Make cookies opt-in?

julian

@oplik0 -- @baris actually did do the bulk of the work to get us to the point where we can have session-less/cookie-less browsing for anonymous users. Still, it's not dead simple, but is at least doable

Jey-Cee 0

@julian Thank you for your answer and the work. I think its the best way to make it cookie less possible.
One last question: Can you block also cookies from 3rd party plugins, like google analytics?

julian

No, we don't control those. If you don't install the GA plugin, there won't be a GA cookie (at least, not on that particular domain)

0xA4B16

So we need someone to also work on a delay system for Google and Alexa cookies, which checks for the NodeBB status if customer has accepted or denied them.

julian

@0xA4B16 @Jey-Cee-0 Ah, I see what you mean -- and in that case, while we can add in a system that checks for cookie consent (saved via local storage, or ironically, maybe in a cookie), it is ultimately up to the plugin author to actually be compliant.

We can and should enforce the session cookie (even if it is not required, as @oplik0 mentions), but plugin compliance is harder (if not impossible) to guarantee in the cookie banner.

scottalanmiller

@julian said in Make cookies opt-in?:

Yes, there is unfortunately an issue with our cookie banner, in that it is only informational, and does not actually allow you to actively reject use of cookies.

They can leave the page. Using the site after knowing it has cookies is definitely opting in.

julian

@scottalanmiller I agree, but I don't want to find out what would happen were it to be challenged in a court of law

scottalanmiller

@julian said in Make cookies opt-in?:

@scottalanmiller I agree, but I don't want to find out what would happen were it to be challenged in a court of law

True, but the court case in question is about a pre-checked cookie box (implicit acceptance) rather than an explicit acceptance. Different than what is being discussed here.

Daniel Furth

@julian Is the new cookie feature already released? As far as I can guess from what I see in user and admin frontend, it is still only informational?

julian

@Daniel-Furth Yes and no. The cookie consent banner is still purely informational, but we no longer store cookies for anonymous users except for one case:

If an anonymous user stumbles onto a restricted page (e.g. /unread), they will be redirected to the login page. This saves their previous page so they we can re-direct them back to that page when they complete a login.