Codeigniter ci_session cookie(GDPR 问题)
Codeigniter ci_session cookie (GDPR problem)
我有一个用 CodeIgniter 编写的网站,默认情况下,它会在首次访问该网站时创建 ci_session cookie。客户请求使网站符合 GDPR。除了 google 分析,我没有添加任何 cookie 或本地存储。我确实向 php 会话变量添加了一些内容,但我认为它不属于 GDPR 范围。
所以,基本上我在网站加载时有以下 cookie:
- ci_session
- google 分析 cookie
我已经知道如何处理 google 分析 cookie,但 ci_session 让我感到困惑。据我了解,在第一页加载时,在客户同意之前绝对不允许使用 cookie。
我的问题是:"What would be the best way to disable the ci_session cookie before a user gave the consent?"
*Codeigniter 版本 2.1.7
GDPR 似乎很奇怪,除了在与持久标识符相关的独奏(背景信息,而不是法律)中提到之外,对 cookie 只字未提。 适用的是欧盟电子隐私指令,最终将被电子隐私法规(“ePR”)取代。 ePD 下的 UK ICO's guidance on cookies 表示:
There is an exemption if:
the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
This means you are unlikely to need consent for:
cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.
请注意,Google 根据此定义,分析不属于绝对必要;不过,这不仅仅是关于 cookie - 要防止的是 未经同意的跟踪 ,其中 cookie 只是实现它的一种方式,并从 [= 加载 javascript 30=] 确实在跟踪,即使他们不设置 cookie(可以设置 GA)。
虽然根本不应在初次访问时设置 cookie,但在获得任何同意机会之前,用于身份验证的第一方会话 cookie 绝对 符合“绝对必要”的条件技术目的,因此首先不需要同意。无论如何,当 window 关闭时,会话 cookie(根据定义)将被删除,但您甚至可以通过在注销时设置 Clear-Site-Data header 来抢占。
参考 CodeIgniter 如何处理此问题,我认为值得提交错误报告或避免调用任何会导致会话在登录前启动的内容。
我有一个用 CodeIgniter 编写的网站,默认情况下,它会在首次访问该网站时创建 ci_session cookie。客户请求使网站符合 GDPR。除了 google 分析,我没有添加任何 cookie 或本地存储。我确实向 php 会话变量添加了一些内容,但我认为它不属于 GDPR 范围。
所以,基本上我在网站加载时有以下 cookie:
- ci_session
- google 分析 cookie
我已经知道如何处理 google 分析 cookie,但 ci_session 让我感到困惑。据我了解,在第一页加载时,在客户同意之前绝对不允许使用 cookie。
我的问题是:"What would be the best way to disable the ci_session cookie before a user gave the consent?"
*Codeigniter 版本 2.1.7
GDPR 似乎很奇怪,除了在与持久标识符相关的独奏(背景信息,而不是法律)中提到之外,对 cookie 只字未提。 适用的是欧盟电子隐私指令,最终将被电子隐私法规(“ePR”)取代。 ePD 下的 UK ICO's guidance on cookies 表示:
There is an exemption if:
the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.
This means you are unlikely to need consent for:
cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website;
session cookies providing security that is essential to comply with data protection security requirements for an online service the user has requested – eg online banking services; or
load-balancing cookies that ensure the content of your page loads quickly and effectively by distributing the workload across several computers.
请注意,Google 根据此定义,分析不属于绝对必要;不过,这不仅仅是关于 cookie - 要防止的是 未经同意的跟踪 ,其中 cookie 只是实现它的一种方式,并从 [= 加载 javascript 30=] 确实在跟踪,即使他们不设置 cookie(可以设置 GA)。
虽然根本不应在初次访问时设置 cookie,但在获得任何同意机会之前,用于身份验证的第一方会话 cookie 绝对 符合“绝对必要”的条件技术目的,因此首先不需要同意。无论如何,当 window 关闭时,会话 cookie(根据定义)将被删除,但您甚至可以通过在注销时设置 Clear-Site-Data header 来抢占。
参考 CodeIgniter 如何处理此问题,我认为值得提交错误报告或避免调用任何会导致会话在登录前启动的内容。