Question
I am just looking for some advice on the new UK Cookie Law and how it affects PHP sessions. I understand that you do not need the users to opt in when a cookie is "strictly necessary" and the example given is adding an item to a shopping cart.
I am using similar functionality that remembers what you have stored in a contact form, which I feel is strictly necessary use of a session and therefore no opt in is required.
However, the confusion for me arises because I have a session_start(); at the top of each page, which means the cookie is set straight away. Some users will not then go on to use the contact form, so this means that the cookie is not strictly necessary for them.
I could remove session_start(); from the top of each page, but this functionality is used throughout a number of websites and it would be preferable if we could leave it in.
Could anyone shed any more light on this?
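One way to keep the shared code but avoid setting the session cookie for visitors who never use the contact form is to make the session start lazy: resume a session only when the browser already sent a session cookie, and create one only from the contact form handler. The following is an added example, not code from the question or the answers; the function names and the form field names are hypothetical.

```php
<?php
// Added example (not from the original post): start the PHP session only when
// it is actually needed, so visitors who never touch the contact form never
// receive the session cookie. Function and field names are hypothetical.

declare(strict_types=1);

/**
 * Resume an existing session if the browser already sent a session cookie;
 * otherwise do nothing, so no Set-Cookie header is emitted on plain page views.
 */
function resume_session_if_present(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    // session_name() is "PHPSESSID" unless configured otherwise.
    if (isset($_COOKIE[session_name()])) {
        return session_start();
    }
    return false;
}

/**
 * Start a session unconditionally; call this only from the code path that
 * really needs server-side state (here: the contact form handler).
 * The cookie flags limit what a stolen or injected session id can do.
 */
function require_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        session_start([
            'cookie_httponly' => true,     // not readable from JavaScript
            'cookie_samesite' => 'Lax',    // not sent on cross-site POSTs
            'cookie_secure'   => $https,   // only over TLS when served over TLS
            'use_strict_mode' => true,     // reject session ids the server did not issue
        ]);
    }
}

// At the top of every page, replacing the unconditional session_start():
resume_session_if_present();

// In the contact form handler only:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['contact_message'])) {
    require_session();
    $_SESSION['contact_form'] = [
        'name'    => (string) ($_POST['contact_name'] ?? ''),
        'message' => (string) ($_POST['contact_message'] ?? ''),
    ];
}

// Pre-fill the form from the session when one exists, otherwise show blanks.
$saved = $_SESSION['contact_form'] ?? ['name' => '', 'message' => ''];
```

With this arrangement a visitor who only reads pages gets no Set-Cookie header at all, which can be checked with the browser's developer tools or with curl -I; the cookie appears only after the first contact form submission, and subsequent page views resume that session because the cookie is now present.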
Answer 1:
The simple answer is that you're probably going to be okay; the extent to which this law will even be enforced is massively up for debate anyway.
We will enforce the law proportionately. We'll look at the risks if and when customers complain to us. If a website's cookie and privacy is a risk to many people, we may then take action.
There is a balance to be struck though, as not all cookies are equal, and our enforcement approach will bear this in mind.
For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.
(Source: The ICO's Dave Evans on EU cookie law compliance)
Answer 2:
From what I have heard, the ICO is going to be fairly liberal in the interpretation of the law; the most important thing to do is show that you are making changes to comply with the spirit of the law.
I think that as the form is essential to the site, you don't need to prove that it is essential to 100% of users.
In an ecommerce site it is being taken as read that it's ok to have cookies that relate to the shopping bag without asking permission, as it is essential to the function of the site, even if a particular user doesn't actually add anything to their basket.
Answer 3:
No, I think the PHP sessions do not fall under the Cookie Law. There are a lot of differences between Cookie and Session.
For example, read here: http://php.about.com/od/learnphp/qt/session_cookie.htm
Also, if you read the law: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf
It says,
"The provisions of the amended Article 5(3) refer to any attempt to store information, or gain access to stored information, in a user’s equipment" (pg 57)
So you see, it says "user's equipment" and sessions are not stored there, they are stored at the server: http://ejvyas.blogspot.com/2010/02/where-is-stored-is-it-in-browser-or-at.html
Answer 4:
If you're able to store a PHP session cookie on a user's computer to enable the 'essential' functionality of your website - what stops you then associating additional information with that visitor without their consent/knowledge..? (Apart from it being illegal.)
After all, all the information you store - except the cookie ID which is client side - is kept on the server side and the user can't do anything to view/modify this?
So in short, if the user 'allows' you to store a PHP session cookie on their computer there's nothing to stop you storing lots of other data about their visit? - IP, Browser, OS etc...
Source: https://stackoverflow.com/questions/10399569/is-a-php-session-acceptable-with-the-new-uk-cookie-law