[horde] Britain’s “cookie law” prohibits tracking without consent
Rick Romero
rick at havokmon.com
Wed May 30 20:33:06 UTC 2012
Quoting Michael M Slusarz <slusarz at horde.org>:
> Quoting Simon Brereton <simon.buongiorno at gmail.com>:
>
>> On 30 May 2012 12:31, Andrew Morgan <morgan at orst.edu> wrote:
>>> On Wed, 30 May 2012, Simon Brereton wrote:
>>>
>>>> Since I may to pay attention to this, can you tell me what impact not
>>>> accepting cookies will have on Horde/Imp/etc?
>>>>
>>>>
>>>>
>>>> http://arstechnica.com/tech-policy/2012/05/from-now-on-britains-cookie-law-prohibits-tracking-without-consent/
>>>>
>>>>
>>>>
>>>> Also, is there any easy way to put up a MOTD for this?
>>>
>>>
>>> I use imp/config/motd.php in my old IMP4 installation. I don't know if the
>>> same file exists in IMP5. BTW, I'm using IMP for authentication, so this
>>> displays on the login page.
>>
>> /usr/share/horde4/config/motd.php says to use motd.local.php, but I
>> can't find anything in the config tool to set this up. I'm not sure
>> my PHP skills are any good either...
>>
>> mail:~# grep -inr motd /usr/share/horde4/config/conf.php returns
>> nothing (and like you, I remember this being in the setup for H3/Imp4)
>>
>>
>>
>>> I suggest you display a message saying they must accept cookies if
>>> they want
>>> to use the service. That covers the consent part.
>>
>> That's true - and applies as per the particulars of this law. I was
>> just wondering what effect not accepting cookies would have. There is
>> this warning in the config tool:
>>
>> Should we only allow session information to be stored in a session
>> cookie and not be passed by URL (GET) parameters? This is on by
>> default because passing session information in the URL is a security
>> risk. Consider carefully before turning it off. Cookies must be
>> working and enabled in the browser though, or you won't be able to
>> login to Horde. If false, session information will be passed via both
>> the URL and cookies.
>>
>> Which seems pretty emphatic about the need to accept cookies. It
>> would be nice if Horde could be made to function without them though.
>
> There is absolutely no difference between "cookies" and URL
> parameters when it comes to "tracking". They both serve the exact
> same purpose. So you are "tracking" a user via a URL parameter
> identically to a user when using a cookie. Cookies, as used by the
> Horde project, are nothing more than a shorthand to having to add
> extra URL parameters to every request.
>
> And the warning stated in the config file stands. Passing session
> information in URLs is A Bad Idea. None of the developers uses
> non-cookie based sessions, so while it theoretically should work,
> there are no guarantees. Especially in H4 and URLs generated via
> javascript.
Horde isn't tracking, it's maintaining session persistence - see
paragraph 1 of this link:
http://www.tomshardware.com/news/UK-Cookie-Law-Cookies-Storing-Law-Permission-Subscribe,15791.html
Rick
More information about the horde
mailing list