Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-16176

No persistent cookies without user's consent



      PHPBB forums store multiple persistent cookies without actual need even on first visit without asking for permission before.

      While the forum makes no use of it, persistent cookies could be (ab)used for tracking purposes. This puts PHPBB forums at risk.


      • Use session cookies for the "sid" _session cookie.
      • Do not write persistent cookies before user consent.
      • In the cookie consent request popup, inform about lifetime of a persistent cookie and ask for active confirmation. An OK button is not sufficient, Users must actively make a check mark to express consent. Not my idea, blame the EU. Without consent, do not store persistent cookies.


      EU court decision quote:

      On those grounds, the Court (Grand Chamber) hereby rules:

      1.      (..)Consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user's terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.

      2.      ..

      3.      (..)the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.





            • Assignee:
              Marc Marc
              Knubbi Knubbi
            • Votes:
              1 Vote for this issue
              2 Start watching this issue


              • Created: