[horde] Britain’s “cookie law” prohibits tracking without consent

Michael M Slusarz slusarz at horde.org
Wed May 30 20:25:36 UTC 2012


Quoting Simon Brereton <simon.buongiorno at gmail.com>:

> On 30 May 2012 12:31, Andrew Morgan <morgan at orst.edu> wrote:
>> On Wed, 30 May 2012, Simon Brereton wrote:
>>
>>> Since I may have to pay attention to this, can you tell me what impact not
>>> accepting cookies will have on Horde/Imp/etc?
>>>
>>>
>>>
>>> http://arstechnica.com/tech-policy/2012/05/from-now-on-britains-cookie-law-prohibits-tracking-without-consent/
>>>
>>>
>>>
>>> Also, is there any easy way to put up a MOTD for this?
>>
>>
>> I use imp/config/motd.php in my old IMP4 installation.  I don't know if the
>> same file exists in IMP5.  BTW, I'm using IMP for authentication, so this
>> displays on the login page.
>
> /usr/share/horde4/config/motd.php says to use motd.local.php, but I
> can't find anything in the config tool to set this up.  I'm not sure
> my PHP skills are any good either...
>
> mail:~# grep -inr motd /usr/share/horde4/config/conf.php returns
> nothing (and like you, I remember this being in the setup for H3/Imp4)
>
>
>
>> I suggest you display a message saying they must accept cookies if they want
>> to use the service.  That covers the consent part.
>
> That's true - and applies as per the particulars of this law.  I was
> just wondering what effect not accepting cookies would have.  There is
> this warning in the config tool:
>
> Should we only allow session information to be stored in a session
> cookie and not be passed by URL (GET) parameters? This is on by
> default because passing session information in the URL is a security
> risk. Consider carefully before turning it off. Cookies must be
> working and enabled in the browser though, or you won't be able to
> login to Horde. If false, session information will be passed via both
> the URL and cookies.
>
> Which seems pretty emphatic about the need to accept cookies.  It
> would be nice if Horde could be made to function without them though.

There is absolutely no difference between "cookies" and URL parameters  
when it comes to "tracking".  They both serve the exact same purpose.   
So you are "tracking" a user via a URL parameter identically to a user  
when using a cookie.  Cookies, as used by the Horde project, are  
nothing more than a shorthand to having to add extra URL parameters to  
every request.

And the warning stated in the config file stands.  Passing session  
information in URLs is A Bad Idea.  None of the developers uses  
non-cookie based sessions, so while it theoretically should work,  
there are no guarantees.  Especially in H4 and URLs generated via
JavaScript.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
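
An added example, not part of the original message and not Horde's own code: a Python check that scans web-server access logs for session ids carried in request URLs or Referer headers, the two places they end up once cookie-only sessions are switched off. It assumes Combined Log Format and a session parameter named `Horde`; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the PHP session name is "Horde"; change it to match your setup.
SESSION_PARAM = "Horde"

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_ids_in(url):
    """Return the session-id values carried in the query string of url."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])

def find_url_sessions(lines):
    """Yield (client, where, path) for each log line that exposes a session id.

    'where' is "target" (id in the requested URL, so it is stored in this log)
    or "referer" (id was in the previous page's URL and was sent along with a
    follow-up request). The id itself is never returned, only its location.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        for where in ("target", "referer"):
            if session_ids_in(m[where]):
                yield (m["host"], where, urlsplit(m[where]).path)

# Constructed sample lines (documentation addresses, made-up session ids).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2012:20:25:36 +0000] "GET /horde/imp/mailbox.php?Horde=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [30/May/2012:20:26:01 +0000] "GET /horde/imp/mailbox.php HTTP/1.1" 200 5120 "https://mail.example.org/horde/login.php" "Mozilla/5.0"',
    '192.0.2.12 - - [30/May/2012:20:27:44 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "https://mail.example.org/horde/imp/message.php?Horde=abc123def456&uid=7" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, where, path in find_url_sessions(SAMPLE_LOG):
        print(f"{client}: session id exposed in {where} ({path})")
```

Any hit means a live session identifier was written somewhere other than the browser's cookie store; with cookie-only sessions enabled the scan should come back empty.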


