
More control over cookies #1398

Closed
christophKi opened this issue Feb 23, 2018 · 17 comments
Comments

@christophKi

christophKi commented Feb 23, 2018

We discussed the possibility of giving admins more control over cookies (session/persistent cookies) in the BE, during user visits in the FE. Especially when a cookie isn't needed for a website, e.g. when no language switch or forms over multiple sites are used. In this case, there is no reason for session cookies in the FE.

It's also a nice idea to have the possibility of setting expiry dates (e.g. language settings) of the cookies.

It's discussed in the forum under: https://community.contao.org/de/showthread.php?68627-Contao-Setzen-von-Cookies-verhindern-DSGVO-ePrivacy-2018&p=466131#post466131

Regards christoph

@fritzmg
Contributor

fritzmg commented Feb 23, 2018

It's also a nice idea to have the possibility of setting expiry dates of the cookies.

If you mean the session cookie, that's already possible.

@christophKi
Author

If you mean the session cookie, that's already possible.

e.g. for the language switcher, but if it is not a Contao core feature and has to be installed via extensions, I think it depends on the extension developer to implement such an option, right?

Then cookie control would be nice for all Contao core features which use cookies (if Contao ever sets more than the session cookie in its core functions). If not, control over the session cookie would be nice (whether it should be set in the FE or not).

@fritzmg
Contributor

fritzmg commented Feb 23, 2018

Contao does not have a language switcher. If you mean terminal42/contao-changelanguage - that extension does not save any cookies as far as I know.

@christophKi
Author

I mean it more generally. If an extension needs cookies, the developer has to take care of the settings. Right? This is related to the question in the forum,
first post: "By default, Contao sets 'session cookies' when a website is accessed, and external extensions may, depending on the use case, also set 'persistent cookies', which are stored permanently (until deleted) in the browser."
And
"Could the setting of temporary (core) cookies in Contao be prevented in some practical and extension-safe way? Could the setting of further cookies also be controlled via opt-in? Services such as cookiebot.com apparently offer an external solution for this."

But for Contao core: are there more cookies in use than the session cookie?
If YES, control over all Contao core cookies would be nice.
If NOT, control over the session cookie would be nice.

@birdmedia

I support the idea that Contao focuses on "privacy by design", regardless of whether the DSGVO and ePrivacy Policy will explicitly require this step or not. Core session cookies should only be set when really necessary and not in advance. Maybe the creation of session cookies can be limited to the processes and functions where they are indispensably required (e.g. login in the backend, multi-page forms etc.). Optional control over these settings could be added to the maintenance section of the backend. This feature should not only be applied to future versions of Contao but also to older versions. Website owners and web designers might soon have to take action and adapt existing websites which are not running the latest version of Contao.

@aschempp
Member

aschempp commented Mar 5, 2018

This feature should not only be applied to future versions of Contao but also to older versions.

It's a feature. Old versions do not get new features. I don't know why that's so hard to understand…

@birdmedia

I got your point as a core developer but I think if the worst case happens and a lot of website owners would be forced to modify or shut down their websites, providing applicable solutions should be more important than sticking to paradigms, especially concerning the LTS version. With a shifting perspective the status quo might turn out to be erroneous, so this wouldn't just be a feature but an essential part of core architecture.

@fritzmg
Contributor

fritzmg commented Mar 9, 2018

Related: #1389

@leofeyer
Member

As discussed in Mumble on March 15th, this is not something we have to implement.

  • We are already working on not starting the session in the front end, which turns out to be more difficult than expected. We hope to have a working solution in Contao 4.6.

  • If you feel like you have to adjust the PHP session timeout, your php.ini would be the correct place to do so.

  • Regarding the GDPR it is very likely that the Contao session cookie is not a problem, because it only stores a hash and is not used to track visitors.

We are in contact with the guys of Spirit Legal to make Contao GDPR compatible and we will take the necessary steps as soon as we reliably know what those are.
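The two technical points in the comment above (not starting the session for plain front-end requests, and controlling the session cookie's lifetime) can be shown in a small, added PHP example. This is illustrative code written for this page, not Contao's implementation; the function names are hypothetical, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example, not Contao core code. Shows (1) starting a PHP session only
// when the request actually needs one and (2) setting the session cookie's
// lifetime and security flags. Assumes PHP >= 7.3 for the array form of
// session_set_cookie_params(). Function names are hypothetical.

/**
 * Decide whether this request needs a session at all.
 * A session is needed if the request will write state (e.g. a multi-page form
 * or a back-end login) or if the browser already presents a session cookie
 * that should be resumed. A plain front-end page view with neither gets no
 * Set-Cookie header.
 */
function sessionIsNeeded(array $cookies, bool $requestWritesState): bool
{
    return $requestWritesState || isset($cookies[session_name()]);
}

/**
 * Configure the session cookie before the session starts.
 * lifetime 0 = a true session cookie that the browser discards on close;
 * a positive value (seconds) turns it into a persistent cookie. This is the
 * per-request equivalent of session.cookie_lifetime in php.ini; the server-side
 * garbage-collection window (session.gc_maxlifetime) is a separate setting.
 */
function configureSessionCookie(int $lifetimeSeconds = 0, bool $secure = true): void
{
    session_set_cookie_params([
        'lifetime' => $lifetimeSeconds,
        'path'     => '/',
        'secure'   => $secure,   // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',     // not sent on cross-site POST requests
    ]);
}

/**
 * Start the session lazily. Returns true if a session is active afterwards.
 */
function startSessionIfNeeded(bool $requestWritesState, int $lifetimeSeconds = 0): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (!sessionIsNeeded($_COOKIE, $requestWritesState)) {
        return false; // nothing is written, so no cookie is issued
    }
    configureSessionCookie($lifetimeSeconds);
    return session_start();
}

// Usage in a front-end controller: a GET page view does not touch the session,
// a form submission (POST) does.
$isFormSubmission = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
startSessionIfNeeded($isFormSubmission);
```

With this pattern a visitor who only reads pages never receives a session cookie, while a multi-page form or login still works because the first state-writing request starts the session and later requests resume it via the cookie that is now present.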

@Anke

Anke commented Apr 12, 2018

I'm missing a lively discussion about GDPR related issues, not only about cookies but e.g. also about the comments function storing more data (of mandatory fields by default) that have never been necessary. Given that the GDPR was adopted in April 2016, it sounds rather planless to say "we will take the necessary steps as soon as we reliably know what those are."

@m-vo
Member

m-vo commented Apr 12, 2018

The last Mumble call showed there is a lively debate and that a lot of things are being taken into account and taken care of. But also that it is really not that easy to make clear statements at this point.

@Anke

Anke commented Apr 12, 2018

I don't have Mumble, and in the core issues labeled "up for discussion" there isn't much to find concerning the GDPR.

Is there any cheatsheet of all the data Contao stores by default that would help Contao users to write reliable privacy statements?

@m-vo
Member

m-vo commented Apr 12, 2018

There is no cheatsheet and no one will be able to give you a reliable privacy statement as this is application related. The only thing the Contao core can do (and will do) is to make sure the technology used in the core does not conflict with the GDPR and to achieve as much 'privacy as default' as possible/sensible.

Many things just aren't clear, yet. See the quote of @leofeyer from above:

We are in contact with the guys of Spirit Legal to make Contao GDPR compatible and we will take the necessary steps as soon as we reliably know what those are.

@Anke

Anke commented Apr 12, 2018

I read Leo's statement. It implies that no one took the matter seriously during the past two years and that we cannot expect a GDPR compliant version before May 28th - if at all for Contao 3.5.

My point is that Contao users have to start writing their privacy statements providing utmost transparency about all data current Contao versions are collecting. Thus I asked for a list of all GDPR-relevant personal data Contao collects, assuming that the developer team would know best. The regular Contao user isn't necessarily aware of the fact that IP addresses are stored with comments and possibly with other functions as well.

@Toflar
Member

Toflar commented Apr 13, 2018

IPs are stored anonymized. For other data that's stored, I think it's best if you look at your database. You'll see what we store immediately (including all extensions).

@fritzmg
Contributor

fritzmg commented Apr 13, 2018

The regular Contao user isn't necessarily aware

Those responsible for a web application need to audit their web application in any case and then take the necessary steps if applicable. This is not specific to a CMS for example.

@Anke

Anke commented Apr 18, 2018

Seems to me that saving shortened IP addresses and user agents with any kind of form submission might not be compliant in the sense of GDPR's minimized data collection ...
