10

Possible Duplicate:
How do I comply with the EU Cookie Directive?

Under this new EU law we are not allowed to use any cookies without asking first.

I for one need to use a cookie to register the user logged on, as if not with a cookie they can log on more than once and breach the license terms of the software.

So I find myself asking: what can we use instead of cookies to perform this task?

Theresa Forster
  • 7
    "...the EU’s directive stated that websites would have to obtain informed and explicit consent from their visitors through notifications every time a cookie is to be placed on their machine. _The only exception is for cookies strictly necessary for the legitimate purpose of enabling the use of an explicitly requested service_." - http://blog.incomeaccess.com/9134/2011/06/20/all-bark-no-bite-eus-new-cookie-directive/ I would think that the exception covers the need for session tracking cookies; as in strictly necessary to access the service(s) of your site. *INAL, and I don't live in the EU. – techie007 Jun 30 '11 at 11:53
  • 4
    that should be an answer – jk. Jun 30 '11 at 12:13
  • @techie so if the explicit use of my site is to gather your information and track your surfing habits I'm OK, right? :P I'm sure that is how it would be ruled in the US. – SoylentGray Jun 30 '11 at 13:20
  • @Chad - another part of the American Way would be if you are not explicit enough, the ruling may not be so favorable. Especially if your site makes any money $-) – JeffO Jun 30 '11 at 14:07
  • @Chad - If I explicitly requested that service from you, and your cookie was necessary for you to provide that requested service, then yes, I guess it would cover it. I don't really think it's an "answer" to an alternative to using cookies to track log on sessions, but hey, three people want it as an answer I'll put it in as one. ;) – techie007 Jun 30 '11 at 16:01
  • @Techie of course you did, I mean I'm sure you read all of the terms of service before you checked I agree... – SoylentGray Jun 30 '11 at 17:02

4 Answers

10

Not really an answer towards an alternative to using cookies for log on session tracking, but it seems to point to the idea that the question may be moot.

From here:

Essentially, the EU’s directive stated that websites would have to obtain informed and explicit consent from their visitors through notifications every time a cookie is to be placed on their machine. The only exception is for cookies strictly necessary for the legitimate purpose of enabling the use of an explicitly requested service.

I would think that the exception covers the need for session-tracking cookies; as in 'strictly necessary' to access the service(s) of your site.

Disclaimer: I'm Not A Lawyer, and I don't live in the EU. :)

techie007
  • Well, this should allow for session cookies, if they are created only upon the user's successful authorization to the service whose terms they've already agreed to, but I guess it leaves anonymous session cookies in the grey zone. – Filip Dupanović Jun 30 '11 at 16:17
  • @Filip Dupanović - I would think that exception, unless defined better some place else, would leave a HUGE gray area. :) – techie007 Jun 30 '11 at 16:19
  • 2
    *My service includes serving contextually relevant ads. For that work a cookie is essential.* The directive's wording is a horrible mix of technical jargon, legal wording, and business speak. It is totally and utterly useless. – edA-qa mort-ora-y Jul 01 '11 at 08:04
  • There is also the problem that each individual country writes its own laws interpreting the EU directive. – idstam Jul 01 '11 at 11:24
3

You can add a session identifier to a hidden field in all pages or to the URL.

You could also ask all existing users for permission to use cookies and add a new cookie clause to your license.

It might be less expensive to drop non-compliant customers than to recode your site.

idstam
  • That's a valid comment, but I was looking for maybe some unique info that is sent by the browser / machine, that could be used server side to generate a unique id, basically becoming a server-side cookie... – Theresa Forster Jun 30 '11 at 11:57
  • 1
    @Theresa if there were such a thing web frameworks would not exclusively depend on session tracking cookies. – Jeremy Jun 30 '11 at 13:23
  • Just to add, US Federal Government Web sites have had this restriction since the Clinton administration. The use of session cookies provides the minimum functionality necessary without writing to the user's HDD. – Michael Mangold Jun 30 '11 at 13:42
  • @Jeremy - ASP.NET can do cookieless sessions. http://msdn.microsoft.com/en-us/library/aa479314.aspx – rally25rs Jun 30 '11 at 18:25
  • @rally25rs Good point, but it's just putting the session ID in the URL, not using any hidden identifier from the machine. – Jeremy Jun 30 '11 at 19:18
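
A sketch of the cookieless approach from the answer above, added here as an example and not written by any poster on this page: the server issues a random session id at login, carries it in a hidden form field, and keeps only one live session per user, which is the license constraint in the question. The function names, the `sid` field name and the 15-minute idle timeout are assumptions.

```python
import html
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 900   # seconds of inactivity before a session dies (assumed policy)
_sessions = {}       # session id -> [user, last_seen]
_current = {}        # user -> the one session id currently allowed

def login(user: str, now: Optional[float] = None) -> str:
    """Call after credentials are verified. Returns a fresh, unguessable id."""
    now = time.time() if now is None else now
    old = _current.pop(user, None)
    if old is not None:
        _sessions.pop(old, None)      # a second logon ends the first one
    sid = secrets.token_urlsafe(32)   # server-generated, never taken from the request
    _sessions[sid] = [user, now]
    _current[user] = sid
    return sid

def logout(sid: str) -> None:
    """Drop a session and release the user's single-session slot."""
    entry = _sessions.pop(sid, None)
    if entry and _current.get(entry[0]) == sid:
        del _current[entry[0]]

def validate(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live session id, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None                   # ids the server did not issue are rejected
    user, last_seen = entry
    if now - last_seen > IDLE_TIMEOUT:
        logout(sid)
        return None
    entry[1] = now                    # sliding idle window
    return user

def hidden_field(sid: str) -> str:
    """Markup for every form so the id travels in the POST body, not the URL."""
    return f'<input type="hidden" name="sid" value="{html.escape(sid, quote=True)}">'
```

The hidden POST field is the safer of the two carriers the answer mentions: an id placed in the URL ends up in browser history, server logs and Referer headers.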
0

I guess you could resort to something like evercookie, but without the actual cookie and just use the other techniques.

My layman's interpretation says you can place cookies on someone's machine if they explicitly request for you to render them a service and the cookie is required for the service to function. Like clicking the Login button on a web page. It is trying to exclude secret cookies that the users didn't ask for and don't know exist.

This would be a useless law in the US, as every advertiser would argue that clicking on the link to load the page would be explicitly requesting the ads on the page, and that the cookies they place on your machine were explicitly requested with the simple action of visiting a URL. EU might be different, it looks pretty technically un-enforceable to me.

0

If this is really an issue for your site then host it somewhere outside of the EU. The last time I checked the EU cannot control the entire internet.

Craig T