Make cookies opt-in?

Jey-Cee 0

Hi there,

due to a new judgement of the European Court of Justice the visitor has to opt-in for cookies.

So we are looking for a possibility to ask the visitors for their OK before the forum set it. And if they say No we have to respect this and do net set a cookie. Law says a No isn`t a reason to block the access to the site.

I know the 'We are using Cookies' section but could not find a setting for opt-in.
Has anyone hints to this topic?

Greets
Jey Cee

julian

Yes, there is unfortunately an issue with our cookie banner, in that it is only informational, and does not actually allow you to actively reject use of cookies.

For all intents and purposes, we are talking about the NodeBB session cookie. We do not save any other kind of cookie.

The moment you land on the site, actually, you get a session cookie, whether or not you accept the cookie banner is irrelevant. We really ought to change this so it actually grants a choice, but it is not a light undertaking, since we would have to rewrite parts of the software that handle session data (if consent is not given).

oplik0

And actually I'm not entirely sure, but I think cookies that are needed for the service to work (like session cookie that would cause some problems when disabled by an anonymous user and make logging in impossible) don't actually need to be opt-in.
Still - it would be nice to have a uniform cookie opt-in banner that could be expanded in plugins. Even if you couldn't opt-out of session cookie due to the way NodeBB works. Because plugins that add analytics, or even some social media buttons might need that kind of a banner.

julian

@oplik0 -- @baris actually did do the bulk of the work to get us to the point where we can have session-less/cookie-less browsing for anonymous users. Still, it's not dead simple, but is at least doable

Jey-Cee 0

@julian Thank you for your answer and the work. I think its the best way to make it cookie less possible.
One last question: Can you block also cookies from 3rd party plugins, like google analytics?

julian

No, we don't control those. If you don't install the GA plugin, there won't be a GA cookie (at least, not on that particular domain)

0xA4B16

So we need someone to also work on a delay system for Google and Alexa cookies, which checks for the NodeBB status if customer has accepted or denied them.

julian

@0xA4B16 @Jey-Cee-0 Ah, I see what you mean -- and in that case, while we can add in a system that checks for cookie consent (saved via local storage, or ironically, maybe in a cookie), it is ultimately up to the plugin author to actually be compliant.

We can and should enforce the session cookie (even if it is not required, as @oplik0 mentions), but plugin compliance is harder (if not impossible) to guarantee in the cookie banner.

scottalanmiller

@julian said in Make cookies opt-in?:

Yes, there is unfortunately an issue with our cookie banner, in that it is only informational, and does not actually allow you to actively reject use of cookies.

They can leave the page. Using the site after knowing it has cookies is definitely opting in.

julian

@scottalanmiller I agree, but I don't want to find out what would happen were it to be challenged in a court of law

scottalanmiller

@julian said in Make cookies opt-in?:

@scottalanmiller I agree, but I don't want to find out what would happen were it to be challenged in a court of law

True, but the court case in question is about a pre-checked cookie box (implicit acceptance) rather than an explicit acceptance. Different than what is being discussed here.

Daniel Furth

@julian Is the new cookie feature already released? As far as I can guess from what I see in user and admin frontend, it is still only informational?

julian

@Daniel-Furth Yes and no. The cookie consent banner is still purely informational, but we no longer store cookies for anonymous users except for one case:

If an anonymous user stumbles onto a restricted page (e.g. /unread), they will be redirected to the login page. This saves their previous page so they we can re-direct them back to that page when they complete a login.