Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Q about privacy

  • 07-07-2005 11:12am
    #1
    Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭


    I have a web app that stores an ID in a persistant cookie and uses it to look up address information to pre-fill a form for the user.

    All well and good.

    However, if the user is in a public place or shares their machine, in theory, another user could see their address information if they go to the same site. I either have to remove this functionality for everyone or ignore this potential privacy issue. Does anyone know the official line on this sort of thing. No cc information, etc is held, just an address and postcode (it's for England).


Comments

  • Moderators, Politics Moderators Posts: 41,229 Mod ✭✭✭✭Seth Brundle


    give them the "remember me" option when entering in data?
    If they choose remember me then it is stored in a cookie, if they don't tick it then they need to re-fill in form manually.
    Can you use server session variables rather than cookies?


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    sssh, kbannon, that's more work than I'm willing to do right now :D

    Yeah, will probably go the 'remember me' route, but need to find out the official line on this sort of data privacy. Project goes live on Monday, so development like this needs to be well founded before it can go ahead.

    Yeah, project goes live on Monday and *now* we notice things like this. :rolleyes:


  • Moderators, Politics Moderators Posts: 41,229 Mod ✭✭✭✭Seth Brundle


    LOL - I hear ya.
    is it necessary to use cookies?
    In terms of privacy, yes, I would believe that their (name? and) address shouldn't be left for others to find.
    What you could do is save it in a cookie when form #1 is used and then (assuming form #2 is to be completed in the same session) take it from the cookie and then when that is done clear the cookies contents.
    However, if form #2 is not to be completed in the same session then I would store all info in a DB.


  • Registered Users, Registered Users 2 Posts: 3,012 ✭✭✭BizzyC


    Yeah, I'd suggest storing it on the session, and setting the timeout for a short amount of time.
    You could use a logon filter to check the session for a set variable, once the session times-out, the variable is cleared, and you'd need to log in again.

    Also to protect yourselves you could simply add a log-out feature and out a disclaimer on the site telling people why the should always log out when finished.


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    Actually, there's no login/logout feature on the site. It just generates an ID then uses that throughout to reference the database tables. This ID is persistant. I need in other places, it's just this functionality of pre-populating forms that's causing me a little trouble.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 5,517 ✭✭✭axer


    corblimey wrote:
    Actually, there's no login/logout feature on the site. It just generates an ID then uses that throughout to reference the database tables. This ID is persistant. I need in other places, it's just this functionality of pre-populating forms that's causing me a little trouble.
    Session ID


  • Registered Users, Registered Users 2 Posts: 3,012 ✭✭✭BizzyC


    As axer pointed out, each session is given it's own individual ID. You could store all the data onto the session, and then set the timeout to whatever length of time you deem suitable. Once the session has been idle for that long, it's cleared, and the next person who comes along would get a new session.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Yeah Session ID sounds like the best way to go given the timescale.

    Put a terms/disclaimer in the form, making it very clear that they should hit a logout button (which destroys the session) and/or should close their browser when they're finished or other users may be able to see their personal details.

    Ideally you would move to upgrade the form to submit over https.


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    If I had any control whatsoever over business decisions like this (the system has been in use elsewhere for a while, and changing a persistent cookie to a session cookie will require meetings and conference calls and meetings and conference calls) I'd have already changed to a Session ID a long time ago.

    seamus, https? How would that make any difference?


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    corblimey wrote:
    seamus, https? How would that make any difference?
    You have people submitting personal details. I would move towards https. Maybe that's just me.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    Right, and that part of the site is on https, I just wasn't sure what the security had to do with reading data from a table and prefilling forms? Sorry if I'm being a bit thick here.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    corblimey wrote:
    Right, and that part of the site is on https, I just wasn't sure what the security had to do with reading data from a table and prefilling forms? Sorry if I'm being a bit thick here.
    I should stop thinking out loud :D


  • Registered Users, Registered Users 2 Posts: 4,475 ✭✭✭corblimey


    Oh thank God. I thought I'd missed a page in my "how to write the Internet" book :D


Advertisement