Hi guys,
Thought I'd chuck my 2p in. My coffee is still brewing so it's likely I'll put together a better post later!
Session Cookies
----------------------------
Last time I checked the ICO accepted that these were service essential. Their site, in fact, sets a session cookie without permission, tells the user it's happened and asks about the other cookies.
My opinion is that setting session cookies should be OK under law, so long as you can justify their existence (i.e. it's not to track a user's clicks etc). I doubt the ICO will pursue anyone for it, but it is a gamble. Whilst I completely agree with the idea that the user has explicitly requested a page, it's an argument you'd ultimately have to make in court!
For that reason, my intention is to provide the Site Admin the option to allow blocking of the session cookie. If I can figure out a way to replicate the functionality of the session cookie without setting it then it's another step forward (no hard ideas yet though). Because for many sites it is service essential, it's been a low priority in all honesty.
Once I've squashed a few IE7 (*spit*) bugs, we'll be launching Virya Cookie Monster later. You can see it in action on http://www.viryasoftware.com.
To the user, it's largely an altered version of the Kookie Grab module. We have however made a few changes that will benefit the Site Admin (given that they are transparent to visitors). Some of these, I've seen no signs of others thinking about:
Search Engine Friendly
------------------------------------
The biggest issue I have with a lot of the solutions out there is that they don't discriminate between search engines and real visitors. It doesn't matter if we prevent Google from seeing Google-Analytics code, but it does matter if we are blocking an extension that actually contains content.
To use an example, assuming K2 sets cookies (must check, keep using it as an example!), Search Engine crawlers won't be able to see any of that content as they won't know to accept cookies.
As a side effect of the logic used to identify search-engines, I've also been able to give Site Admins the option to 'deflect' known bad-bots.
Auto-Detection
------------------------
This for us, was a key bit. Based on experience, not every Joomla admin is going to know about cookies, much less which extensions are a cause for concern.
We are going to build a back-end component that will auto-detect extensions and allow the admin to add them to the correct ACL with a click of a button. Due to time constraints (8 days to go!) we decided there wasn't time to get this out before the Law begins to be enforced, so the module comes with a Standalone PHP script that does the same (communicates with the DB on our server).
This is where we really need community support. There are too many extensions out there for us to add them all ourselves, so the more people who run the script and report cookie-setting extensions the better (we'll also be making the API for the DB available once work is complete on it)!
Others
------------
We've also added the ability to select a 'Theme'. At the moment there's Corporate and Fun (the one in use on VS), and you can select from Banner or Lightbox mode (Page Peel should be coming later!).
I'm planning on pushing VCM out of the door today, but have quite a lot to get done first. As much as I hate supporting Internet Explorer 7, I don't think I've much choice in this instance. We also need to address an issue with ecommerce sites.
Chris: I can't say for certain with regards to Joomla, but a session cookie should not be required for basic sites. Anything where the user might as well be reading a static site (i.e. they can't interact to change things like font-size) shouldn't require the session cookie.
The problem is, web developers have been (rightly IMHO) using sessions to store user preferences for a long, long time. There will be extensions out there that store data in the session because it is the most appropriate place for it. The end result is, if you block session cookies some things may well break.
Security etc, however, shouldn't be an issue on one proviso: if a user logs in, you'll need to work on the basis that they've accepted the session cookie. There's no other easy way around it. You can't tie the login to their IP because they may be behind a proxy (hence every user of that proxy will be 'logged in'). You could perhaps combine IP and UserAgent, but it's a huge risk to take (what if they are on a homogeneous network?).
In all honesty, though, for a lot of sites I think disabling the session cookie will only lead to complaining users. It doesn't matter what the law says, if something isn't working then users will be quite vocal.
Anyway, my coffee has finished brewing and I'm feeling like I may be rambling a little so I'll sign off now!
Ben
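The approach Ben describes above (no session cookie for anonymous page views, but once someone logs in or posts a form you treat the session cookie as accepted) can be done in plain PHP by starting the session lazily. This is an added example, not code from Ben's post or from Virya Cookie Monster; it assumes PHP 8 and a hypothetical consent cookie named `cookie_consent`.

```php
<?php
// Added example: start a PHP session only when it is actually needed, so
// anonymous read-only visitors are never handed a session cookie.
declare(strict_types=1);

const CONSENT_COOKIE = 'cookie_consent';   // hypothetical consent marker

/** True when the visitor already carries a session cookie or has consented. */
function visitor_accepts_cookies(array $cookies): bool
{
    return isset($cookies[session_name()])
        || (($cookies[CONSENT_COOKIE] ?? '') === 'yes');
}

/** True for requests that cannot work without a session (login, form posts). */
function request_requires_session(string $method, string $path): bool
{
    return $method === 'POST' || str_starts_with($path, '/login');
}

/**
 * Decide whether to call session_start() for this request.
 * Returns 'started' when a session is (now) active, or 'skipped' for an
 * anonymous GET that has neither consent nor an existing session cookie.
 */
function maybe_start_session(array $server, array $cookies): string
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    $path   = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';

    if (!visitor_accepts_cookies($cookies) && !request_requires_session($method, $path)) {
        return 'skipped';   // plain page view: no Set-Cookie header is sent
    }
    if (session_status() === PHP_SESSION_NONE) {
        // Harden the cookie at the moment we do decide to set it.
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($server['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
    return 'started';
}

echo maybe_start_session($_SERVER, $_COOKIE), PHP_EOL;
```

Extensions that stash preferences in `$_SESSION` for anonymous visitors will still break under this scheme, exactly as the post warns; the login and POST paths keep working because the session exists from the first request that needs it.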