Is a PHP Session acceptable with the new UK cookie law?

Question 1

I am just looking for some advice on the new UK Cookie Law and how it affects PHP sessions. I understand that you do not need the users to opt in when a cookie is "strictly necessary" and the example given is adding an item to a shopping cart.

I am using similar functionality that remembers what you have stored in a contact form, which I feel is strictly necessary use of a session and therefore no opt in is required.

However the confusion for me arises because I have a session_start(); at the top of each page, which means the cookie is set straight away. Some users will not then go to use the contact form, so this means that the cookie is not strictly necessary for them.

I could remove session_start(); from the top of each page, but this functionality is used throughout a number of websites and it would be preferable if we could leave it in.

Could anyone shed any more light on this?

Question 2

The simple answer is that you're probably going to be okay, the extent to which this law will even be enforced is massively up for debate anyway.

We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a websites’ cookie and privacy is a risk to many people, we may then take action.

There is a balance to be struck though, as not all cookies are equal, and our enforcement approach will bear this in mind.

For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.

(Source: The ICO's Dave Evans on EU cookie law compliance)

Question 3

I would use isset and empty:

session_start();
if(isset($_SESSION['blah']) && !empty($_SESSION['blah'])) {
   echo 'Set and not empty, and no undefined index error!';
}

array_key_exists is a nice alternative to using isset to check for keys:

session_start();
if(array_key_exists('blah',$_SESSION) && !empty($_SESSION['blah'])) {
    echo 'Set and not empty, and no undefined index error!';
}

Make sure you're calling session_start before reading from or writing to the session array.

Question 4

you can unset cookies this way only may -1 not work

try this

setcookie ("user", "", time() - 3600);

Question 5

Hey I've had a go at this I can't test it as I dont have the additional files and cart object but it should be close to error free

I've got a Session variable 'cart' if present we grab it unserialize and were done then can edit the values and save it back out so on

If not present i.e. first hit or cart was deleted we build a new cart from the database (This isnt ideal just for testing as presently your adding every item from the database to the cart?)

If the post or get value of adjQ is present we modify some of the values of the cart object and save it back out to the session variable

If the post or get value of showCart is present we output the current cart To make this work you might have to tweak your Shopping_Cart Object to support the variables being called and the getCount function and the getAllRows function

I've removed the additional storage of an array of the items from the cart (w) not sure what thats for since you have the data stored in the object dont need to replicate it

All the request variables should be sanitized to prevent injection attacks n so on

I've added a hidden field to trigger the showCart request

Anyway hope this helps

<?php
    session_start();
?>
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Testing the Shopping Cart</title>
    </head>
    <body>
<?php # cart.php
// This script uses the ShoppingCart and Item classes.
//error_reporting(0);

    // Create the cart:
    require('ShoppingCart.php');
    require('userMenu.php');

    $rowCount = 0;

    if(isset($_SESSION['cart']))
    {
        echo "We have a stored cart in a Session variable, retrieving data ...";

        $cart = unserialize($_SESSION["cart"]);

        $rowCount = $cart->getCount();
    }
    else
    {
        $cart = new ShoppingCart();

        // Create some items:
        require('Item.php');
        require ('Connect.php');

        $conn=Connect::doConnect();

        $query = "SELECT product_id, product_name, product_price from product";
        $result = mysqli_query($conn, $query);

        $rowCount = $result->num_rows;

        if ($result->num_rows > 0) {
            // output data of each row
            while($row = $result->fetch_assoc()) {
                $cart->addItem(new Item($row["product_id"], $row["product_name"],$row["product_price"]));
            }
        }
        $conn->close();
    }

    if(isset($_REQUEST['adjQ']))
    {
        echo "In stoc avem ".$rowCount." tipuri de produse";

        // Update some quantities:
        $cart_items_new = array_combine($_POST['item_adjust'], $_POST['quantity']);
        foreach ($cart_items_new as $product_id=>$quantity) {
            if($quantity > 0) {
                $cart->updateItem($product_id, $quantity);

                $conn=Connect::doConnect();

                $query1 = "SELECT product_id, product_name, product_price from product where product_id='$product_id'";
                $result1 = mysqli_query($conn, $query1);

                $row1 = mysqli_fetch_array($result1);
                echo $product_id." ".$quantity." + ".$row1["product_name"];
            }
            else {
                $cart->deleteItem($product_id);
            }
        }

        // Show the cart contents:
        echo '<h2>Continutul cosului de cumparaturi (' . $rowCount . ' tipuri de produse)</h2>
        The user is ' . $_SESSION["user"] . '.<br>
        User type is ' . $_SESSION["user_type"] . '.';

        if (!$cart->isEmpty()) {
            foreach ($cart as $arr) {
                // Get the item object:
                $item = $arr['item'];
                // Print the item:
                printf('<p><strong>%s</strong>: %d @ $%0.2f bucata.<p>', $arr['item']->getName(), $arr['item']->getQuantity(), $arr['item']->getPrice());
            } // End of foreach loop!

            echo "Saving card to Session variable";
            //New_cart is only set in adjQ request prehaps this code should be there?
            $_SESSION["cart"] = serialize($cart);
        } // End of IF.
    }

    if(isset($_REQUEST['showCart']))
    {
        if ($cart->getCount() > 0) {
            // output data of each row
            echo '<table border='."1".'><form action="cart.php" method="post">';
            echo '<tr><td><b>'."Id produs".'</td><td><b>'."Denumire".'</td><td><b>'."Pret".'</td><td>'."Numar de bucati solicitate".'</td></tr>';
            foreach ($cart->getAllRows() as $row) {
                echo '
                    <tr>
                        <td>'. $row->getProductId() . '</td>
                        <td>'. $row->getName() . '</td>
                        <td>'. $row->getPrice() . '</td>
                        <td><input type="input" value="0" name="quantity[]"><input type="hidden" value="' . $row->getProductId() . '" name="item_adjust[]"/><input type="hidden" value="showCart" name="showCart"/></td>
                    </tr>';
            }
            echo '<tr><td colspan="3"><input type="submit" value="Adauga in cosul de cumparaturi" name="adjQ"></td></tr></table>';
        } else {
            echo "Cart is empty";
        }

    }
?>
</body>
</html>

Question 6

A cookie has a lifetime, after which it will expire (As denoted by the Expires directive). If you don't set a timeout, the browser will expire the cookie when you close the browser. This is called a session cookie.

These kind of cookies are often used to track a users current session state on the server side (E.g. php's sessions), but there is not a strong relation between the two uses of the word "session"

Is a PHP Session acceptable with the new UK cookie law?

Answers

php,cookies,session-cookies