Cookies and EU law

[NickW]

I'm writing a site privacy policy and wondered if someone could help me with the following questions regarding cookies please:

What data does osCommerce MS2.2 collect via cookies?

In standard form is this data used only to maintain the customer's orders in their shopping cart?

Is the data only collected after the customer creates an account?

Are there any functional problems if the customer disables cookies in their browser?

Thanks,

Nick

[jpf]

OSC does not "need" cookies - as ALL it stores in it is the Session name, ID, lifetime (default is untill browser is closed...), cookie path and domain. That is all!

FYI the cookie setting code:
setcookie($session->name, $session->id, $session->cookie_lifetime, $session->cookie_path, $session->cookie_domain);

If you don't use cookies then you have to have Session ID or SID in the URL...

setcookie($session->name, $session->id, $session->cookie_lifetime, $session->cookie_path, $session->cookie_domain);

I have herd that AOL users has problems with cookies turned off.

All Data on what you looked at/added to cart is stored on the server.

Got everthing now?

[NickW]

jpf: What you say seems to be evident from my tests so far ie cookies are not mandatory inorder to allow the site to function. However I'm now a little confused by what is said in the Wiki documentation here: http://wiki.oscommerce.com/proposalSecurityAndPrivacy as they imply that cookies are required to allow the adding of products to the cart, logging on and creating an account, etc.

If 'Force Cookie Use' set to FALSE is the Sesion ID automatically added to the url?

On my test site with 'Force Cookie Use' set to FALSE the shopping cart and ordering process seemed to work ok but I didn't notice any Session ID's being appended to the url's, but this is without SSL at the moment. I've now set 'Force Cookie Use' to TRUE and even though my browser (IE6) privacy settings (in Tools | Internet Options | Privacy) are set to Medium (and also the domain is specified to be 'allowed') when I now try to make a dummy purchase I get directed to the cookie usage page.

[NickW]

With 'Force Cookie Use' set to FALSE I do see the Session ID's being appended to the url

[jpf]

Yes that is the correct process. The cart has to SOME how keep track of users-it is much easier for the cleint to keep track of "his" session number than the other way around. IP tracking/sessions on the server does not work - as a large corporation may have 100+user and when any one or more from that corporation "visits" a site the IP my be reported as the SAME - even though there are 2 or more uses on the same website. (IE causes problems with WebSearch sites Spiders that may use muliple session to index your site - unless you force NO SIDS for spiders-like OSC does)

The SID -or Session IDdentification - tells the cart which person/instance is adding thing to cart - the CART and user infomation is totally save in MySQL. If SID does not "match" (between the client/server) then a new session and SID is issued. Client has to save the SID some where - cookies just make the URL look a bit better, where as the other option is NOT to use cookies and then the URL gets a SID appended to it.

Cookies as a default only have a lifetime of untill the bowser (all windows) are closed. URL SID last longer (don't know how long off the top of my head) BUT you have to keep track of the WHOLE URL.