UK Cookie Law Compliance with PHP Sessions
Posted by adamhahnderson, 05-17-2011, 04:49 PM
As some of you may know, the UK has passed a law requiring informed consent for any cookie to be stored on a client computer when they visit your website. Unfortunately this seems to also encompass PHP session cookies. I have no desire to debate the pros vs cons of this law, however I do have a rather interesting task that I am trying to accomplish. Unfortunately, in my case, it is not possible for me to modify the source code of my website billing application. Thus, URL based sessions are out of the question. My goal is to rewrite the PHP session handler to be able to uniquely, securely, and persistently identify visitors to the website, and to store session data for each visitor. My initial idea is to store session data as a serialized array inside a file, relatively similar to existing session handling. The file would be named with the MD5 hex checksum of the concatenation of the User Agent and IP address. I understand that this is potentially insecure, but it is the best that I have come up with. Any ideas?

Posted by ValcatoAdam, 05-17-2011, 07:16 PM
User agent plus IP address really won't be unique enough, and it would make it very easy to hijack someone's session on an open wifi network. Have you considered appending a unique session ID to the query string instead of using cookies? (Assuming that isn't also covered by the law.)

Posted by adamhahnderson, 05-19-2011, 04:50 PM
No, you can use URL based session IDs without violating the law; however, it is something that I wish to avoid. URL query strings are not always preserved between visits to the website, which defeats the purpose. User agent + IP would work on open wi-fi networks as far as determining uniqueness due to the varying nature of user agents on the computers connected to it. The primary problem is determining uniqueness for business networks where all the computers likely use the same gateway IP address for HTTP traffic and all of the computers are configured identically. In those cases, relying on the user agent and IP would not get me the result I am looking for. This is for storing simplistic non-authenticated user preferences. If the user is required to log in, then they can agree to the T&C which say I am giving them a cookie to store the information. I am not particularly concerned about someone hijacking a pseudo-session that only controls a user color scheme or language preference.

Posted by ValcatoAdam, 05-20-2011, 06:14 AM
Ah, in that case then I can't think of any other way you could store the preferences. Could you maybe display a message asking for permission to store the cookie the first time the user changes their preference? (You might have to switch from using PHP's built in session management to setting the cookie manually in that case though.)

Posted by adamhahnderson, 05-20-2011, 04:00 PM
Any new visitor would need to be immediately prompted for this information should they choose to visit my website. In my personal opinion, this is relatively annoying and it is something I am looking to avoid. Additionally, users who decline would be prompted every time they visit my website. This would get relatively annoying after a while. In any case though, I made this post in the hopes that some of the WHT community might have some better suggestions beyond User Agent + IP checksums, and it seems that is really the only option.
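One way to implement the approach the thread settles on (a server-side fingerprint in place of a session cookie, for low-value preferences only), as an added example that is not the poster's code: an auto_prepend_file script that hands PHP's normal file-based session store a fixed ID derived from a keyed hash of User-Agent and IP, so the billing application's own session_start() keeps working unchanged. The secret file path, the function names and PHP >= 7.0 are assumptions.

```php
<?php
// Added example, not the poster's code. Deploy via php.ini:
//   auto_prepend_file = /path/to/fingerprint_session.php   (hypothetical path)
// Assumes PHP >= 7.0 and a random secret of 32+ bytes stored outside the web root.
// Limitation acknowledged in the thread: two clients sharing an IP and User-Agent
// (e.g. a NAT'd office) share one pseudo-session, so never key anything
// authenticated or sensitive on this.
declare(strict_types=1);

const FINGERPRINT_SECRET_FILE = '/etc/myapp/session-fingerprint.key'; // hypothetical

function fingerprintSessionId(string $userAgent, string $remoteAddr, string $secret): string
{
    // Keyed hash instead of plain md5(UA . IP): without the key, anyone who knows a
    // visitor's UA and IP can compute that visitor's session file name offline.
    // Hex output is valid for every session.sid_bits_per_character setting.
    return hash_hmac('sha256', $userAgent . "\0" . $remoteAddr, $secret);
}

function configureFingerprintSession(): string
{
    // No Set-Cookie header and no ?PHPSESSID= URL rewriting: the ID never leaves the server.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '0');
    // Strict mode would discard an ID that has no session file yet; PHP must create it.
    ini_set('session.use_strict_mode', '0');

    $secret = @file_get_contents(FINGERPRINT_SECRET_FILE);
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('fingerprint secret missing or too short');
    }

    // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy sets it.
    $id = fingerprintSessionId(
        $_SERVER['HTTP_USER_AGENT'] ?? '',
        $_SERVER['REMOTE_ADDR'] ?? '',
        $secret
    );

    // Must run before any session_start(). The application's own session_start(),
    // which we cannot edit, now picks up this ID and reads/writes sess_<id> as usual.
    session_id($id);
    return $id;
}

configureFingerprintSession();
```

Rotating the secret file invalidates every stored preference at once, which is the intended way to "log out" all fingerprinted sessions.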

Posted by sam0, 05-21-2011, 05:59 AM
If you're only storing data such as colour schemes or language then the useragent+ip or even just ip method would be fine IMO. If you wanted to make it even more secure you could use js/ajax to get more identifying data such as screen resolution; obviously this wouldn't be suitable for any kind of secure data.

Posted by Longbow-, 05-21-2011, 07:44 AM
You do not need consent if the cookie is 'strictly necessary'. Under the ICO recommendations, billing applications, including most login systems, would be classed as necessary. So if it is just billing software, I would leave it as it is.

Posted by fedupwiththenorm, 05-28-2011, 06:09 PM
Could someone point me to the UK law requiring this information?

Posted by quantumphysics, 05-28-2011, 06:11 PM
Does this only cover browser cookies? Flash LSO? Silverlight isolated storage? HTML5 local/session storage?

Posted by web-project, 05-28-2011, 06:20 PM
Most stupid law I ever heard; next will be a charge per email. http://www.t3.com/news/uk-websites-h...kie-law?=56941 http://localgovernmentlawyer.co.uk/i...sk-articles&q=
