Larry Ullman's Book Forums


I need to create a modal dialog plugin that enables visitors to opt in to allow cookies. If the user opts out then he can't access the part of the site that uses cookies. If the user opts in, on subsequent visits the opt in box is not displayed. If cookies are not used then the opt in box is not displayed.

 

I think(?) I can do most of this but do not know how to detect if a site uses cookies. I was thinking that I may have to create a front end to allow the website owner to define what cookies the site uses. But is it possible to dynamically detect if a site uses cookies, and how would you do so? Also, if you have any suggestions re creating this plugin, please post them. Thanks.


It's kind of ironic, but in order to remember that a user doesn't want to allow cookies you have to actually use a cookie.

 

You can detect the absence of cookies from both JS and PHP, but since you're on the JS board, I'll assume that you want to use JS to do this.

The easiest way to test for the absence of cookies in JS is to check the length of the document.cookie property.

For example, place the following in your JS:

 

alert(document.cookie.length);

 

If 0 is alerted, then no cookies are (currently) being used. Otherwise, 1 or more cookies exist.

I could explain how to parse and edit cookies here, but it's actually kind of annoying to do in JS, and Larry already talks about this in his JS book, not to mention any number of good resources online.

 

If you want to go the JS route, please check out an appropriate resource.

My personal recommendation though would be to use local storage (which is only supported in HTML5), which has a much more powerful, secure and easy-to-use API than cookies in JS.

 

Also, you can manage cookies in PHP, which is a lot easier than JS cookies. If you want to avoid using cookies, you could use sessions instead, which are stored on the server. Please note though that all sessions implicitly create a cookie on a user's machine so that your script knows which session data on the server to associate with which user.

 

Basically, if you want your site to remember anything at all, you're going to have to store some sort of information on the user's machine. Honestly, I don't think it's necessary to tell the user about this though. There's no legal requirement, and users only seem to mind the kinds of cookies that might hold onto personal information, which you can ask them about, and then use a single cookie as a flag variable to remember the user's choice.


Thanks for the reply. I agree with most of what you write regarding use of cookies... however a new EU cookie law is about to come into effect and certain companies need/want to be seen to comply.

 

I'm actually more comfortable using PHP than JS and I have some experience with setting and using cookies on my own sites but not creating a plug in to detect cookies on another site so any suggestions are much appreciated.


As far as I know, it's not possible to detect the cookies being set on another site unless you get some sort of consent from that site and they provide some sort of API for accessing that information.

For example, Facebook does that, which is why other sites can detect whether you're logged into Facebook or not, etc.

 

If that EU law does become a reality, and it shakes things up that much, I imagine that all the main browser makers will be compelled to comply, at which point, other options will present themselves, but as of now, you can't readily access the cookie information set by another site.


Apologies if I have inadvertently miscommunicated the new EU cookie law - it "requires websites to obtain consent from visitors to store or retrieve any information on a computer or any other web connected device, like a smartphone or tablet".

 

The plugin I'm creating will be implemented on several different sites, so I'm considering different options for determining what/if/how many cookies are being used, to ensure the plugin can be implemented easily.

 

The HTML5 local storage option is attractive for new sites but currently many users are still on IE7. Also a lot of sites use cookies for analytics.

 

Anyway - I just bought this book and am looking forward to its arrival. From the comments on this forum, it sounds like it lives up to the standards Larry has set with his other books.


Well, like I said in my previous post, regardless of what option you go for (even sessions), a cookie or some sort of information will be stored on the user's local machine.

There are two ways around this, although neither is ideal for what you're looking for, I think.

One is to append the session UID onto the end of the URL for all relevant pages on your site. However, this is actually less safe than having that info stored in a cookie.

The other is to force the user to log in to your site in order to save ALL of their data in a DB, but then, you're essentially forcing your users to register with your site, etc. just to save some personal settings.

 

Truth is, I don't know anything about the EU law, but if it's really so dumb as to say that ABSOLUTELY NO cookies can be saved on a user's machine without due warning, well then, pardon my French, but it's dumb as hell.

 

Sorry, didn't mean to get all worked up there, but I highly recommend getting the details of the law before you worry about cookies to this level.

 

As a random side note, you can easily test whether local storage is enabled in a user's browser, and use it if it is, and use a session/cookies if it's not. That might be the most ideal solution.


You can imagine that the debate over this issue is huge in Europe and as 26 May grows ever closer so the debate and anxiety about compliance increase. Ironically most people don't know about this new law and come 26 May when dialog boxes and warning bars start popping up on sites, those who never knew or cared about cookies may get concerned.

 

My question is not about using or not using cookies - I do know that information will be stored on the user's machine and the user can disable cookies himself if he chooses. I'm not necessarily looking for ways round the storing of information. The client has several sites that he just wants to drop in a plugin with minimal effort. The plugin will inform the site visitor that cookies are being used - a modal dialog box that asks the visitor to opt in or out. If the site visitor opts in then all is hunky dory and a cookie gets dropped on his machine to not display the dialog box on future visits. If the visitor opts out, well I'm still waiting for the client to decide what he wants to happen. What would you do?


If the client doesn't allow cookies, then you pretty much have no choice but to give them the dialog box every time.

If I were you, I'd do two things:

 

1) Get the details of the EU law ASAP (I'm actually planning on doing this myself this afternoon because you've piqued my interest).

2) Spread the word about the law. In other words, spread the truth about the law, and perhaps get people to oppose it. How do you think SOPA got shot down in America? No less than Google and Wikipedia boycotted the heck out of it till everyone in the world knew about the stupidity of the US government.

 

Anyway, I'll try and look into the details this afternoon and get back with you.


margaux, I spent a couple of hours researching the new EU cookie law today, and my conclusion is this: It's super vague, as if it were written by a bunch of politicians/lawyers that don't understand the first thing about technology.

 

I suspect that the law was left vague on purpose so that each country in the EU can decide at a later time exactly how they want to interpret the law. The good news is that I think you can use this vagueness to your advantage.

 

For example, if you use only sessions, then the only "cookie" that will be stored on a client's machine by your site will be a file that contains the random session UID for your site. While this is technically a cookie, I honestly don't think that the politicians considered this when ratifying the law, and from what I can tell, the law is designed to notify users about cookies that track their online behavior, which is not the same as a session UID cookie.

 

Furthermore, there is the issue of enforcing this law, and I honestly do not suspect that they will be able to get any sort of system set up to accurately track all this cookie info. And even if they do get even remotely close to doing so, a site like yours (if it's purely relying on sessions) will be so far down their priority list (if your site even shows up on their radar in the first place) that I don't think you have to worry.

 

Point being, if you stick with sessions and all persistent data is used purely for making the user's browsing experience better, I seriously doubt you will ever be noticed, much less get in trouble for not notifying users about the "cookies" being used on your site.

 

That's just my two cents though.


I appreciate your taking the time to look into the law and to suggest ways around it but I think you're missing the point of my question. I am not trying to get around the law and it doesn't matter what my opinion is - I'm trying to give the client what he wants.

He wants me to build a plug in to drop into his websites. On arriving at the site, the visitor is presented with a dialog which explains what cookies are used and why, and asks the user to opt in or opt out. If the visitor opts out, he can still browse around the site but with cookies disabled - how do I dynamically disable the site's cookies? Would this be easier to do in PHP or JavaScript?


It'd be easier to dynamically disable cookies from JS, because with PHP, you'd have to reload the page based on the user's response.

Anyway, you don't really want to "disable" cookies, you simply want to check what the user chose, set the user's choice to a flag (Boolean) variable, and if they don't want cookies, simply do not perform any operations that involve setting or referencing cookies. It's that simple.


Are you sure it's cookies and not global cookies they won't allow? Jon talked about "tracking users online", which is what a super cookie does. Normal cookies do not do this. I've seen debates on the use of super cookies, but none on normal ones. From a legal perspective, I also believe the law is about personal information and not plain settings. The reason behind this must be to secure the anonymity of users online, not to prevent basic settings from being stored. Just some thoughts.

 

Glad Norway is not a part of EU...


I am not very experienced with JavaScript so please forgive the basic questions.

 

do not perform any operations that involve setting or referencing cookies

I know nothing about the website which is going to use this plugin, so how do I get it to not perform operations that involve cookies?


Antonio, what's the difference between a "cookie" and a "super cookie"? I don't even know. Is that an official distinction that's made?

 

From studying the EU cookie law as best I could yesterday, what I could surmise was that it's very vague and makes no distinction between the various types of cookies out there. At the same time though, it did specifically state that the intention of the law was to notify users of cookies that track the user and use personal info about the user.

 

I suppose that over time, various countries in the EU will iron out the details of the law. I can only hope that in time, judiciary restraint is shown with the law, and at least some modicum of sanity is brought to this insane law.

 

I really feel like the Internet used to be like the wild west, but now it's slowly being reeled in and being more strictly controlled. Darn shame, too!

 

margaux, to answer your question, as the plug-in maker, it's not your responsibility to make the users of your plug-in (i.e., the developers of the site) properly avoid all cookie operations, that's their responsibility.

 

Basically, when you design any sort of JS library/API, your main goals should be the following:

 

1) Make sure the code works the way it's supposed to.

2) Properly document the library so that anyone that knows nothing about your library can quickly drop it into their code and use it.

 

Regarding the second point, it's really up to you to decide how you want users to use your library, but my thought process was that your library would automatically prompt the end users (the people surfing the website) with a prompt, and based on the choice they make, set some sort of flag variable in a global object that you created. From there, you need to instruct the developers using your library that they need to first test the value in that flag variable before performing any cookie operations. The code below is an example of what I mean. Note that I'm using localStorage, and not cookies, because the JS "API" for cookies is annoying, confusing and tricky to use.

 

Before

localStorage.name = "user's-name-here"; // placeholder for the value being stored

After

if (cookieDetector.cookiesAllowed) {
  // Only store data once the visitor has opted in.
  localStorage.name = "user's-name-here";
}

 

In my example, I'm assuming that your library contains the global cookieDetector object with a Boolean property called cookiesAllowed, which is set based on the end user's choice.

 

Well, hopefully that'll get you started.

As a side note, if you're not familiar with JS, taking on a project of making a JS library might be a bit difficult.

Given that this law is going to affect the whole EU, I imagine there are already similar libraries available, which you may want to study in order to design your own library for your client.

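The flag-variable design from the post above, as an added example that is not code from the thread: besides exposing `cookieDetector.cookiesAllowed`, it shadows the `cookie` accessor so script writes are dropped until the visitor opts in, and it logs the names that were refused. `createCookieDetector`, `findAccessor`, `blocked`, the `cookieConsent` key and the `FakeDocument` stand-in are assumptions; cookies set by `Set-Cookie` response headers (a PHP session, for instance) never pass through `document.cookie` and are not affected.

```javascript
// Added example, not code from the thread. `cookieDetector.cookiesAllowed`
// follows the post above; every other name here is hypothetical.

// Constructed stand-in for the browser's `document`, so this runs under Node.
class FakeDocument {
  constructor() { this.jar = new Map(); }
  get cookie() {
    return [...this.jar].map(([k, v]) => `${k}=${v}`).join("; ");
  }
  set cookie(str) {
    const pair = str.split(";")[0];
    const eq = pair.indexOf("=");
    if (eq > 0) this.jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
}

// `cookie` is an accessor defined on a prototype, so walk up the chain.
function findAccessor(obj, prop) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  throw new Error(`no ${prop} accessor found`);
}

function createCookieDetector(doc, storage) {
  const KEY = "cookieConsent"; // hypothetical storage key
  const original = findAccessor(doc, "cookie");
  let choice = null; // null = visitor has not been asked yet
  try { choice = storage.getItem(KEY); } catch (e) { /* storage unavailable */ }

  const detector = {
    get cookiesAllowed() { return choice === "yes"; },
    get needsPrompt() { return choice === null; },
    blocked: [], // names of refused cookies, useful as an inventory
    record(allowed) {
      choice = allowed ? "yes" : "no";
      try { storage.setItem(KEY, choice); } catch (e) { /* prompt again next visit */ }
    },
  };

  // Shadow the accessor on this document: reads pass through, writes are
  // dropped (and logged) unless the visitor has opted in.
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return original.get.call(doc); },
    set(value) {
      if (detector.cookiesAllowed) original.set.call(doc, value);
      else detector.blocked.push(String(value).split("=")[0].trim());
    },
  });
  return detector;
}

function demo() {
  const doc = new FakeDocument();
  const mem = new Map(); // constructed localStorage stand-in
  const storage = {
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
    setItem: (k, v) => { mem.set(k, v); },
  };
  const cookieDetector = createCookieDetector(doc, storage);
  doc.cookie = "analytics_id=abc123; max-age=31536000"; // no choice yet: dropped
  const before = doc.cookie;
  cookieDetector.record(true); // visitor clicks "allow"
  doc.cookie = "analytics_id=abc123; max-age=31536000"; // now stored
  return { before, after: doc.cookie, blocked: cookieDetector.blocked, saved: mem.get("cookieConsent") };
}
```

In a browser, pass the real `document` and `localStorage`, and load the script before any other script that writes cookies.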

Yes, there are distinctions, but I cannot guarantee the names I used are what they are known as.

 

It's mainly the large companies that have gotten criticism for this. Sites like Google, and several more I cannot remember, were caught tracking the user's activity online even when they were searching other pages than their own. This is an article about this from a respected Norwegian information technology website. I looked it over with Google Translate now. It works fine to get the essence:

 

"Third party cookies" is the name used at digi.no.

 

http://www.digi.no/876017/nettbrukere-spores-med-%ABsupercookies%BB

my thought process was that your library would automatically prompt the end users (the people surfing the website) with a prompt, and based on the choice they make, set some sort of flag variable in a global object that you created. From there, you need to instruct the developers using your library that they need to first test the value in that flag variable before performing any cookie operations.

This was my thought process too, and I've put together a script that does that (I may ask you for help turning it into a plugin). But the guy I'm doing this for says it is possible to disable the cookies for the website that the plugin is used in. Not that I want to do this, but the only way I can think of is to get document.cookie, parse through it for each occurrence of expires or max age and overwrite it - is that feasible? I was hoping this could be a learning experience for me but this is not the kind of programming I like doing.

"Third party cookies" is the name used in the UK and there is a confusion over which types of cookies are allowed. Some say cookies used for online shopping are okay because clicking 'add to cart' is implicitly giving consent. Others say it is for all cookies.


Yes, you can easily scan through document.cookie and overwrite the expires field for all the cookies if you want. That is indeed easy to do.

I recommend doing a quick Web search about cookies in JS, which should turn up any number of articles for parsing and deleting cookies.

You can very easily write a function that would do what you want.

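One way to write the scan-and-expire function discussed above, as an added example that is not code from the thread. `document.cookie` returns only `name=value` pairs and omits `HttpOnly` cookies, so the code cannot read an existing `expires` field; it rewrites each visible name with a past date for every candidate path and domain, because a cookie is only removed when both match. All function names and the sample values are constructed.

```javascript
// Added example, not code from the thread; names and sample values are constructed.

// Split the string returned by document.cookie into [name, value] pairs.
// The string holds names and values only: no Expires, Path or Domain.
function parseCookieString(cookieString) {
  const pairs = [];
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("="); // first "=" only; the value may contain more
    const name = eq === -1 ? "" : trimmed.slice(0, eq);
    const raw = eq === -1 ? trimmed : trimmed.slice(eq + 1);
    let value = raw;
    try { value = decodeURIComponent(raw); } catch (e) { /* keep raw on bad escapes */ }
    pairs.push([name, value]);
  }
  return pairs;
}

// Every path prefix of the page: "/cart/view" -> ["/", "/cart", "/cart/view"].
function candidatePaths(pathname) {
  const paths = ["/"];
  let current = "";
  for (const segment of pathname.split("/").filter(Boolean)) {
    current += "/" + segment;
    paths.push(current);
  }
  return paths;
}

// Host-only (null = no Domain attribute) plus each parent domain above the TLD.
function candidateDomains(hostname) {
  const labels = hostname.split(".");
  const domains = [null];
  for (let i = 0; i < labels.length - 1; i++) domains.push(labels.slice(i).join("."));
  return domains;
}

// Build the strings to assign to document.cookie. `keep` lists names to leave
// alone, such as the cookie that remembers the visitor's choice.
function expiryStrings(cookieString, location, keep = []) {
  const out = [];
  for (const [name] of parseCookieString(cookieString)) {
    if (keep.includes(name)) continue;
    for (const domain of candidateDomains(location.hostname)) {
      for (const path of candidatePaths(location.pathname)) {
        out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}` +
                 (domain ? `; domain=${domain}` : ""));
      }
    }
  }
  return out;
}

// Constructed sample input so the block runs outside a browser.
const SAMPLE_COOKIES = "consent=yes; _ga=GA1.2.111.222; theme=a%3Db";
const SAMPLE_LOCATION = { hostname: "shop.example.com", pathname: "/cart/view" };
const SAMPLE_EXPIRY = expiryStrings(SAMPLE_COOKIES, SAMPLE_LOCATION, ["consent"]);
// In a browser: for (const s of expiryStrings(document.cookie, location, ["consent"])) document.cookie = s;
```

Expiring cookies this way does not stop the site's own scripts or server from setting them again on the next request.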

Thanks for the reply. I agree with most of what you write regarding use of cookies... however a new EU cookie law is about to come into effect and certain companies need/want to be seen to comply.

 

Sorry, I had to reply to this. Firstly, you need cookies enabled in your Browser to successfully navigate almost every website on the Internet including Google.

What is this EU cookie law? Is the default for everyone to browse the Internet with cookies disabled, which means not being able to really browse at all? It's gone too far, this EU thing, controlling every aspect of people's lives. No doubt the eurocrats thinking up these laws have no idea of how websites and scripting languages work.


No, it's not that extreme, mrRon, although the laws were admittedly very ambiguous at first.

Larry recently made a good post with recent and relevant links at the bottom of the following thread:

http://www.larryullman.com/forums/index.php?/topic/1336-ie10-and-tracking-cookies-and-eu-legislation/#entry11588

 

Please check that out for a more complete explanation.


Larry recently made a good post with recent and relevant links at the bottom of the following thread:

http://www.larryullm...ion/#entry11588

 

 

Yes, I read the article within the post. Here is a quote from it:

 

"here’s the bottom line: under the rules, which cover the whole of the European Union, websites must ask visitors for their consent before they can install most cookies."

 

This is ridiculous as it would require a pop-up or something on almost every website in the "world" preventing immediate surfing of that website until consent has been given by the visitor to allow information to be stored on their browser.

 

It doesn't make any sense why they would want to do this. It seems to me to be a bunch of people in Brussels with nothing better to do than to sit around making people's lives as miserable as possible.

Wait and see: next they'll be controlling the type of content you are allowed to download and eventually what browser you use! You might not think it, but this is fascism at work.

And third, not all cookies are subject to the rules. Data that’s considered necessary for the basic functioning of the website — the session cookies used for tracking a basket of goods up to the checkout, for example — don’t require consent, because it’s implied by the simple fact they’re trying to use the site in the first place.

 

I would argue that settings fall into this category, given that the cookie is only created following an action done liberally by the user, of course. The same argument can be made for a cookie created after a user clicks a "remember me" check box upon login. I may be totally wrong here, but the end goal is really to prevent a website from saving personal information without communicating why and how this is done.

 

What do you think of the examples provided? Do you agree, folks?


I agree with you, Antonio. The law mainly seems to focus on third-party cookies designed to collect lots of personal information to make better YouTube recommendations, etc.

 

As the article Larry linked to stated, if a cookie is central to the functioning of the site (e.g., for a shopping cart), you do not have to get consent from the user. In other words, I don't think this law will affect most sites.

 

Also, mrRon, I do agree with you in that the Internet is slowly being reined in by the governments of the world. They were slow to figure it out, but now that they understand the power of and the effect the Internet has on people, they're very quickly trying to break it up and control it.


I have three thoughts. First, as is often the case, I think governments/bureaucracies are trying to address a legitimate concern and have come up with a rather blunt, imprecise law for doing so. But, still, a reasonable interpretation of the law suggests that the law is not entirely unreasonable.

 

Second, I totally disagree with MrRon's assertion that "you need cookies enabled in your Browser to successfully navigate almost every website on the Internet including Google". If cookies are required to navigate a site, that site is doing something seriously wrong. Yes, cookies can be used to improve my experience, but if I'm not logging in (and a few other similar examples), cookies are absolutely not required. I highly doubt cookies need to be required by half the Web sites I visit every day, if not a higher percentage. The suggestion that cookies are required "to successfully navigate almost every website on the Internet including Google" demonstrates a lack of understanding of cookies and Web development in general.

 

Third, I think equating this with fascism, or even making that association at all, shows a complete lack of understanding of what fascism was. This law, flaws or not, is about consumer protection. Suggesting it's fascist, or on the road of fascism, is absurd, and I cannot take seriously the arguments of anyone who would suggest otherwise.


If cookies are required to navigate a site, that site is doing something seriously wrong.

 

What about all the shopping carts etc. that use PHP sessions, which store the session reference on a user's browser before a user has even registered an account or logged in?

But apart from this, how do you police the new laws?

I mean, if I live in the USA or somewhere outside the EU, and I access a website hosted on servers within the EU that require me to accept cookies, do I have to be notified?

If my website is hosted on servers located outside of the EU but I live in a country within the EU, must I notify people they need to accept cookies for a particular action?

It's all so vague and really cannot be policed; again, more wasted money on eurocratic decisions.

