Cookie purposes

PatRobCoy

New member
Hey guys

I have a question about cookies and hope you can help me. I live in Germany and am currently implementing all measures to create my forum privacy policy. Cookies naturally play an important role here. My cookie tool (Cookiebot) shows me which cookies are on the site. Among other things, five Xenforo cookies are displayed. According to the GDPR, it is mandatory to explain the purpose of these cookies. Unfortunately I can't find an explanation. It concerns the following cookies:

xf_crossTab
xf_cacheKey
xf_visitorCounts

I can find explanations for the cookies xf_csrf & xf_session.

In addition, the prefabricated cookie information also mentions xf_user. This cookie is not shown to me as active by my Cookiebot. Is that correct? Or is this cookie active by default? Maybe you have a hint for me.

I am very much looking forward to your answer.
Many greetings from Nuremberg.
Patrick
 

Chris D

XenForo developer
Staff member
It concerns the following cookies:

xf_crossTab
xf_cacheKey
xf_visitorCounts
These aren't cookies. They are local storage. These are only stored on the client and not sent to and from the server in every request like cookies are.

This cookie is not shown to me as active by my Cookiebot. Is that correct? Or is this cookie active by default? Maybe you have a hint for me.
That's a standard cookie and it keeps you logged in. If you're logged in, you should see it.

An explanation of the main cookies are explained in the default cookie help page:
 

PatRobCoy

New member
These aren't cookies. They are local storage. These are only stored on the client and not sent to and from the server in every request like cookies are.


That's a standard cookie and it keeps you logged in. If you're logged in, you should see it.

An explanation of the main cookies are explained in the default cookie help page:
Thank you for your feedback Chris. Unfortunately, Cookiebot (my consent tool) displays these three "cookies" as "cookies". If I now define this as "necessary" and thus do not give the user the opportunity to deactivate it, I have to be able to explain the purpose. Don't you have a brief explanation here? Similar to the others?
 

Attachments

  • Bildschirmfoto 2020-10-15 um 10.20.40.png
    Bildschirmfoto 2020-10-15 um 10.20.40.png
    587.8 KB · Views: 6

Chris D

XenForo developer
Staff member
There's no issue in telling you what they're for, but they are not cookies. The tool is wrong. I've seen a few threads from them and they insist on conflating local storage with cookies which, in my opinion, is fundamentally incorrect.

There are some fundamental differences between local storage and cookies. Are they unaware of the difference? Technically incapable of distinguishing them? I'd honestly recommend using a different tool just on that basis to be honest.

__crossTab is to enable cross-tab communication of the favicon state and alert counts. It means that when the visitor counts update, it can communicate with the other tabs in order to tell them that the counts have updated. Notice the (1) in the tab title disappears when the alert I have has been marked as seen.
View attachment Screen Recording 2020-10-15 at 09.33.48.mov

cacheKey is a unique key to facilitate caching within the PWA functionality we added in XF 2.2. This is not currently used but it would allow commonly accessed resources to be cached in order to allow some access to the site when it is unavailable.

visitorCounts the aforementioned "visitor counts" are kept in local storage. They indicate how many unviewed/unread alerts there are, how many unread conversations there are and the time it was last updated. Every time a request is performed, the data is updated and it is used to update the red counts above inbox / alerts in the header.

JSON:
{
    alerts_unviewed: "0"
    conversations_unread: "0"
    time: 1602599936
    total_unread: "0"
}
 
Last edited:

Mr Lucky

Well-known member
This got me interested in updating my policy to give clear explanations.

Using Firefox Storage Inspector these are cookies listed for my site:


Screenshot 2020-10-15 at 09.42.27.png
 

PatRobCoy

New member
There's no issue in telling you what they're for, but they are not cookies. The tool is wrong. I've seen a few threads from them and they insist on conflating local storage with cookies which, in my opinion, is fundamentally incorrect.

