Hey guys,
I was asked by a client about how compliant their Matrix-powered site is with the rollout (today) of new cookie laws in the EU.
Knowing Squiz has loads of really NB public clients across all sectors (including government) I was wondering what’s been planned around this? Or if there is any fix to remove the automatic cookies dropped into the browser by Matrix (no matter how harmless they are)?
This is how the ICO see Cookies being handled: http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx
More information here:
- http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf
- http://www.mykeblack.com/seo/eu-cookie-directive
Interesting that the ICO use a cookie to store your preference for cookies, although by that point you have already opted-in.
This does seem like it should be a browser vendor issue; I guess the EU sees an individual agreeing to 'browse' does not justify an innate complicity for their full browsing experience. Telling people a cookie has been set post fact seems impractical, as is asking every person to agree to cookies at each session, as is setting a cookie to accept cookies.
Even the ICO had to send one cookie to the browser (which they state: "This session cookie is set on a user’s arrival to the site – at which time they’re informed that the cookie has been set – and is deleted when a user leaves the site.")
Anyway, there is one cookie by default dropped by Matrix: SQ_SYSTEM_SESSION - does anyone know what this is 'doing'? It leaves a string on the browser for 48 hours. You get about 6 when you /_admin.
I was looking earlier at some Squiz sites:
SQ_SYSTEM_SESSION Value 5cr63pm0qqlos711sp69dclup6 Host .www.domain.co.uk Path / Secure No Expires Tue, 31 May 2011 16:15:33 GMT
machine-id Value 109.174.149.178%3A1300124884681 Host www.domain.co.uk Path / Secure No Expires Sun, 31 Dec 2023 00:00:00 GMT
I think the ICO is rather after the second cookie - personal ID saved over a long period.
Anyway, it would be good to have as much information as possible to at least arm us all when the legal departments start asking questions!
The SQ_SYSTEM_SESSION cookie is the Matrix cookie. It just stores your PHP sessionid so we can store data as part of the standard PHP session system. Once logged in, your userid will be stored in the session file (on the web server) and the cookie tells Matrix where that session file is. If you are not logged in, it normally stores nothing (except the fact you are not logged in) unless the implementation is storing values in there, like recent pages viewed or products in your cart.
Thanks Greg. Would it be accurate to describe this cookie as "essential" for the site to operate?
It's essential for particular features to operate. For example, sticky forms, ecommerce and potentially more. Practically, it will vary from site-to-site.
If your site sits in front of a proxy cache (ie. Squid), then cached pages don't send out the cookie or create a user session, even now. A user only gets a cookie when they hit the origin server (Matrix). So for pages that operate fine being served from a cache, you could say they would also operate fine without the SQ_SYSTEM_SESSION session cookie (however, as soon as you navigate to a page that does require a cookie—like a login page, or custom form or something like that—the cookie will need to be set or the feature won't work).
Is Squiz.co.uk behind a proxy cache? I'm still seeing cookies being dropped into the browser etc?
[quote]
Is Squiz.co.uk behind a proxy cache? I'm still seeing cookies being dropped into the browser etc?
[/quote]
Yes, squiz.co.uk is behind a Squid cache. Cookies are sent when you hit Matrix directly (ie. you get a cache MISS on the proxy or hit an uncachable page).
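One way to build the cookie inventory this thread is asking for, as an added example (not Squiz's or Matrix's code): it parses Set-Cookie headers, computes each cookie's lifetime and flags long-lived cookies, IP addresses embedded in values, and missing Secure/HttpOnly attributes. The header strings, the observation time and the one-year threshold are assumptions constructed from the cookie values quoted above.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Constructed Set-Cookie headers. Names, values, hosts and expiry dates are the
# ones quoted in the thread; the header form itself is an assumption.
SAMPLE_HEADERS = [
    "SQ_SYSTEM_SESSION=5cr63pm0qqlos711sp69dclup6; expires=Tue, 31 May 2011 "
    "16:15:33 GMT; path=/; domain=.www.domain.co.uk",
    "machine-id=109.174.149.178%3A1300124884681; expires=Sun, 31 Dec 2023 "
    "00:00:00 GMT; path=/",
]
# Assumed observation time (not given in the thread): 48 hours before the
# session cookie's expiry.
OBSERVED = datetime(2011, 5, 29, 16, 15, 33, tzinfo=timezone.utc)
LONG_LIVED = timedelta(days=365)  # review threshold chosen for this example
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def audit(header, now=OBSERVED):
    """Parse one Set-Cookie value and return its lifetime and review flags."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    opts = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        opts[key.strip().lower()] = val.strip()
    lifetime = None  # None: no Expires/Max-Age, dropped when the browser closes
    if "max-age" in opts:  # Max-Age wins over Expires (RFC 6265)
        lifetime = timedelta(seconds=int(opts["max-age"]))
    elif "expires" in opts:
        when = parsedate_to_datetime(opts["expires"])
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        lifetime = when - now
    flags = []
    if lifetime is not None and lifetime > LONG_LIVED:
        flags.append("long-lived")
    if IPV4.search(unquote(value)):
        flags.append("ip-in-value")
    if "secure" not in opts:
        flags.append("no-secure")
    if "httponly" not in opts:
        flags.append("no-httponly")
    days = None if lifetime is None else lifetime.total_seconds() / 86400
    return {"name": name, "lifetime_days": days, "flags": flags}

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit(h))
```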