[horde] Britain’s “cookie law” prohibits tracking without consent

Simon Brereton simon.buongiorno at gmail.com
Wed May 30 21:18:39 UTC 2012


On 30 May 2012 16:33, Rick Romero <rick at havokmon.com> wrote:
>
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> Quoting Simon Brereton <simon.buongiorno at gmail.com>:
>>
>>> On 30 May 2012 12:31, Andrew Morgan <morgan at orst.edu> wrote:
>>>>
>>>> On Wed, 30 May 2012, Simon Brereton wrote:
>>>>
>>>>> Since I may have to pay attention to this, can you tell me what impact not
>>>>> accepting cookies will have on Horde/Imp/etc?
>>>>>
>>>>> http://arstechnica.com/tech-policy/2012/05/from-now-on-britains-cookie-law-prohibits-tracking-without-consent/
>>>>>
>>>>> Also, is there any easy way to put up a MOTD for this?
>>>>
>>>> I use imp/config/motd.php in my old IMP4 installation.  I don't know if
>>>> the same file exists in IMP5.  BTW, I'm using IMP for authentication, so
>>>> this displays on the login page.
>>>
>>> /usr/share/horde4/config/motd.php says to use motd.local.php, but I
>>> can't find anything in the config tool to set this up.  I'm not sure
>>> my PHP skills are any good either...
>>>
>>> mail:~# grep -inr motd /usr/share/horde4/config/conf.php returns
>>> nothing (and like you, I remember this being in the setup for H3/Imp4)
>>>
>>>> I suggest you display a message saying they must accept cookies if they
>>>> want to use the service.  That covers the consent part.
>>>
>>> That's true - and applies as per the particulars of this law.  I was
>>> just wondering what effect not accepting cookies would have.  There is
>>> this warning in the config tool:
>>>
>>> Should we only allow session information to be stored in a session
>>> cookie and not be passed by URL (GET) parameters? This is on by
>>> default because passing session information in the URL is a security
>>> risk. Consider carefully before turning it off. Cookies must be
>>> working and enabled in the browser though, or you won't be able to
>>> login to Horde. If false, session information will be passed via both
>>> the URL and cookies.
>>>
>>> Which seems pretty emphatic about the need to accept cookies.  It
>>> would be nice if Horde could be made to function without them though.
>>
>>
>> There is absolutely no difference between "cookies" and URL parameters
>> when it comes to "tracking".  They both serve the exact same purpose.  So
>> you are "tracking" a user via a URL parameter identically to a user when
>> using a cookie.  Cookies, as used by the Horde project, are nothing more
>> than a shorthand to having to add extra URL parameters to every request.
>>
>> And the warning stated in the config file stands.  Passing session
>> information in URLs is A Bad Idea.  None of the developers uses non-cookie
>> based sessions, so while it theoretically should work, there are no
>> guarantees.  Especially in H4 and URLs generated via javascript.
>
>
>
> Horde isn't tracking, it's maintaining session persistence - see paragraph 1
> of this link:
> http://www.tomshardware.com/news/UK-Cookie-Law-Cookies-Storing-Law-Permission-Subscribe,15791.html


Better to be safe than sorry, yes?  Thanks for the link though.

Simon
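
The config-tool warning quoted in this thread calls passing session information in the URL a security risk; one reason is that the session ID then lands in access logs and Referer headers. The following is an added example, not part of the thread or of Horde's code: a Python scan of Combined Log Format lines for session IDs carried in URLs. The session parameter name `Horde`, the host name, the paths and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "Horde"  # assumption: PHP session name; match your session.name

# Combined Log Format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IP ranges, made-up session ID).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/May/2012:16:01:02 +0000] "GET /webmail/index.php'
    '?page=mailbox&Horde=k3v9q2c8s1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2012:16:01:09 +0000] "GET /webmail/screen.css'
    ' HTTP/1.1" 200 900 "https://mail.example.org/webmail/index.php'
    '?page=mailbox&Horde=k3v9q2c8s1" "Mozilla/5.0"',
    '203.0.113.44 - - [30/May/2012:16:20:30 +0000] "GET /webmail/index.php'
    '?page=mailbox&Horde=k3v9q2c8s1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/May/2012:16:21:00 +0000] "GET /webmail/login.php'
    ' HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',  # cookie-only session: no finding
]

def session_ids(url):
    """Return the session IDs found in the query string of a URL or path."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])

def scan(lines):
    """Return (kind, client_ip, session_id) findings for URL-borne session IDs."""
    findings, first_ip = [], {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not Combined Log Format; skip
        hits = [("sid-in-url", s) for s in session_ids(m["target"])]
        hits += [("sid-in-referer", s) for s in session_ids(m["referer"])]
        for kind, sid in hits:
            findings.append((kind, m["ip"], sid))
            # Same ID from a different address is a lead to review, not proof:
            # NAT and mobile networks also change client IPs mid-session.
            if first_ip.setdefault(sid, m["ip"]) != m["ip"]:
                findings.append(("sid-from-second-client", m["ip"], sid))
    return findings

if __name__ == "__main__":
    for kind, ip, sid in scan(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {sid[:4]}...")  # truncate the ID in reports
```

With cookie-only sessions enabled, as the config tool recommends, a scan like this should return no findings.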

