Don't use session for multilang because of EU regulations

Is it worth adding a feature request for a config option?

c::set('language.cookie', false) => No cookie for example

I would appreciate a solution to get 100% cookie free and multi-lingual at the same time. :+1:

I did my first PR on Kirby :smiley:
Hopefully I didn’t get this wrong…

I think it would probably make more sense to check if site is multi-lang first, and then check for that option?

Sounds right. Or maybe in the same if statement?
if($this->site()->multilang() && ($language = $this->site()->language()) && c::get('language.cookie'))

As I mentioned in the PR, it might be better to leave the cookie set as default with:
if($this->site()->multilang() && ($language = $this->site()->language()) && c::get('language.cookie', true))

The option should probably also be added to the defaults in kirby.php, then you would not need the default in your check, I guess.

Even better. Do we agree it should be left as true by default?

Yes, I think so (and some more characters).
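
The combined condition discussed above depends on PHP operator precedence, because `&&` binds tighter than `=`. The following is an added example, not code from the thread or from Kirby: it uses constructed stand-ins (`option()` for the config lookup, `FakeLanguage` and `currentLanguage()` for the language object) to compare the condition with and without parentheses around the assignment, and to show the opt-out while the default stays `true`.

```php
<?php
// Constructed stand-ins (assumptions, not Kirby's API):
// option() mimics a config lookup that falls back to a default,
// FakeLanguage/currentLanguage() mimic the site's language object.
function option(array $config, string $key, $default = null)
{
    return array_key_exists($key, $config) ? $config[$key] : $default;
}

final class FakeLanguage
{
    public function code(): string
    {
        return 'de';
    }
}

function currentLanguage(): ?FakeLanguage
{
    return new FakeLanguage();
}

$multilang = true;
$config    = []; // 'language.cookie' not set, so the default (true) applies

// Without parentheses PHP evaluates
//   $language = (currentLanguage() && option(...))
// so $language receives the boolean result of the && expression,
// and a later $language->code() call would fail.
if ($multilang && $language = currentLanguage() && option($config, 'language.cookie', true)) {
    echo 'unparenthesized: $language is ', gettype($language), PHP_EOL;
}

// With parentheses the assignment completes first and $language
// keeps the language object; the option is checked afterwards.
if ($multilang && ($language = currentLanguage()) && option($config, 'language.cookie', true)) {
    echo 'parenthesized: $language is ', gettype($language),
        ' with code ', $language->code(), PHP_EOL;
}

// Opt-out: a site that must stay cookie free sets the option to false,
// the condition fails and the cookie-setting branch is never reached.
$config['language.cookie'] = false;
$wouldSetCookie = $multilang
    && ($language = currentLanguage())
    && option($config, 'language.cookie', true);
echo 'cookie branch taken after opt-out: ', var_export($wouldSetCookie, true), PHP_EOL;
```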

This is now fixed on the dev branch.

I just got a quick question that kinda fits here.

Is the session cookie really needed as soon as there is a login-form on the website?
Wouldn’t it be possible to only set the cookie as soon as the login form is used?

As far as I know, you don’t really have to nag your users for session cookies:

Cookies clearly exempt from consent according to the EU advisory body on data protection include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user’s input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

And after clicking on that link, open your JS Console and write document.cookie and look at that cookie the EU website just stored on your computer without asking. :wink:
(Mine contained information about my referer - clearly information needed for no technical reason, but for tracking…)