apostrophecms / apostrophe-documentation

Documentation for the ApostropheCMS open-source ecosystem
https://docs.apostrophecms.org/
MIT License

Add page noting the default cookies Apostrophe places #109

Open abea opened 6 years ago

abea commented 6 years ago

Clients occasionally pop in with GDPR related questions about Apostrophe. I thought one brief and directed page could answer this and show proactivity from Apos on the issue.

From dev tools and some Googling I think this would be limited to:

boutell commented 6 years ago

I think that is correct. I'm not sure whether shortname.sid is set for logged-out users who haven't done anything that would cause their session to actually contain any information (nothing has been written to req.session).


--

THOMAS BOUTELL, CHIEF SOFTWARE ARCHITECT P'UNK AVENUE | (215) 755-1330 | punkave.com

boutell commented 6 years ago

This does mean that any client wanting to be GDPR compliant presumably does need to disclose something, even if just because of shortname.csrf.


abea commented 6 years ago

Right. Most sites will have to anyway for Google Analytics.

I did a quick test clearing cookies and I do think I get the sid cookie even as an anon.

sergiodop92 commented 4 years ago

I am also having trouble related to this. I am trying to disclose the info stored in cookies, but I do not get to see what is in .sid for anon users. I know that it is created unless apostrophe-express is properly configured with disableAnonSession set to true. But if I do that, apostrophe-workflow stops remembering the language of a user from one visit to another. So I think I would opt to leave it on.

So, how can we know what is stored in the cookie exactly? Thanks in advance.

boutell commented 4 years ago

The sid cookie contains the session identifier for express sessions, which in turn are used to retain information server side in a database or other session store, so we don't have to store a large cookie or put sensitive information in it.

The cookie goes away for anons if disableAnonSession is true.

You are losing the language because you did not fully configure either URL prefixes or hostnames or a mix of both sufficient to clearly indicate the locale before enabling disableAnonSession. You must do that before using the feature.

sergiodop92 commented 4 years ago

And does apostrophe store any personal info in the session in the database? If no personal info is stored, there is no problem for me having the "drawback" of needing to store a session and the truly random csrf.

I already opened a case in the apostrophe-workflow repo about my problem with the language, so we can discuss it further there :).