No Code Attached Yet
avatar RichardZimmerEschborn
RichardZimmerEschborn
10 Nov 2022

Sorry for posting here, I did not find an issue tracker for the issue tracker!

Steps to reproduce the issue

  • Look at issue #39100
  • The last comment is from @rdeutz that he wants to block @wojtekxtx for 7 days.
  • For two days there was no Add a Comment field for me.
  • On Nov. 10 there is an Add a Comment field again.
  • So I try to take up the discussion.

Expected result

I am able to store the comment I wrote.

Actual result

I get the following messages when clicking Post Comment:

Submitting Comment ...

Invalid response received from GitHub.

System information (as much as possible)

FireFox on Debian Linux

Additional comments

Logged out of and logged in to GitHub again, still the same behaviour!

So that it does not get lost, here is the reply I wrote:


#39100
@HLeithner

You wrote:

within the gdpr you have to inform the user anyway about the session cookie, adding the language cookie as technical cookie isn't much extra effort.

I think that exactly this is an issue.

To my understanding a session cookie is not needed for public visitors who just surf and read the content and are not logged in to contribute in any way.

Therefore I would suggest that in an upcoming release there is a global option to disable the creation of any cookie for public visitors of the Joomla! website.

Having no cookies at all means, we do not need to inform end users about it. It would be good enough to state in the privacy policy that there is no data collected and that there are no cookies stored for public visitors.

Of course, if a user then registers, he needs to get informed about cookies. Even then he should have the option to accept technical cookies only or to not accept any cookies at all. The last option would force him to validate again and again for every page he is accessing since he is not known to the system.

Tell me if I am wrong.

@Hackwar

The argument that I am able to implement anything with my own code is polemic.

Yes. I can implement anything myself, I could even program my own content management system, but

  • Do I want that?
  • Do I have the time?
  • Would that bring Joomla! any further?
  • Why should I want to invent the wheel again, instead of helping to optimize an existing wheel?
avatar RichardZimmerEschborn RichardZimmerEschborn - open - 10 Nov 2022
avatar RichardZimmerEschborn RichardZimmerEschborn - change - 10 Nov 2022
Labels Removed: ?
avatar joomla-cms-bot joomla-cms-bot - change - 10 Nov 2022
Labels Added: No Code Attached Yet
avatar joomla-cms-bot joomla-cms-bot - labeled - 10 Nov 2022
avatar ReLater
ReLater - comment - 10 Nov 2022

Concerning the second part: Why again? Everything is said.

It would be good enough to state in the privacy policy that there is no data collected and that there are no cookies stored for public visitors.

  1. It's sufficient to state in the privacy policy that your site stores session cookies. Session cookies do not require consent. These cookies are needed by Joomla at some places even if a user is NOT logged in (just by the way). A technical requirement.

  2. You do NOT need to state in the privacy policy what your site does NOT do.

Therefore my question: You have a privacy policy. You would like to have a new setting in Joomla just to avoid one additional standard sentence or paragraph in the privacy policy?

I think that that would be a stupid idea! What comes next?

By the way: There is already a setting "Track Session Metadata" in Joomla configuration. This reduces stored session data to a minimum.

avatar HLeithner
HLeithner - comment - 10 Nov 2022

If you are able to create a pr, please make a concept of how it should work (step by step) and share it with us. If it's conceptually good and possible, maintainers will discuss it and give you feedback on whether we would merge such a pr. (That way would save you the time of creating a PR which is not accepted.)

Besides that, the issue tracker is not broken; the old issue has been locked by Robert.

avatar RichardZimmerEschborn
RichardZimmerEschborn - comment - 10 Nov 2022

@ReLater wrote:

It's sufficient to state in the privacy policy that your site stores session cookies. Session cookies do not require consent. These cookies are needed by Joomla at some places even if a user is NOT logged in (just by the way). A technical requirement.

Sorry, but this statement is not correct!

I do understand that Joomla! is using session cookies. But I do not see that it is a technical requirement. I do not see that it is impossible to program a website in a way that it can be viewed without sessions and cookies. Any simple web server is able to show pages without session cookies.

To make it clear: I understand that Joomla is using sessions (and session cookies to identify users) as a core feature. This means Joomla! is processing personal data. But that it works like this is a decision of the developers. It does not mean that it cannot be done without.

Further

The GDPR (in German DSGVO) applies whenever personal data is processed for someone called the controller (in German "Verantwortlicher") (article 4 §7) living in the European Union or if a website is aimed at European people (it does not matter if it is paid for or not).

If you read the GDPR Recital 32 Conditions for Consent (in German DSGVO Erwägungsgrund 32 Einwilligung) it says:

Consent should be given by a clear affirmative act ...
This could include ticking a box when visiting an internet website ...
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

This means that if the end user is not actively confirming that he accepts being identified through a session, it is not allowed to do so. And that concludes that Joomla! is violating European law, because Joomla! starts the session and sets a cookie before the end user has a chance to accept or deny it!

To make clear what we are talking about

GDPR Article 83 §5 states that:

Administrative fines shall ... be given to the following:
Infringements of the following provisions shall ...
be subject to administrative fines up to 20 000 000 EUR ...
the basic principles for processing, including conditions for consent

@HLeithner

Sorry I do not know what a pr is and I also do not know what a PR is.

Can you please explain what you want me to explain step by step? If I can, I certainly will. Thanks.

You wrote:

Besides that, the issue tracker is not broken; the old issue has been locked by Robert.

Robert wrote that he wants to lock it for one person, not for everyone. And after that there was no comment form visible. Two days later the comment form is visible again, but after long writing, trying to submit gives an error message without a hint of what happened.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39185.

avatar HLeithner
HLeithner - comment - 10 Nov 2022

Sorry, I think I mixed up 2 comments from 2 different persons; I thought you can write PHP code.

About the session cookie, there is so much discussion which I don't do anymore because if you ask 3 lawyers you get 5 answers. So until the EuGH says what's fact, everything else is talk between blind people.

Nevertheless I would really like to see Joomla without a session cookie (at some point I already wrote a proof of concept which does 0 database queries, meaning no session loading). But to be honest it's not so easy; most of the extensions (core and 3rd party) depend on a "user object" which may be empty, but they require it and maybe save information in the session store. It's hard to detect if it's really needed.

So if someone finds all the caveats and removes the user session for public access, I'm fully in favor of it.

avatar brianteeman
brianteeman - comment - 10 Nov 2022

The only thing worse than a joomla user talking about node is a joomla user talking about the law.

  1. The session cookie does not contain any personal identifiable information
  2. Joomla isn't breaking any law. If you think the session cookie requires consent then it is your site that is breaking the law
  3. The session cookie plays an important role in securing your site. (No, I won't discuss it here, but it is obvious if you read the code.)
avatar RichardZimmerEschborn
RichardZimmerEschborn - comment - 10 Nov 2022

@HLeithner
No problem, I learned so many languages PHP is just not one of them.
There is enough I can do to help. Even without coding. :-)

Well, it's simply reading the document. Just 99 articles, and only the first half is important for this discussion. Lucky that it is not eaten as hot as it is cooked. (Gives some time to discuss and work on it.)

If anybody is interested, this GDPR version is easy to read, switch between German and English and has links to the original papers.

Having no session and no cookies (meaning no personal data at all) would not only simplify the privacy statement but also all the provisions about documenting, processing and handling of personal data.

Maybe the following is an approach to simplify the technical problem

  • Have a global configuration switch to disable all cookies.
  • Have a fake session (let's name it public).
  • As long as there is no session cookie in the end user's browser, connect the user object to a copy of this fake session.
  • Just add a flag in the session table that it is a copy of the fake session.
  • Do not allow to log on as long as this flag is set.
  • All the other parts could work as they are used to because the copy of the fake session looks like a real session to them. Only without cookie.

If a user identifies himself, then create the session cookie and a real session without the public flag, as Joomla! is used to.

Of course no other cookies.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39185.
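The "public" fake-session approach proposed above, as an added example that is not Joomla code and not part of the original comment: a single request-scoped class that serves anonymous visitors a copy of the fake session (no session_start(), so no Set-Cookie header) and only creates a real, cookie-backed PHP session when a session cookie is already present or the request identifies the visitor. Class, method and form-field names (VisitorSession, open, username) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Joomla code: cookieless "public" session for anonymous visitors,
// following the proposed steps. Class and method names are hypothetical.
final class VisitorSession
{
    private bool $public;
    private array $store;   // the public copy lives only for this request; never persisted

    private function __construct(bool $public)
    {
        $this->public = $public;
        if ($public) {
            $this->store = ['public' => true];   // the flag marking a copy of the fake session
            return;                              // no session_start(), so no Set-Cookie header
        }
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                                   'secure' => !empty($_SERVER['HTTPS'])]);
        session_start();
        $_SESSION['public'] = false;
        $this->store = &$_SESSION;               // real session, as Joomla is used to
    }

    // $noCookiesForPublic is the proposed global switch; $identifying is true only for
    // the request in which the visitor logs in, the one way out of the public session.
    public static function open(bool $noCookiesForPublic, bool $identifying = false): self
    {
        $hasCookie = isset($_COOKIE[session_name()]);
        if ($noCookiesForPublic && !$hasCookie && !$identifying) {
            return new self(true);
        }
        return new self(false);
    }

    public function isPublic(): bool { return $this->public; }
    public function get(string $key, $default = null) { return $this->store[$key] ?? $default; }
    public function set(string $key, $value): void { $this->store[$key] = $value; }
}

// Usage on every request. Login handlers refuse while $session->isPublic() ("do not allow
// to log on as long as this flag is set") and call session_regenerate_id(true) on success.
// Checking for a posted "username" field is an assumption about the login form.
$identifying = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['username']);
$session = VisitorSession::open(true, $identifying);
```

Extensions that read the user object keep working against the public copy, but anything they set() on it is discarded at the end of the request, which is the caveat HLeithner raises about extensions that store information in the session.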

avatar alikon
alikon - comment - 10 Nov 2022

moving in a better place

avatar alikon alikon - change - 10 Nov 2022
Status New Closed
Closed_Date 0000-00-00 00:00:00 2022-11-10 19:57:02
Closed_By alikon
avatar alikon alikon - close - 10 Nov 2022
