Cookies Policy should it be added or not? - cookies

We have a website where I store the user's country selection choice. I do not track it from their IP address or anything else.
Plus I use Google Analytics, which also uses cookies to store some data. Should I state that GA uses cookies, as it is a service which I use for analytics?
Now I am confused whether to show a message saying that we use cookies to enhance the user's experience on our website.

Yes, you should show the consent notice even if a third-party library uses them (eventually you use that data).
But you don't have to explicitly mention what is stored in cookies.
There are open-source, multi-language alternatives you can easily use to embed the consent notice into your UI.

Related

Web legal compliance

I have a website where I don't ask the user for any data, I don't create cookies, and I have only AWStats available in cPanel (preinstalled by the hosting maintainer).
Do I still need to show any legal information (i.e. GDPR, privacy policy, cookie policy) or can I omit all things?
Thanks
You don't need to make any mention of GDPR - that's just one of the applicable laws.
If you don't set any persistent third-party cookies and do not use any third party scripts that set third party cookies (like Google Analytics or Facebook buttons), you don't need a cookie pop-up.
Strictly speaking, your web logs may contain personal data in the form of IP addresses and user agent strings. That data can be reasonably kept for a short period, say 10-30 days, for the purposes of combating abuse, but after that you should either truncate logs or strip out data that can be associated with any individual - and this should be mentioned in your privacy policy too. AWStats typically generates aggregate info from raw logs, and that's fine, so long as it does not end up containing data that allows you to identify individuals (for example, don't store GeoIP data at resolution finer than a city).
You should still have a privacy policy - a policy is just that, it's not something visitors need to agree to, it just tells them how you handle their data. If you don't collect data, don't set cookies, don't share with any third parties, then that's what it needs to say. You don't need a separate cookie policy, especially if you're not using them beyond what's "strictly necessary".
Make sure you have set all applicable HTTP security headers, and (if you're not already) you should be using HTTPS, even for a static site.
Run your site through Webbkoll and Cookiebot to check how the outside world sees it.
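The log-retention point in this answer (keep raw IP addresses and user agents only for a short abuse-handling window, then strip them) is the kind of thing worth automating. The following is an added example, not code from the answer or from AWStats: a small Python anonymiser for Apache/nginx "combined" access logs that keeps lines younger than a retention window untouched and, for older lines, truncates IPv4 addresses to /24 and IPv6 to /48 and blanks the referer and user-agent fields, so aggregate statistics still work but no individual can be picked out. The 14-day window and the three log lines are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Retention window after which identifying fields are stripped. The answer
# suggests 10-30 days; 14 is an assumed value for this example.
RETENTION = timedelta(days=14)

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def truncate_ip(ip_text: str) -> str:
    """Keep only the network part of an address: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymise_line(line: str, now: datetime) -> Optional[str]:
    """Return the line unchanged while it is within RETENTION, an anonymised
    copy once it is older, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    logged_at = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    if now - logged_at <= RETENTION:
        return line.rstrip("\n")
    # Older than the window: truncate the address, drop referer and user agent,
    # keep what aggregate statistics (e.g. AWStats) still need.
    return (f'{truncate_ip(m["ip"])} - - [{m["time"]}] "{m["request"]}" '
            f'{m["status"]} {m["size"]} "-" "-"')


def anonymise_log(lines: List[str], now: datetime) -> List[str]:
    """Apply anonymise_line to every line; unparseable lines are dropped."""
    out = []
    for line in lines:
        result = anonymise_line(line, now)
        if result is not None:
            out.append(result)
    return out


# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LINES = [
    '203.0.113.42 - - [01/Mar/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5123 '
    '"https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"',
    '2001:db8:abcd:1234::1 - - [01/Feb/2024:08:00:00 +0000] "GET /about HTTP/1.1" 200 812 '
    '"-" "curl/8.5.0"',
    '198.51.100.7 - - [22/Mar/2024:18:45:01 +0000] "POST /contact HTTP/1.1" 302 0 '
    '"https://example.org/contact" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0"',
]
# Fixed "current time" so the example is reproducible.
NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in anonymise_log(SAMPLE_LINES, NOW):
        print(entry)
```

Run it as a daily job over rotated log files and write the result to a new file rather than editing in place; the unparsed-line policy (drop) is deliberate, since a line the regex cannot read might still carry an address.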

Google NID Cookie

I'm not sure if this is the right stack to ask this in so if not please let me know!
I am trying to get a handle on what cookies are used on a site and what they are for. When I initially did a cookie scan I noticed a cookie named NID which was set by Google.
I have tried to research this cookie and can see it is used by Google for advertising purposes.
But I am confused about why and where this is being set, the site I am looking at does not use advertising anywhere, although it does use embedded YouTube videos.
Can anyone shed any light on when and why this cookie is set?
According to Google:
Most Google users will have a preferences cookie called ‘NID’ in their browsers. A browser sends this cookie with requests to Google’s sites. The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language (e.g. English), how many search results you wish to have shown per page (e.g. 10 or 20), and whether or not you wish to have Google’s SafeSearch filter turned on.
For me, the cookie was hammered incessantly by the URL https://www.google.com/s2/favicons?domain=example.org, which was being used by the CookieBro & FeedBro RSS feeder browser add-ons for retrieving icons associated with various domains. The cookie can be dropped either by an add-on or by Google itself.
I used the cookie log via the CookieBro add-on for Firefox & Chrome to detect these cookies in real time; it's one of a kind. However, I did not realize it was CookieBro dropping them until the next step below.
To see what background connection is occurring when these cookies are placed, enter the following Firefox URL: about:cache?storage=disk&context= and you will see when and where the Google URL is being connected to.
It is said this cookie is for targeting & ads, and Google's settings are integrated to make the cookie inconvenient to delete for Google users.
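The question here is really a provenance question: which response set a given cookie, and is that responder first- or third-party relative to the page? Below is an added example (not from the question or the answers) that takes a capture of the Set-Cookie headers observed while loading a page, such as you would export from a browser's network panel, and produces that inventory. The page URL, the cookie values and all attributes are constructed; the favicon URL is the one named in the answer. The registrable-domain check uses the last two host labels, which is an assumed simplification (a real tool would consult the public suffix list).

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse one Set-Cookie header into name, value and attributes.
    Attribute names are lower-cased; valueless flags (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip()
    return cookie


def site_of(host: str) -> str:
    """Naive registrable-domain approximation: the last two labels.
    Assumption for this example; a public-suffix-list lookup is the real thing."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inventory(page_url: str, responses: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Map every Set-Cookie seen while loading page_url to the resource that
    set it and classify it as first- or third-party relative to the page."""
    page_site = site_of(urlsplit(page_url).hostname or "")
    rows = []
    for resp in responses:
        host = urlsplit(str(resp["url"])).hostname or ""
        for header in resp["set_cookie"]:
            c = parse_set_cookie(header)
            # Domain attribute wins over the responding host when present.
            effective_domain = (c.get("domain") or host).lstrip(".")
            rows.append({
                "name": c["name"],
                "set_by": resp["url"],
                "domain": effective_domain,
                "party": "first" if site_of(effective_domain) == page_site else "third",
                "secure": "secure" in c,
                "httponly": "httponly" in c,
                "samesite": c.get("samesite"),
                "persistent": "expires" in c or "max-age" in c,
            })
    return rows


# Constructed capture: a page, its own cookies, and the favicon request from
# this answer. Cookie values are placeholders, not real identifiers.
PAGE = "https://www.example.org/"
RESPONSES = [
    {"url": "https://www.example.org/",
     "set_cookie": ["country=DE; Path=/; Max-Age=31536000; SameSite=Lax; Secure",
                    "session=CONSTRUCTED; Path=/; HttpOnly; Secure; SameSite=Lax"]},
    {"url": "https://www.google.com/s2/favicons?domain=example.org",
     "set_cookie": ["NID=CONSTRUCTED_VALUE; Domain=.google.com; Path=/; "
                    "Expires=Sat, 01 Jan 2030 00:00:00 GMT; HttpOnly; Secure; SameSite=None"]},
]


def third_party_cookies(page_url: str = PAGE, responses=RESPONSES) -> List[str]:
    """Names of cookies set by a site other than the page's own."""
    return [r["name"] for r in inventory(page_url, responses) if r["party"] == "third"]


if __name__ == "__main__":
    for row in inventory(PAGE, RESPONSES):
        print(f'{row["name"]:10} {row["party"]}-party  domain={row["domain"]}  set by {row["set_by"]}')
```

The "set_by" column is what answers the original question: a third-party cookie on a site with no advertising usually traces back to an embedded resource (a favicon service, a video embed, a font), and that URL is what a cookie policy or a consent tool needs to account for.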

Google Analytics and cookies

My question is: I'm developing a website and I want to monitor analytics with Google Analytics. However, I've been reading articles about cookies and I don't understand whether I need to program my website with some kind of cookies in order to use Google's tool, or if I simply don't need to do anything on my website.
Thanks
To do tracking you simply need to insert the code snippet that you can get from the GA admin interface.
However since you are in the EU you need to point out to your visitors that they are being tracked on your web page and that the site uses cookies to do so (and I think you need to provide an opt-out, although that might be a German thing). This is mandated by the European Privacy directive, which is sometimes referred to as "Cookie Law" (technically incorrect, since it is neither a law nor specifically about cookies), so maybe this gave you the idea that you need to do extra programming.
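Both this answer and the first answer on the page (show a consent notice, but you need not list what each cookie stores) come down to one server-side decision: emit the analytics snippet only after the visitor has agreed, and record that choice in a cookie of its own. The following is an added example, not code from either answer or from Google: a minimal Python rendering function that parses the request's Cookie header, shows the banner when no choice has been recorded, and includes the tracking snippet only when the choice is "granted", so "denied" works as the opt-out the answer mentions. The cookie name, its lifetime and the snippet placeholder are assumptions; the real snippet is the one copied from the GA admin interface.

```python
from typing import Dict, Optional

CONSENT_COOKIE = "cookie_consent"          # assumed name; a strictly necessary cookie
CONSENT_MAX_AGE = 180 * 24 * 3600          # assumed lifetime: 180 days
# Placeholder: the real snippet is copied from the GA admin interface.
GA_SNIPPET = "<!-- GA_SNIPPET_PLACEHOLDER: tracking code from the GA admin interface -->"


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Parse a request Cookie header ('a=1; b=2') into a dict."""
    cookies: Dict[str, str] = {}
    if not header:
        return cookies
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def analytics_allowed(cookies: Dict[str, str]) -> bool:
    """Analytics may load only after an explicit 'granted' choice; no cookie
    (no choice yet) and 'denied' (opt-out) both mean no tracking."""
    return cookies.get(CONSENT_COOKIE) == "granted"


def consent_set_cookie(choice: str) -> str:
    """Set-Cookie value recording the visitor's choice. Secure and SameSite=Lax
    keep it from being sent in cross-site contexts; it holds no personal data."""
    if choice not in ("granted", "denied"):
        raise ValueError("choice must be 'granted' or 'denied'")
    return f"{CONSENT_COOKIE}={choice}; Max-Age={CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax"


def render_page(cookie_header: Optional[str], body: str = "<p>Hello</p>") -> str:
    """Render a page: the snippet goes in only with consent, the banner only
    while no choice has been recorded. Both decisions are made server-side,
    so no tracking request is ever issued before consent."""
    cookies = parse_cookie_header(cookie_header)
    head = GA_SNIPPET if analytics_allowed(cookies) else ""
    banner = ""
    if CONSENT_COOKIE not in cookies:
        banner = ('<div id="consent">This site uses cookies for Google Analytics. '
                  '<a href="/consent?choice=granted">Accept</a> '
                  '<a href="/consent?choice=denied">Decline</a></div>')
    return f"<html><head>{head}</head><body>{banner}{body}</body></html>"


if __name__ == "__main__":
    print(render_page(None))                                   # banner, no tracking
    print(render_page("country=DE; cookie_consent=granted"))   # tracking, no banner
    print(consent_set_cookie("denied"))                        # header for the opt-out
```

The /consent endpoint (assumed) would respond with the header from consent_set_cookie and redirect back; because the decision is made when the HTML is produced, the analytics script is never even fetched by a visitor who has not agreed, which is easier to demonstrate to an auditor than a client-side toggle.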

How to uniquely identify computers that access a website

I have to uniquely identify computers that access my website. The only solution I found so far is storing an ID in a cookie or something similar to identify the browser, but my problem is that you could copy the cookies and use them in another browser. Is there any way to detect if the cookie is copied, or some better way to identify the computer?
There is no reliable way to uniquely identify a browser, because there is nothing that prevents two computers from having the exact same configuration (operating system, browser, location, cookies, Flash configuration, etc.).
The best that we can do is to gather as much information about the browser as possible. This is a well-known approach called browser/device fingerprinting. Although the result is not perfect, it is quite good. A browser's fingerprint typically includes browser name, operating system, fonts, plugins installed, etc. You can test how unique your browser is using https://panopticlick.eff.org/.
PHP has an array called $_SERVER which is an associative array with information such as the visitor's IP, which can be used in conjunction with cookies. JavaScript also offers the "navigator" object, which contains information about the browser. You can save that information to a cookie and if it doesn't match the browser they use on the next visit, it would indicate they are not using the same browser.
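The last suggestion above (save browser attributes alongside the cookie and compare on the next visit) only detects copying if the saved attributes cannot simply be copied along with the cookie. The following is an added example, not the answer's code: a Python session cookie bound to a hash of a few request attributes with an HMAC under a server secret, so that the same cookie presented from a browser with a different User-Agent or Accept-Language fails verification, and an edited cookie fails too. The secret and the two header sets are constructed for the example. As the answer says, this is not a reliable identifier: a client that reproduces the bound headers passes, and a legitimate browser update changes them, so treat a mismatch as a reason to re-authenticate rather than as proof of theft.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed server-side secret; in production load it from configuration.
SERVER_SECRET = b"CONSTRUCTED-SECRET-replace-me"

# Request attributes the session is bound to: few and fairly stable. The IP
# address is deliberately left out (mobile clients change it constantly).
BOUND_HEADERS = ("user-agent", "accept-language")


def client_digest(headers: Dict[str, str]) -> bytes:
    """SHA-256 over the bound request attributes, header names matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    material = "\n".join(lowered.get(h, "") for h in BOUND_HEADERS).encode()
    return hashlib.sha256(material).digest()


def _tag(secret: bytes, session_id: str, headers: Dict[str, str]) -> str:
    """HMAC over the session id and the client digest; only the server can compute it."""
    return hmac.new(secret, session_id.encode() + b"|" + client_digest(headers),
                    hashlib.sha256).hexdigest()


def issue_session(headers: Dict[str, str], secret: bytes = SERVER_SECRET) -> str:
    """Create a cookie value 'session_id.tag' for the requesting client."""
    session_id = secrets.token_urlsafe(24)
    return f"{session_id}.{_tag(secret, session_id, headers)}"


def verify_session(cookie_value: str, headers: Dict[str, str],
                   secret: bytes = SERVER_SECRET) -> Tuple[bool, str]:
    """Return (ok, reason). Fails when the cookie is malformed, edited, or
    presented by a client whose bound attributes differ from those at issuance."""
    session_id, sep, tag = cookie_value.partition(".")
    if not sep or not session_id or not tag:
        return False, "malformed"
    expected = _tag(secret, session_id, headers)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "client-mismatch-or-tampered"
    return True, "ok"


# Constructed request headers for two different browsers.
FIREFOX = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0",
           "Accept-Language": "en-GB,en;q=0.5"}
CHROME = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0",
          "Accept-Language": "de-DE,de;q=0.9"}

if __name__ == "__main__":
    cookie = issue_session(FIREFOX)
    print(verify_session(cookie, FIREFOX))   # (True, 'ok')
    print(verify_session(cookie, CHROME))    # (False, 'client-mismatch-or-tampered')
```

Set the cookie with HttpOnly, Secure and SameSite so that copying it requires access to the machine in the first place; the binding above is a second layer, and a failed check is best handled by invalidating the session and logging the event.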

Does HTML5 web storage (localStorage) offer a security advantage over cookies?

I was looking up alternatives to cookies and I've read about HTML5 web storage here, and I've read a simpler explanation here, but I still don't get how it works fully. Can someone offer a slightly non-technical explanation so that I can then understand the technical bits? It says browsers have to store key-value pairs, but where and how is it stored, and why is it inaccessible to other sites? Why isn't it considered just another form of cookies?
I'm looking for a thorough and complete alternative to cookies; as in, if my organisation wants to move all its websites from using cookies to an alternative such as web storage, can we easily say 'Yes' to that requirement? Let's assume only the latest browsers are used.
How and in what ways does web storage enhance security when compared to cookies? Does it have the potential to compromise security in other ways? Is there someone with real-life experience who can share the pros and cons?
The differences between localStorage and cookies
Both cookies and localStorage are protected from access by unrelated domains by the Same Origin Policy.
The difference is that localStorage is only accessible through JavaScript, whilst cookies are accessible through JavaScript¹ and sent with each HTTP request.
There isn't much of a security benefit of using localStorage as opposed to cookies. The difference between the two is because the goal is different: localStorage can be used for things you'll only use in JavaScript, whilst cookies can be used for storing things you need on the server (as well).
Both can be accessed by anyone that has access to the browser of a user's computer and both localStorage and cookies can be accessed by JavaScript that is executed on the web page. (For the latter, see the exception below.)
You can see this if you enter localStorage or document.cookie in the browser console.
¹ You can set the HttpOnly flag on a cookie so it isn't accessible through JavaScript.
How to use localStorage
Since there is already a lot of information available on using localStorage, I will just refer to two web sites documenting it:
DOM Storage at the Mozilla Developer Network
Local Storage at Dive Into HTML5
How the data is stored
How the data is stored differs per browser. Below, I give information on how Mozilla Firefox stores cookies and local storage.
Note: instructions on how to find your Firefox profile are available in this article at Mozilla Support.
Cookies
Firefox stores your cookies in your profile folder in a file named cookies.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, moz_cookies.
Table structure
The table is structured as follows:
Table contents
Here is a part of the contents of my cookies.sqlite database:
LocalStorage
Firefox stores your localStorage data in your profile folder in a file named webappsstore.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, webappsstore2.
Table structure
The table is structured as follows:
Structure of the column contents:
scope: <the domain name in reverse>:<the protocol>:<the port number>
key: the name of the stored value
value: the stored value
secure: this column isn't used
owner: this column isn't used
Table contents
Here is a part of the contents of my webappsstore.sqlite database:
This is the same as the data that I get when I type localStorage in the console at the web page https://login.persona.org.
Conclusion
As you can see, data from both cookies and local storage is stored by the browser in the same way. If you are concerned about the safety of data that is being stored at the user's computer, localStorage offers no security benefit over cookies.
In fact, it may even be a greater risk, because you can set cookies to expire after a certain time, whilst localStorage won't expire. Thus, data saved in localStorage may remain on the user's computer for longer than it would have if you had used cookies.
(If, however, you only need to store data for the duration of a single session, you can use sessionStorage instead of localStorage.)
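The answer's point that the browser stores both kinds of data the same way, but only cookies carry an expiry, can be checked directly against the two profile files it names. The following is an added example, not the answer's own tooling: a Python script that reads moz_cookies from cookies.sqlite and webappsstore2 from webappsstore.sqlite, decodes the reversed-host scope format the answer describes, and reports an expiry for each cookie and none for each localStorage entry. To run offline it builds an in-memory stand-in for the two databases; that stand-in uses a reduced column set (the real moz_cookies table has more columns than the ones queried here) and a scope value with a trailing dot, both of which are assumptions. Point open_profile_db at a copy of the real files to inspect an actual profile.

```python
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List


def parse_scope(scope: str) -> str:
    """Turn a webappsstore2 scope ('<reversed host>:<protocol>:<port>') into an origin."""
    reversed_host, protocol, port = scope.rsplit(":", 2)
    host = reversed_host[::-1].lstrip(".")   # undo the reversal; drop a leading dot if present
    return f"{protocol}://{host}:{port}"


def list_cookies(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Cookies with their expiry (moz_cookies.expiry is Unix seconds) and flags."""
    rows = conn.execute(
        "SELECT host, name, value, path, expiry, isSecure, isHttpOnly FROM moz_cookies"
    ).fetchall()
    return [{
        "host": host, "name": name, "value": value, "path": path,
        "expires": datetime.fromtimestamp(expiry, tz=timezone.utc).isoformat(),
        "secure": bool(sec), "httponly": bool(http),
    } for host, name, value, path, expiry, sec, http in rows]


def list_local_storage(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """localStorage entries; there is no expiry column, so 'expires' is always None."""
    rows = conn.execute("SELECT scope, key, value FROM webappsstore2").fetchall()
    return [{"origin": parse_scope(scope), "key": key, "value": value, "expires": None}
            for scope, key, value in rows]


def open_profile_db(path: str) -> sqlite3.Connection:
    """Open a profile database read-only (copy the file first if Firefox is running)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_profile() -> sqlite3.Connection:
    """Constructed in-memory stand-in for cookies.sqlite and webappsstore.sqlite
    with a reduced column set; the values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT,
            path TEXT, expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER);
        CREATE TABLE webappsstore2 (scope TEXT, key TEXT, value TEXT, secure INTEGER, owner TEXT);
        INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly)
            VALUES ('.example.com', 'session', 'CONSTRUCTED', '/', 1900000000, 1, 1);
        INSERT INTO webappsstore2 (scope, key, value)
            VALUES ('moc.elpmaxe.:https:443', 'token', 'CONSTRUCTED');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_profile()
    for row in list_cookies(db) + list_local_storage(db):
        print(row)
```

Running this against a real profile is a quick way to audit what a site leaves behind: anything sensitive in webappsstore2 stays there indefinitely, which is the answer's argument for keeping secrets out of localStorage and using sessionStorage or an expiring cookie instead.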
It sounds like you're looking at formulating a company-wide policy with respect to use of cookies in web application development.
As such, for a company-wide policy, be careful to consider not only your typical webapp where the server produces HTML+JavaScript, but also any potential web APIs that company web applications may be publishing. Such web APIs may be for AJAX purposes, but also may be for consumption by other types of client, for example B2B data feeds, that may rely on some form of persistence on the consumer end. For example, a "browser" like Twilio only understands TwiML, as opposed to HTML+JS, and local storage is not applicable there. And if a webapp that interfaces with Twilio relies on persistent storage, local storage is not an option (whereas cookies are).
This is not to say that such applications, if they exist or will exist in your organization, cannot be (re-)designed to avoid the need for client-side persistence. This is to say that local storage may not necessarily always be available in all contexts to provide an alternative to cookies.
Otherwise, user2428118's answer nicely contrasts the two technologies.