On 05/27/2011 08:18 AM, Hanne Moa wrote:
> "From 26th May 2011 websites in the UK need to ask for permission
> before they can set cookies not required for ‘essential’ means"
>
> http://blog.silktide.com/2011/05/cookie-law-makes-most-uk-websites-illegal-what-you-need-to-know/
>
> What cookies in Django are "essential"? When not logged in I see that
> the csrf-token cookie is set, and when logged in there's the
> session-cookie. Should one strive only to use csrf-protection (and
> thus the cookie) only when it is needed? Are there other cookies set
> by contrib apps? Should there be something about this in the docs?
> "<list> cookies is essential, you need to get consent for these
> other ones: <list>"

Django itself sets only these cookies: CSRF, language, contrib.sessions, and contrib.messages (if you're using one of the cookie-using backends).

I am not a lawyer, and I haven't read the new EU guidelines in depth. Based on the description in the blog post you link, ISTM that CSRF and language cookies are likely defensible as "essential" to the user-requested service. I think the status of the session cookie (and probably the messages ones as well) is very much dependent on how they are used by the specific site in question.

I'd be fine with a documentation patch listing more clearly what parts of Django may set cookies, to make it easier for Django users to comply with this ruling. I'd be opposed to any specific mention of this ruling in the patch, and certainly opposed to any attempt in the documentation to define which Django-set cookies are "essential" and which require user consent - legal advice related to particular legal jurisdictions is WAY out of scope for Django's documentation.

Carl

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.