cookies. They
> inherently do not contain party data, but from the visitorId or userLoginId
> fields it's possible to get to the party data. Not sure it's an issue as is,
> because AFAIK we use only first‑party cookies[1] but the problem seems to be
> their durations: one year.
>
> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> Jacques
FYI, here is the Jira ticket <https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion and research.

On Thu, Nov 1, 2018 at 3:02 PM Deepak Nigam <[hidden email]> wrote:
> Thanks, Benjamin, Jacques.
>
> Definitely, we will move forward only after studying OFBiz cookies in
> depth. I just put the initial thought that came to my mind.
On 31/10/2018 at 16:32, Jacques Le Roux wrote:
> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as
> autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
>
> I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They inherently
> do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue as is,
> because AFAIK we use only first‑party cookies[1] but the problem seems to be their durations: one year.
>
> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies

I re-read the above and Benjamin's copy from "WP29pdf".

It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any of these categories, and we don't inform the visitor about these cookies.
Deepak's proposition in OFBIZ-10639 does not allow to not consent. But I guess in this case it's the user's responsibility to quit the site before logging in and so we are covered.

Please chime in if you disagree

Jacques
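An added example (not from the thread and not OFBiz code): a Node.js audit of `Set-Cookie` headers that separates session cookies from persistent ones, the distinction the messages above draw between the session-scoped securedLoginId and the one-year autoUserLoginId and OFBiz.Visitor cookies. The exemption table and the sample header values and paths are constructed assumptions; JSESSIONID is the standard servlet session cookie name.

```javascript
'use strict';

// Hypothetical exemption table (an assumption drawn from the thread's reading of
// WP29, not OFBiz configuration): cookie name -> longest lifetime in seconds that
// still counts as consent-exempt. 0 means "browser session only".
const EXEMPT_POLICY = new Map([
  ['JSESSIONID', 0],      // servlet container session id
  ['securedLoginId', 0],  // reduced to the browser session per the thread
]);

// Parse one Set-Cookie header value. `lifetime` is seconds from `now`,
// or null for a session cookie (no Max-Age and no Expires).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`malformed Set-Cookie header: ${header}`);
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) {
      maxAge = parseInt(val, 10);
    } else if (key === 'expires' && !Number.isNaN(Date.parse(val))) {
      expires = Math.round((Date.parse(val) - now.getTime()) / 1000);
    }
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  return { name: pair.slice(0, eq), lifetime: maxAge !== null ? maxAge : expires };
}

// 'deleted'      : the header removes the cookie (lifetime <= 0)
// 'exempt'       : listed in the policy and within its allowed lifetime
// 'needs-review' : unlisted, or listed but longer-lived than the policy allows
function classify(cookie, policy = EXEMPT_POLICY) {
  if (cookie.lifetime !== null && cookie.lifetime <= 0) return 'deleted';
  if (!policy.has(cookie.name)) return 'needs-review';
  if (cookie.lifetime === null) return 'exempt';
  return cookie.lifetime <= policy.get(cookie.name) ? 'exempt' : 'needs-review';
}

// Parse and classify every header; returns [{ name, lifetime, verdict }, ...].
function auditHeaders(headers, now) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h, now);
    return { ...cookie, verdict: classify(cookie) };
  });
}

// Constructed sample headers (values and paths are made up for illustration).
const NOW = new Date('2018-10-31T16:32:00Z');
const SAMPLE_HEADERS = [
  'JSESSIONID=0123456789ABCDEF.jvm1; Path=/ecommerce; HttpOnly',
  'securedLoginId=DemoCustomer; Path=/ecommerce',
  'autoUserLoginId=DemoCustomer; Max-Age=31536000; Path=/ecommerce',
  'OFBiz.Visitor=10000; Expires=Thu, 31 Oct 2019 16:32:00 GMT; Path=/',
  // The one-year securedLoginId lifetime described before the change:
  'securedLoginId=DemoCustomer; Max-Age=31536000; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
  'autoUserLoginId=; Max-Age=0; Path=/ecommerce',
];

for (const r of auditHeaders(SAMPLE_HEADERS, NOW)) {
  const life = r.lifetime === null ? 'session' : `${r.lifetime}s`;
  console.log(`${r.name.padEnd(16)} ${life.padEnd(10)} ${r.verdict}`);
}
```

Run against headers captured from the storefront, anything reported as `needs-review` is a cookie that either needs a shorter lifetime or has to be covered by the consent banner.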
Hi,
Deepak has provided a working patch where he removed the 'Customized Cookies' feature of https://github.com/ketanmistry/ihavecookies

To compare, apply the patch (directly on the ecommerce component for now), load ecommerce in OFBiz and compare with https://iamketan.com.au/

I'm unsure it would be helpful but should not our users be able by default to have all the features?

Thanks

Jacques

On 05/11/2018 at 05:43, Deepak Nigam wrote:
> FYI, here is the Jira ticket
> <https://issues.apache.org/jira/browse/OFBIZ-10639> for further discussion
> and research.
On 15/06/2019 at 11:54, Jacques Le Roux wrote:
> On 31/10/2018 at 16:32, Jacques Le Roux wrote:
>> With OFBIZ-10635 I'm currently working on autoUserLoginId cookies. While doing so I spotted that securedLoginId has the same duration (1 year) as
>> autoUserLoginId. I have reduced it to the browser session so it also falls in the exempt cases. I'll commit that very soon.
>>
>> I have not read all the details but I believe the only ones we should think about are the autoUserLoginId and OFBiz.Visitor cookies. They
>> inherently do not contain party data, but from the visitorId or userLoginId fields it's possible to get to the party data. Not sure it's an issue
>> as is, because AFAIK we use only first‑party cookies[1] but the problem seems to be their durations: one year.
>>
>> [1] https://www.opentracker.net/article/third-party-cookies-vs-first-party-cookies
>
> I re-read the above and Benjamin's copy from "WP29pdf".
>
> It seems to me that autoUserLoginId and OFBiz.Visitor cookies don't fit in any of these categories, and we don't inform the visitor about these
> cookies.
> Deepak's proposition in OFBIZ-10639 does not allow to not consent. But I guess in this case it's the user's responsibility to quit the site before
> logging in and so we are covered.
>
> Please chime in if you disagree
>
> Jacques

Jacques