[Koha-bugs] [Bug 40713] New: cookieConsent: key should have an expiration date

Wed, 27 Aug 2025 05:23:12 -0700 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40713

            Bug ID: 40713
           Summary: cookieConsent: key should have an expiration date
 Change sponsored?: ---
           Product: Koha
           Version: Main
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: OPAC
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

Currently, the created localStorage key cookieConsent does not expire. This
needs adjustment in view of following information:

"The GDPR does not specify a fixed time limit for cookie expiry; instead, the
duration must be proportionate to the cookie's purpose and never exceed 12
months according to the ePrivacy Directive, which requires consent renewal at
least annually, and potentially more frequently based on your local Data
Protection Authority's (DPA) guidelines, like the six-month recommendations
from the Irish DPC and French CNIL." -- See e.g. https://gdpr.eu/cookies/

"If you use a cookie to store a record that a user has given consent to the use
of cookies, you should ask the user to reaffirm their consent no longer than
six months [*] after you have stored this consent state. (Footnote: While the
legislation does not prescribe a specific lifespan for such cookies, based on a
first-principles analysis by the DPC, we consider this to be the appropriate
default outer timeframe for storing the user’s consent state. A controller
would need to objectively and on a case-by-case basis justify storage for a
longer period.)" -- Data Protection Commission [Ireland]


Since localStorage has no expiration mechanism itself, we could simply add e.g.
a unix timestamp as value here. Since the key now contains empty string and is
tested for null to check status. This check would become: does the key exist
and is its value still in future? A reject removes the key or clears it.

Would it be possible to add the expiry period to a preference or enclosed in
CookieConsentedJS somehow?

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to