I am working on a new PHP application that will allow users to register for an account in order to use my service. I want the website to comply with the new legislation that has come to the UK, which requires sites to let visitors enable or disable the use of cookies on their first visit.
I'm not entirely sure, though, what the best way to implement this is. If I can't store a cookie, how would I keep track of whether the user is visiting the site for the first time (in order to display the message) or whether it is not the first visit (in which case the cookie message should not be displayed)?
Thanks for any help you can provide.
The law is mainly concerned with 3rd-party cookies. Yours is a first-party cookie, and these are generally assumed to be OK. You should be fine with a notice on your site specifying that you are using cookies and that if people don't like that, they should get off your site (possibly worded more politely).
From the ICO's own recommendations:
First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
Also note that it's not really a law - it's an EU directive and it's not really enforced.
One should distinguish between session-cookies and other cookies:
Session cookies will be removed as soon as the user closes the browser; they are important for secure session handling and increase the privacy of the user. It would be absurd to forbid those cookies.
Persistent cookies, especially those of 3rd parties, can live a long time in the user's browser. They are often misused to collect information about the user, so the user should be asked whether he allows such cookies. Unfortunately, only honest websites will ever care about this law/recommendation.
EDIT:
I found a description of exceptions in the ICO cookies guidance which seems to legitimise pure session cookies:
There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is: (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
...This exception is likely to apply, for example, to a cookie used to ensure that when a user of a site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, the site ‘remembers’ what they chose on a previous page. This cookie is strictly necessary to provide the service the user requests (taking the purchase they want to make to the checkout) and so the exception would apply and no consent would be required.
EDIT2:
Should you ask the user to store non-session cookies and he doesn't allow storing them, then keep this information in your session, but ask him again when he returns with another session. It is his choice then to get this message whenever the browser has been closed.
Related
I'm building an ecommerce website, and have had a problem with two different payment gateways. Visitors enter their card details and then leave for the 3D Secure step, which requires visiting their bank's website. When they return from that, they have no cookies on our website, and we cannot recognize them to link up the order.
With one payment gateway, this results in the order failing; with the other, the payment comes through, but is not linked to any specific account or products purchased. Clearly, both of these are problems.
I know that plenty of browsers clear cookies on closing the browser, but I'm not aware of any that clear cookies just because you've left the site for a moment. (Furthermore, on one of the two payment gateways, the 3D Secure step is done in an iframe, so the user hasn't even left the site.) It's the user's session which is disappearing.
Concrete questions:
Is it common for session cookies to be this volatile? This is behaviour I've been unable to replicate myself. Is there some common browser setting or addon which aggressively (and prematurely) deletes session cookies?
Might there be something else causing the effects I'm seeing?
In this kind of scenario, these days it often has to do with the SameSite attribute of the session cookie.
The Strict value will prevent cookies from being sent in any request initiated by a third-party website. When users are redirected back to your site from the payment gateway, that is a “navigation” from a 3rd-party site, and the cookies do not get sent; so your own session cannot be picked up at that point.
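As an added illustration of the point above (example code, not from the answer or the questioner's site): a PHP session bootstrap that sets the SameSite attribute explicitly, with the Strict setting that reproduces the symptom shown beside the setting that survives the return leg. The helper names and the 'get'/'post'/'iframe' classification are this example's own; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not code from the answer above: a session bootstrap that sets
// SameSite explicitly instead of leaving it to the browser default. Needs
// PHP 7.3 or later for the array form of session_set_cookie_params().
declare(strict_types=1);

// Session-cookie attributes for a given SameSite policy. The other flags do not
// change: browser-session lifetime, HTTPS only, no access from document.cookie.
function sessionCookieParams(string $sameSite): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',          // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => $sameSite,   // 'Strict', 'Lax' or 'None'
    ];
}

// The least permissive policy that still survives the return leg from a payment
// gateway, given how the gateway hands the visitor back (assumed classification):
//   'get'    - plain redirect: a top-level GET navigation, which Lax allows.
//   'post'   - the gateway POSTs the result to your return URL: a cross-site
//              POST, withheld under Lax as well, so only None works.
//   'iframe' - 3-D Secure runs in an iframe on your page and the frame navigates
//              to your return URL: not a top-level navigation, so again None.
// Strict is never an option here: it withholds the cookie on every request whose
// initiator is another site, which is exactly the symptom in the question.
function returnLegPolicy(string $returnMethod): string
{
    return $returnMethod === 'get' ? 'Lax' : 'None';
}

// Weak setting, kept only for comparison: the visitor comes back without a session.
$broken = sessionCookieParams('Strict');

// Corrected setting for a gateway that redirects back with GET.
session_set_cookie_params(sessionCookieParams(returnLegPolicy('get')));
session_start();
```

Two caveats: browsers discard a SameSite=None cookie that is not also marked Secure, and None gives up the cross-site request protection that Lax provides, so a checkout that needs it because of a POST-back or iframe return must rely on its own anti-CSRF tokens instead.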
I have a problem in my project. When the admin is logged in, no front-end user can log in in the same browser. Why does this happen? But when I destroy the cookies and then try to log in as a user, it correctly logs in.
How can I solve this?
Any major browser will only store one session cookie for a site, but the site developer gets to choose what's in that cookie. It seems like your site is storing user information in the session cookie, which is then getting overwritten when the other tab stores different information in the same cookie.
You don't provide much detail about how your specific site operates, but here are a few general ways of approaching this problem.
1) Use different browsers for different users. Different browsers don't share cookies between them. If your goal is simply to test your site with multiple users, this is the way. You can also use Incognito/Private mode to log in a separate user, as this mode doesn't share cookies either.
2) Don't use session cookies to store user information. This is a non-starter on most websites, but if this is an internal site or strictly controlled environment, you may be able to pass user identification via the URL, POST data, or some other hidden identifier in the request.
3) Store data in the session cookie for all currently logged in users. Depending on the web framework, it may be possible to create a map of user -> cookieData and look up the correct one based on which user is making the request. This is an advanced technique, and I don't actually know if Laravel exposes this level of control.
Harshad is covering all the aspects very well, but I can tell you about a little trick I have used when I wanted to test using different user rights (same browser). In my case, it was Windows Authentication, but it does not matter:
1) define a flag at user level (e.g. SuperUser). It can be 0 (false) or 1 (true).
2) allow "impersonation" - if an administrator has the SuperUser flag set, he/she can change his/her roles/rights and see the site as if he/she were a normal user with those particular rights, but the user management section is still accessible, to allow changing the rights back.
3) Small changes are required in the user management section to allow the SuperUser security implementation (i.e. the section is shown if the user does not have the admin role but is marked as SuperUser).
So, you are testing as a single user; no multiple session cookies or other tricks are required. You can have one tab opened with your user profile and other(s) to do the actual testing.
Note: regarding the multiple-browser suggestion, it is a quick solution for developers, but in a corporate environment this can be a real problem, as users (e.g. key users that have to test security) do not have access to more than one browser.
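The three steps above, written out in plain PHP as an added example (not the answerer's code, which was for Windows Authentication): a super_user flag on the user record, an impersonated role set kept in the session that can only narrow the user's real roles, and a user-management check that looks at the flag rather than the effective roles so the rights can always be changed back. The user record layout, session key and function names are this example's own.

```php
<?php
// Added example, not the answerer's code: the "impersonation" trick for testing
// with reduced rights in a single browser session.
declare(strict_types=1);

const SESSION_IMPERSONATED_ROLES = 'impersonated_roles';   // assumed session key

// Roles the current request is authorised with: the impersonated set while one
// is active (and the user really is a super user), otherwise the real roles.
function effectiveRoles(array $user, array $session): array
{
    $override = $session[SESSION_IMPERSONATED_ROLES] ?? null;
    if ($user['super_user'] && is_array($override)) {
        // Impersonation may only drop rights, never add roles the user lacks.
        return array_values(array_intersect($override, $user['roles']));
    }
    return $user['roles'];
}

// Every authorisation check in the application goes through the effective roles.
function hasRole(array $user, array $session, string $role): bool
{
    return in_array($role, effectiveRoles($user, $session), true);
}

// Begin viewing the site with a smaller role set. Refused for ordinary users, so
// posting a role list cannot grant anything.
function startImpersonation(array $user, array &$session, array $roles): bool
{
    if (!$user['super_user']) {
        return false;
    }
    $session[SESSION_IMPERSONATED_ROLES] = array_values(array_intersect($roles, $user['roles']));
    return true;
}

function stopImpersonation(array &$session): void
{
    unset($session[SESSION_IMPERSONATED_ROLES]);
}

// Step 3: the user-management section stays reachable for a super user even
// while the impersonated roles hide the admin menus, so the change can be undone.
function canOpenUserManagement(array $user, array $session): bool
{
    return hasRole($user, $session, 'admin') || (bool) $user['super_user'];
}

// Constructed sample user and an in-memory stand-in for $_SESSION.
$alice   = ['name' => 'alice', 'super_user' => true, 'roles' => ['admin', 'editor', 'viewer']];
$session = [];

startImpersonation($alice, $session, ['viewer']);   // browse as a plain viewer
$adminMenusVisible = hasRole($alice, $session, 'admin');   // hidden while impersonating
$canSwitchBack     = canOpenUserManagement($alice, $session);   // still reachable
stopImpersonation($session);   // back to the real role set
```

In a real application `$session` is `$_SESSION` and `$user` comes from the authenticated principal; the important property is that the impersonated set is intersected with the real roles on both write and read, so a tampered session value can never widen rights.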
I'm currently working on a new website for a client that stores personal information and credit card info on the site. As such, security is a big concern for me. This is the first site I've built that has sensitive information on it, and so I'm not very familiar with the whole subject.
The site manages users using sessions. However, I'm finding it hard to keep the sessions secure. I want to implement a User Agent check that checks the browser every time a page is loaded. This way, when I copy the session ID into a manually-created cookie on my 'attacker' browser, the server will detect the user agent change (from Chrome to Firefox) and reject the session.
My question is, if I do implement this check to run EVERY time a page is loaded, do I run the risk of logging out my legitimate user? Is there any reason that the true user would change their user agent between pages? And if so, how likely is this to happen? Likely enough that I should abandon this approach entirely, or is it an acceptable risk?
EDIT: The cookies are set to expire as soon as the browser is closed. Also, the user agent that is set upon login is stored in the session and is hashed after a salt is appended to it.
Yes, the user-agent string can change. Session cookies often last longer than an individual browser session. If a user upgrades their browser (very common these days with the auto-updaters in Chrome and Firefox) then a different version will appear in the user-agent string.
In addition, some plugins are reported in the user-agent string, causing it to change if a user installs one.
Your user-agent string check doesn't really offer any additional security. I don't recommend it.
Because of the new EU cookie law, I need to implement a cookie solution on my site. I want to make a simple pop-up which tells the user we use cookies, and a button they can click "agree" on. My problem is just that my site is setting cookies all over the site, so I need to make the popup box, somehow, before placing the cookies. Is there any way you can make a pop-up, and then only when it's closed, execute the rest of the PHP code?
Thank you!
In all my projects I allow cookies by default on the first page; I display the pop-up, and if the user rejects, I delete the cookies and do not use any cookies anymore.
It depends on your website, but I think you don't need to block a part of your website until the user accepts cookies; use a "standard" way.
Also, what you want to achieve is not very good for SEO.
If you redirect your user to another page, crawlers won't be able to check your website, and if all pages redirect to the same page you will have a very bad ranking.
Update:
It is not required to block all cookies as mentioned in the EU cookie law (e-Privacy Directive) since June 2012:
European data protection authorities opinion
In June 2012, European data protection authorities (as part of the Article 29 Working Party) adopted an opinion which clarifies that some cookie uses might be exempt from the requirement to gain consent:
Some cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes. These cookies include cookies used to keep track of a user’s input when filling online forms or as a shopping cart, also known as session-id cookies, multimedia player session cookies and user interface customisation cookies, eg language preference cookies to remember the language selected by the user. First party analytics cookies are not likely to create a privacy risk if websites provide clear information about the cookies to users and privacy safeguards, eg a user friendly mechanism to opt out from any data collection and where they ensure that identifiable information is anonymised.
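A PHP sketch of the flow this answer and the EDIT2 of the earlier session-cookie answer describe, added here and not taken from either answer: optional cookies are allowed on the first page, the banner is shown until it is answered, a refusal expires the site's non-session cookies and is remembered only in the session, so a visitor who refused is asked again after closing the browser, while an "agree" is remembered by a persistent consent cookie. The constants, helper functions and the consent=1/0 form fields are this example's own.

```php
<?php
// Added example: cookie-consent handling in plain PHP (not code from either answer).
// The session cookie itself is strictly necessary and is always set; everything
// else is an "optional" cookie that the visitor may refuse.
declare(strict_types=1);

const CONSENT_KEY    = 'cookie_consent';     // session key: 'granted' | 'refused' | absent
const CONSENT_COOKIE = 'cookie_consent';     // persistent cookie, written only on "agree"
const CONSENT_TTL    = 60 * 60 * 24 * 365;   // one year

// Attributes shared by every cookie this site sets.
function cookieOptions(int $expires = 0): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                           'httponly' => true, 'samesite' => 'Lax']);
session_start();

// True while the site may set optional cookies: the default, until refused.
function optionalCookiesAllowed(): bool
{
    return ($_SESSION[CONSENT_KEY] ?? null) !== 'refused';
}

// True when the banner still has to be rendered on this page load. A grant is
// remembered by the persistent consent cookie; a refusal lives only in the
// session, so the question is asked again once the browser has been closed.
function bannerNeeded(): bool
{
    return !isset($_SESSION[CONSENT_KEY]) && !isset($_COOKIE[CONSENT_COOKIE]);
}

// Record the visitor's answer to the banner.
function recordConsent(bool $granted): void
{
    $_SESSION[CONSENT_KEY] = $granted ? 'granted' : 'refused';
    if ($granted) {
        setcookie(CONSENT_COOKIE, '1', cookieOptions(time() + CONSENT_TTL));
        return;
    }
    // Refused: expire every cookie this site has set so far except the session cookie.
    foreach (array_keys($_COOKIE) as $name) {
        if ($name !== session_name()) {
            setcookie($name, '', cookieOptions(time() - 3600));
            unset($_COOKIE[$name]);
        }
    }
}

// Guarded replacement for setcookie(): silently skipped once consent was refused.
function setOptionalCookie(string $name, string $value): bool
{
    if (!optionalCookiesAllowed()) {
        return false;
    }
    return setcookie($name, $value, cookieOptions(time() + CONSENT_TTL));
}

// The banner posts consent=1 or consent=0 back to the same page.
if (isset($_POST['consent'])) {
    recordConsent($_POST['consent'] === '1');
}
if (bannerNeeded()) {
    echo '<div class="cookie-banner">This site uses cookies. <form method="post">'
       . '<button name="consent" value="1">Agree</button> '
       . '<button name="consent" value="0">Reject</button></form></div>';
}

// An optional, non-essential cookie goes through the guard instead of setcookie().
setOptionalCookie('last_visit', (string) time());
```

Because the whole page still renders while the banner is up, nothing is redirected and crawlers see the normal content; the only thing that changes after a refusal is that `setOptionalCookie()` becomes a no-op for the rest of that browser session.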
Pretty basic question here. In PHP, if the user's browser has cookies disabled, are both server cookies ($_SESSION) AND client cookies ($_COOKIE, setcookie) unusable, or is only the latter disabled?
Basically you can't make the user log in or do anything that requires a session, right?
Also, in which case would someone want to have cookies disabled?
Thanks!
Yes, it's true. Both sessions and normal cookies are normal cookies. If a user does not accept cookies, he cannot use any of the functionality enabled by them. Which means pretty much the whole internet would break for that user, which is why in this day and age there's virtually nobody who has cookies disabled entirely.
PHP has a built-in mechanism called transparent session ids, which automagically rewrites all links to contain the session id in a query parameter. I would not suggest using it, since session ids in the URL open up a whole new can of worms.
For user friendliness, I'd recommend you test whether the user has cookies enabled or not (set a cookie, redirect to the next page with a flag in the URL that cookies should be set, see if you get any cookies back) and if not, kindly advise the user to enable them.
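The test just described, as an added example (not the answerer's code): the first request sets a probe cookie and redirects to the same URL with a flag in the query string; the second request reports whether the cookie came back. It also switches off PHP's transparent session ids, which the answer warns against, so a session id can only ever arrive in a cookie. The cookie and parameter names are this example's own.

```php
<?php
// Added example, not the answerer's code: detect whether the browser accepts
// cookies before relying on a session, and refuse session ids passed in URLs.
declare(strict_types=1);

const PROBE_COOKIE = 'cookie_probe';    // assumed names
const PROBE_FLAG   = 'cookie_check';

// Session ids are accepted from cookies only and never rewritten into links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued

// State of the probe for this request: 'unknown' on the first hit (redirect
// pending), 'enabled' when the cookie came back, 'disabled' when it did not.
function cookieProbeState(array $cookies, array $query): string
{
    if (!isset($query[PROBE_FLAG])) {
        return 'unknown';
    }
    return isset($cookies[PROBE_COOKIE]) ? 'enabled' : 'disabled';
}

// Same path and query string as the current request, plus the probe flag.
// Rebuilding the URL from parsed parts keeps the redirect on this site.
function probeRedirectUrl(string $requestUri): string
{
    $path  = parse_url($requestUri, PHP_URL_PATH) ?: '/';
    $query = [];
    parse_str((string) parse_url($requestUri, PHP_URL_QUERY), $query);
    $query[PROBE_FLAG] = '1';
    return $path . '?' . http_build_query($query);
}

$state = cookieProbeState($_COOKIE, $_GET);

if ($state === 'unknown') {
    setcookie(PROBE_COOKIE, '1', ['path' => '/', 'secure' => true,
                                  'httponly' => true, 'samesite' => 'Lax']);
    header('Location: ' . probeRedirectUrl($_SERVER['REQUEST_URI']), true, 302);
    exit;
}

if ($state === 'disabled') {
    echo 'This site needs cookies to keep you logged in. Please enable them and reload the page.';
    exit;
}

// Cookies work: start the session as usual.
session_start();
```

A crawler that stores no cookies will always end on the advice message, so run this probe only on the login or checkout entry point rather than on every page.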
You can track the user via $_GET.
Imagine that on every single page the user visits you pass ?user_id=XYZ123; then you would have implemented a very similar server identification. It has obvious disadvantages:
1) if you copy/paste a URL you'll give away your session_id
2) because of 1, session hijacking needs even less tech savvy
Why do users disable cookies?
Users tend to throw first- and third-party cookies all in the mix, but they come from different breeds.
First-party cookies are generally OK. When you visit Facebook it's expected that Facebook keeps a cookie to store your interactions with the server.
What is not expected is that the advertising company that has ads both on Facebook and on eBay gets your cookie back and checks: ah, so this guy was on eBay looking for xyz, so now that he's on Facebook I'm gonna show him abc to make him buy, etc. etc.
I think you should read the session reference manual: http://www.php.net/manual/en/session.idpassing.php
In short, if your server can't find the session_id, it cannot restore the session. But you can use alternate ways to store session values. Or you can generate a session_id based on the user's client environment parameters.