Ganfyd:Cookies

This site will have put third-party cookies on your computer unless you took prior precautions not to allow this. Many browsers will allow you to delete these cookies. Some browser add-ins, such as NoScript in its default configuration, will block the third-party cookies this site uses.
  • If you are just visiting the site, you can disable cookies in your browser without impairing your individual immediate enjoyment of the site.
  • To log in you must allow site cookies.
  • If you allow cookies you contribute to our ability to improve the site, but you will be allowing third-party tracking cookies that tell us which pages on the site were visited recently. We have no other way of identifying currently popular pages.
  • We have not yet implemented code to honour do not track requests for technical reasons.

Cookies

Ganfyd uses cookies (HTTP cookies) to allow site functionality and monitoring of activity on the site over time. Both uses are interpreted as storing data that is necessary for technical reasons. For example, a login will set cookies, and administrators of the site use cookie information to prioritise page accuracy for the most popular pages at any one time. Ganfyd cannot disable the cookies it uses, but you may, if you wish, use the site with software that prevents the use of cookies. Privacy setting options in most modern browsers allow you to block third-party tracking cookies. Blocking third-party cookies on Ganfyd will not impair any one-off individual user experience, as it only impairs the development of popular pages on the site.

The cookies that facilitate interaction with a user, particularly a logged-in user, are provided as part of the functionality of MediaWiki, the open source software that this wiki runs on. These cookies may allow personalization for a logged-in user. Third-party cookies provided by Google Inc are used to monitor site activity and have helped in page development.

Definitions

An HTTP cookie is a piece of text data (file) stored by a website within a browser, and then subsequently sent back to the same website by the browser. Cookies were designed to be a reliable mechanism for websites to remember things that a browser had done there in the past, which can include having clicked particular buttons, logging in, or having read pages on that site months or years ago. Typically, they contain at least two pieces of information: a site name and a unique user ID. Other text may be appended but is not interchanged externally once created. However, what was created might have been sent from the server, so the server can cross-reference back using the unique user ID.

Session cookies

Session cookies are text files that allow a site to link the actions of a visitor during a single browser session. They are not stored long term and are usually considered "less privacy intrusive" than persistent cookies.

Persistent cookies

These remain on the user's device between sessions and allow one or several sites to remember details about the visitor. They may be used by marketers to target advertising or to avoid the user having to provide a password each visit.

First-party cookies

A cookie is classed as being first-party if it is set by the site being visited. This is termed the domain, which can also relate to subdomains. It might be used to study how people navigate a site.

Third-party cookies

A cookie is classed as third-party if it is issued by a different server to that of the domain being visited. It could be used to trigger a banner advert based on the visitor's viewing habits.

Potential problems

These mainly relate to tracking cookies, and especially third-party tracking cookies, which have commonly been used as a way to compile long-term records of individuals' browsing histories. It is not known whether the third-party tracking cookies used on Ganfyd could be used in this way, as Ganfyd has had no control over their content or the way they have actually been used, independent of why they were installed on the website to monitor usage. It is suspected that users have minimal cause for fear in this regard, as the third party chosen by Ganfyd, Google Inc, would suffer legally, reputationally and commercially if it failed to comply with European privacy regulations. However, it has been fined by regulatory authorities for failing to respect privacy settings[1], so nothing is guaranteed.

Technical

Ganfyd specific

Paradoxically, the only way to easily remove a default message on cookies, to stop it annoying users, is to set a cookie! In any case, since we rely on external software, and modifying this software to create a persistent cookie is not trivial and would have to be done at each upgrade, for the moment we have a persistent message on cookies.

  • The wiki cookies are:
    1. wikidbLoggedOut - contains time logged out : 2 day expiry
    2. wikidb_session - login session current : expires end session
    3. wikidbUserID - numeric id if you log in : 1 month expiry
    4. wikidbUserName - your log in name : 1 month expiry
  • The third-party cookies are (more details at Google analytics cookies):
    1. __utma - captures a lot of time related activity : 2 year expiry
    2. __utmb - captures some time related activity : Day expiry
    3. __utmc - session data : Session expiry
    4. __utmz - captures referrer URL : 6 month expiry

Wider context

A definitive specification for cookies was published as RFC 6265 in April 2011. Browsers are designed to handle cookies as securely as possible. It is recommended on general grounds that you use Ganfyd with an up-to-date browser, as historically some browsers had problems in how they handled cookies. Browsers are now designed to cope with cookie lengths of up to four kilobytes, and at least 20 cookies per server or domain.

Cookie attributes

Cookies have a name–value pair (cookie crumb), but HTTP servers can also set several other cookie attributes:

  • Cookie domain
  • A path
  • Expiration time or maximum age
  • Secure flag
  • HttpOnly flag.

Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.
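The attribute handling described above, as an added example that is not Ganfyd or MediaWiki code: a simplified model of the RFC 6265 rules for storing a Set-Cookie header and choosing what goes into the Cookie request header. The host wiki.example and the header values and attributes are constructed; the cookie names are taken from the list above, and the default path is assumed to be "/".

```javascript
// Added example: simplified model of RFC 6265 handling, not Ganfyd or MediaWiki code.
// Assumption: the default path is "/" (a browser derives it from the request path).
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;                       // no name: the cookie is ignored
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: requestHost.toLowerCase(),
              hostOnly: true, path: '/', secure: false, httpOnly: false, expires: null };
  let maxAgeSeen = false;                        // Max-Age takes precedence over Expires
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) { c.domain = val.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'path' && val.startsWith('/')) c.path = val;
    else if (key === 'max-age' && /^-?\d+$/.test(val)) { c.expires = now + Number(val) * 1000; maxAgeSeen = true; }
    else if (key === 'expires' && !maxAgeSeen && !Number.isNaN(Date.parse(val))) c.expires = Date.parse(val);
    else if (key === 'secure') c.secure = true;
    else if (key === 'httponly') c.httpOnly = true;
  }
  return domainMatches(requestHost, c) ? c : null; // a Domain the setting host is not part of is rejected
}
function domainMatches(host, c) {
  host = host.toLowerCase();
  return host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain));
}
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) && (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}
// The attributes decide which stored cookies apply to a request (or to page script).
function matching(jar, url, now, forScript) {
  const u = new URL(url);
  return jar.filter(c => (c.expires === null || c.expires > now)   // null = session cookie
    && domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path)
    && (!c.secure || u.protocol === 'https:')                      // Secure: HTTPS only
    && !(forScript && c.httpOnly));                                // HttpOnly: hidden from script
}
// Only name=value pairs leave the browser; the attributes are never sent back.
const pairs = cs => cs.map(c => `${c.name}=${c.value}`).join('; ');
const cookieHeaderFor = (jar, url, now) => pairs(matching(jar, url, now, false));
const documentCookieFor = (jar, url, now) => pairs(matching(jar, url, now, true));
// Constructed sample: two Set-Cookie headers received from wiki.example.
const NOW = Date.parse('2012-05-25T00:00:00Z');
const jar = [
  parseSetCookie('wikidb_session=abc123; Path=/; HttpOnly', 'wiki.example', NOW),
  parseSetCookie('wikidbUserName=Alice; Path=/; Max-Age=2592000; Secure', 'wiki.example', NOW),
];
console.log('http :', cookieHeaderFor(jar, 'http://wiki.example/index.php', NOW));
console.log('https:', cookieHeaderFor(jar, 'https://wiki.example/index.php', NOW));
```

The model has no notion of a browser session ending, so a session cookie stays in the jar until it is removed by hand.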

Do Not Track

As of 2012 there is no agreed standard, although the major browsers will all have implemented this feature by year end. The website DoNotTrack provides more details. Microsoft has a test page which illustrates the multiple different implementations that exist. We would have to alter our wiki PHP code, and in the past we have run into upgrade issues when we have done this. Reference server-side code exists.

Legal

Europe

Ganfyd is hosted in Europe. The 2002 European Union telecommunication privacy Directive contains rules about the use of cookies. Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if:

  • The user is provided information about how this data is used;
  • The user is given the possibility of denying this storing operation.

However, this article also states that storing data that is necessary for technical reasons is exempted from this rule.

UK

The UK law changed on 26 May 2011 with implementation on 26 May 2012. Guidance based on these laws says:

  • Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
  • If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
  • You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.

To comply with this requirement a default site notice about cookies was added to every page on 25 May 2012. We apologise if this impairs the user experience for those more used to accessing web pages from other jurisdictions.

References