
Cookie Consent Module....

Developer Preview

Robin Sowell
13,255 posts
13 years ago

Hey all- just a note that the Cookie Consent module is up on key_lime. It wasn’t included in the Friday release because it’s meant to go in the third_party folder, so got stripped out of the build.

You can download it: http://expressionengine.com/labs/key_lime/download/cookie-consent-module.zip

Inside the zip is a readme text file- be sure to look over it and note that the module folder should be dropped into third_party.

       
Brian Litzinger
704 posts
13 years ago

I installed it, then it logged me out of the CP and I can’t get back in unless I manually remove the rows from the ext and mod tables to uninstall it.

I see:

The following errors were encountered cookie_consent_required Return to Previous Page

       
Robin Sowell
13,255 posts
13 years ago

Yep- check the readme- once it’s installed? It won’t let you login (front or backend) unless you have a consent cookie.

What you’ll want to do is put some way to set that cookie on the site.

So for the login form(s):

<input type='checkbox' name='cookie_consent' value='y'/>  <span  class="alert">Allow Cookies</span>

Or you can use the module tag- show the ‘set cookie link’ and have the cookie added that way.

But yes- once installed, if that cookie isn’t set? No cookies will be set and no login allowed without that cookie (or a post value indicating the cookie should be set).

Make sense?

       
Brian Litzinger
704 posts
13 years ago

That would require editing the CP login form, right?

Why not just add this to the install method:

$expires = 60*60*24*365;  // 1 year
$this->EE->functions->set_cookie('cookies_allowed', 'y', $expires);

I would think anyone with the ability to install a module would inherently accept cookies?

       
Robzor
86 posts
13 years ago

Just my 2p:

Personally I’m not sure why this module is enabled at all for the admin login page. As Brian has quite rightly said, it would mean that you have to either a) edit the CP login form (not ideal) or b) visit the front-end of the website at least once and/or click the consent link before you could login to the admin end of your own website.

I always imagined this would be a front-end only module, and I’m not sure I can see the logic behind it having anything to do with CP access.

I would think anyone with the ability to install a module would inherently accept cookies?

I would think that anyone with the desire to login to the back-end of the website would inherently accept cookies that are “essential for the website to work”.

Thanks,

Rob

       
Brian Litzinger
704 posts
13 years ago

Ok, this is kind of annoying. I cleared my cookies yesterday and now I can’t login to the CP. It’s a new site setup so I have no front-end login form. As Rob mentioned I feel like the CP should ignore the cookie settings, or the form template needs to have the hidden input added to it with an additional checkbox or message.

On a side note this doesn’t appear to do any geocode lookups to determine if the user is even in Europe, so when installed a US user would have to basically accept the EU terms?

       
Brian Litzinger
704 posts
13 years ago

The cookie_consent_lang.php file is using the deprecated file name format.

       
Robzor
86 posts
13 years ago

As a braindump, maybe the module could have a couple of optional settings:

1) Enable cookie control for back-end (i.e. it shouldn’t be enabled for the backend by default, and if this was enabled, a checkbox on the login page should be added so that a user can click ‘accept cookies’).

2) Enable geolocation, there’s already the IP to nation module, so this would have to be enabled, but then it would only show the tags if the user was inside ‘the EU’. Although have fun nailing down which countries exactly class as ‘the EU’. On second thoughts, maybe scrap this one 😛

Cheers,

       
Robin Sowell
13,255 posts
13 years ago

Appreciate all the input, folks. Here are my thoughts on it:

  1. The module was designed to fit the strictest interpretation of the privacy law(s). I can’t imagine why anyone with access to the CP isn’t implicitly granting consent and if you don’t have cookies enabled, none of the flash messages (at the very least) are going to show, effectively breaking a pretty critical part of the backend. And thus- those cookies are “essential for the website to work”. Are they strictly essential? Well- no, cause we didn’t use them to show messages in 1.x and I’m sure there are ways we could recode things to show messages in a different way without using cookies.
  2. Geolocation? I really thought about it- given the IP to Nation module, it wouldn’t be hard to add. But after a lot of searching around, I never was clear on whether it would be legal to skip non-EU browsers. So again- going with strict interpretation, I didn’t put it in there.
  3. There are solutions out there that are less strict, do include geolocation checks, etc. But I didn’t take this as a definitive interpretation of the law unless I could actually find it endorsed on a government website. And the government websites? Weren’t all that definitive.

So- yes. It is annoying (i.e., nonsensical) to have to explicitly allow a cookie in order to login- particularly if you don’t have the form tweak setup yet. But tweaking the form is easy- it doesn’t require a hack (you can make a new theme with a single view in it)- you could even make the consent field hidden or checked by default at your discretion.

I will update the docs to really reinforce what’s going to happen once the module is installed- and maybe provide a downloadable theme with the backend login page already modified. But I went with a really strict interpretation of the law- and adding support for it via the addition of hooks rather than altering the core. One of the goals of the ‘hook’ approach was to allow for different (i.e. less strict) interpretations of the law.

All that said- Brian? I’m seriously considering adding the cookie automatically to whoever installs the module. Especially if I can tweak the language a bit to make it clear that’s what’s happening.

Keep the comments coming. Just keep in mind- the module is meant to meet a strict interpretation of the law.

       
Robzor
86 posts
13 years ago

Hi Robin,

I understand where you’re coming from completely, and the fact that each country is interpreting the directive differently doesn’t help. We’re UK based and they’ve really dropped the ball here re: making it a law punishable with a huge fine (in the most extreme cases), but still, it is a massive headache.

I really don’t feel comfortable having to change the CP login page for every single client site that we have, especially after having to upgrade a lot of them too. Is there no way you could just add a conditional type thing to the default CP login page that would add a checkbox and ‘accept cookies’ if the module was enabled (I wouldn’t even press for the option to be added in the module settings, I promise)? Pretty please? With a cherry on top? :D

Anyhoo, at the very least, a +1 for Brian’s auto-cookie addition to the module installer.

We need some more UK/EU bods to chime in on this thread methinks..

Thanks,

       
Robin Sowell
13,255 posts
13 years ago

Yea- the more I read up on the law, the more I was really really glad I don’t have to design it into websites I build. The law seems designed to annoy people. I mean- good intentions, but the application is just ick. It really should be something handled in the browser.

And I’ll go take a poke- see if maybe I can do something with a setting to add the consent field to the backend. I do want to keep that flexible- as arguably there should be a link to a privacy policy on that page describing all of the cookies and what they do. But if it’s a setting and option and the docs are clear, that flexibility is still there.

       
Robzor
86 posts
13 years ago

Thanks Robin, honestly, we would really appreciate it!

Cheers,

       
Brian Litzinger
704 posts
13 years ago

Here are some changes I made:

views/account/login.php - Add just above the Login submit button

<?php if (array_key_exists('cookie_consent', $this->addons->get_installed())):
    $this->lang->loadfile('cookie_consent');
?>
    <p><?=form_checkbox('cookie_consent', 'y', '', 'id="cookie_consent"')?><span><?=lang('cookie_consent', 'cookie_consent')?></span></p>
<?php endif;?>

And add to the lang file

'cookie_consent' => 'I accept', // something more appropriate here

This will set the cookie when you login to the CP.

       
Robin Sowell
13,255 posts
13 years ago

Yep- nice way to add to the view (could check for cookie and only show if not set as well)- the problem being I’d strongly prefer this work as any other third party add-on - i.e., not be in the main view file. Unfortunately, I’m not spotting a great way to do that (aside from adding a custom theme and just having it in there, which is what you’d do with a third party add-on).

Could do it via javascript and session_start hook- and the logic isn’t horrible since JS is required to use the default theme. But let’s face it- that is not a great method.

Right now- considering that instead of simply outputting an error page when backend login is attempted, output a ‘confirmation’ type page saying ‘cookies required’, submit to continue.

It’s still slightly clunky, but may be the best bet. And a moot point for folks who do include the field on the form page- whether through a custom theme or editing the view file directly.

Bouncing it back and forth with devs- I think the ‘js’ addition is bad. So- either leave as is; hard code into existing view; go with intermediary page if not set.

       
Robzor
86 posts
13 years ago

My vote would be that you guys hardcoded into the existing view, second would be the intermediary page: If I understand you correctly, this would just change the login ‘error message’ page for the cookie consent one, with a ‘continue’ button? i.e. you wouldn’t have to go back and login again?

Leaving as it is feels a bit bleh, but that’s just my 2p

Thanks,
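
The login rule described in the thread (a consent cookie, or a post value asking for one, before anything else is written to the browser) and the intermediary "cookies required" page under consideration, as an added example that is not part of the thread or the module's code. The function name, the 'confirm' mode and the result keys are hypothetical; the cookie name comes from Brian's snippet, and the field name and error key from the posts above.

```php
<?php
// Added illustration, not ExpressionEngine or Cookie Consent module code.
// Hypothetical: consent_gate(), the 'confirm' mode and the result array keys.
// From the thread: cookie 'cookies_allowed', POST field 'cookie_consent' = 'y',
// error key 'cookie_consent_required'.

const CONSENT_COOKIE = 'cookies_allowed';
const ONE_YEAR = 60 * 60 * 24 * 365;

/**
 * Decide what a login request may do under the strict rule.
 * $onMissing: 'error' (behaviour described in the thread) or
 * 'confirm' (the intermediary page being considered).
 */
function consent_gate(array $cookies, array $post, string $onMissing = 'error'): array
{
    if (($cookies[CONSENT_COOKIE] ?? '') === 'y') {
        // Consent already recorded: login proceeds, nothing new to record.
        return ['action' => 'login', 'set_cookies' => []];
    }
    if (($post['cookie_consent'] ?? '') === 'y') {
        // Consent arrives with this request: record it, then login proceeds.
        return ['action' => 'login', 'set_cookies' => [CONSENT_COOKIE => ['y', ONE_YEAR]]];
    }
    // No consent: no cookie of any kind may be set. The submitted credentials
    // cannot be parked in a session either, since that would need a cookie.
    if ($onMissing === 'confirm') {
        return ['action' => 'confirm_page', 'set_cookies' => []];
    }
    return ['action' => 'error', 'error' => 'cookie_consent_required', 'set_cookies' => []];
}

// Constructed sample requests (not captured traffic).
$cases = [
    'cleared cookies, stock CP form' => [[], ['username' => 'admin']],
    'checkbox ticked on login form'  => [[], ['username' => 'admin', 'cookie_consent' => 'y']],
    'returning user with cookie'     => [[CONSENT_COOKIE => 'y'], ['username' => 'admin']],
];

foreach ($cases as $label => [$cookies, $post]) {
    foreach (['error', 'confirm'] as $mode) {
        $result = consent_gate($cookies, $post, $mode);
        printf("%-32s %-8s -> %s\n", $label, $mode, $result['action']);
    }
}
```

The first case is the lockout reported above: with no cookie and no consent field on the form, the only outcomes are the error or the confirmation page.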

       