There are some fundamental differences between local storage and cookies. Are they unaware of the difference? Technically incapable of distinguishing them? I'd honestly recommend using a different tool just on that basis to be honest.

__crossTab is to enable cross-tab communication of the favicon state and alert counts. It means that when the visitor counts update, it can communicate with the other tabs in order to tell them that the counts have updated. Notice the (1) in the tab title disappears when the alert I have has been marked as seen.
View attachment 237584

cacheKey is a unique key to facilitate caching within the PWA functionality we added in XF 2.2. This is not currently used but it would allow commonly accessed resources to be cached in order to allow some access to the site when it is unavailable.

visitorCounts the aforementioned "visitor counts" are kept in local storage. They indicate how many unviewed/unread alerts there are, how many unread conversations there are and the time it was last updated. Every time a request is performed, the data is updated and it is used to update the red counts above inbox / alerts in the header.

JSON:
{
    alerts_unviewed: "0"
    conversations_unread: "0"
    time: 1602599936
    total_unread: "0"
}
Hey chris Please do not get this wrong. I also don't like the fact that I have to deal with this annoying theme at all. No offense. I don't care which tool I use. The main thing is that it has a detailed opt-in function. If Cookiebot shows cookies that are not cookies at all, then of course that's completely stupid. Can you recommend a tool that works better?
 

Chris D

XenForo developer
Staff member
Oh, no, none taken at all. It just strikes me as totally bizarre. You'll find threads on their forum from people asking specifically about local storage and throughout their entire response they'll still refer to them as "cookies". It doesn't make sense to me.

I don't have any recommendations nor do I know whether it's standard for these things to treat all types of browser storage as cookies.

It's not the end of the world. If the tool works for you and you've already got so far setting it up then no issue to continue using it. Just irks me that they're conflating two very different types of storage.
 

Chris D

XenForo developer
Staff member
This got me interested in updating my policy to give clear explanations.

Using Firefox Storage Inspector these are cookies listed for my site:


View attachment 237585
Hey Lucky, oh man :) these "cookies" (if there are any) are again not displayed to me with Cookiebot. That doesn't make it any easier now :)
Some of them may be optional.

emoji_usage stores your most recently used emoji if you use the emoji popup in the editor.

notice_dismiss keeps track of the notices you have dismissed on the site so that the ones you have missed are not shown again.

push_notice_dismiss tracks your dismissal of the "XenForo community would like your permission to enable push notifications." notice.

sam_ad_views this isn't set by us and is presumably from an add-on.

tfa_trust is if you have set up "Two-step verification" and have opted to "trust" this device. This is to stop you from being asked to repeat two-step verification every time you log in.
 

PatRobCoy

New member
Oh, no, none taken at all. It just strikes me as totally bizarre. You'll find threads on their forum from people asking specifically about local storage and throughout their entire response they'll still refer to them as "cookies". It doesn't make sense to me.

I don't have any recommendations nor do I know whether it's standard for these things to treat all types of browser storage as cookies.

It's not the end of the world. If the tool works for you and you've already got so far setting it up then no issue to continue using it. Just irks me that they're conflating two very different types of storage.
Ok :) Thank you for the individual explanations. I will now simply insert this and with that I should be able to satisfy everyone. Personally, I believe that you probably can't even be 100% GDPR compliant. If someone wants, he'll find a mistake.
 

Mr Lucky

Well-known member
Some of them may be optional.

emoji_usage stores your most recently used emoji if you use the emoji popup in the editor.

notice_dismiss keeps track of the notices you have dismissed on the site so that the ones you have missed are not shown again.

push_notice_dismiss tracks your dismissal of the "XenForo community would like your permission to enable push notifications." notice.

sam_ad_views this isn't set by us and is presumably from an add-on.

tfa_trust is if you have set up "Two-step verification" and have opted to "turst" this device. This is to stop you from being asked to repeat two-step verification every time you log in.
Sorry, yes I forgot to mention sam_ad_views is Siropu Ads manager
 
Top