Cookie purposes

PatRobCoy

PatRobCoy

New member
Hey guys

I have a question about cookies and hope you can help me. I live in Germany and am currently implementing all measures to create my forum privacy policy. Cookies naturally play an important role here. My cookie tool (Cookiebot) shows me which cookies are on the site. Among other things, five Xenforo cookies are displayed. According to the GDPR, it is mandatory to explain the purpose of these cookies. Unfortunately I can't find an explanation. It concerns the following cookies:

xf_crossTab
xf_cacheKey
xf_visitorCounts

I can find explanations for the cookies xf_csrf & xf_session.

In addition, the prefabricated cookie information also mentions xf_user. This cookie is not shown to me as active by my Cookiebot. Is that correct? Or is this cookie active by default? Maybe you have a hint for me.

I am very much looking forward to your answer.
Many greetings from Nuremberg.
Patrick
 
PatRobCoy said:
It concerns the following cookies:

xf_crossTab
xf_cacheKey
xf_visitorCounts
Click to expand...
These aren't cookies. They are local storage. These are only stored on the client and not sent to and from the server in every request like cookies are.

PatRobCoy said:
This cookie is not shown to me as active by my Cookiebot. Is that correct? Or is this cookie active by default? Maybe you have a hint for me.
Click to expand...
That's a standard cookie and it keeps you logged in. If you're logged in, you should see it.

An explanation of the main cookies are explained in the default cookie help page:
xenforo.com

Cookie usage

This page explains how this site uses cookies.
xenforo.com xenforo.com
 
Chris D said:
These aren't cookies. They are local storage. These are only stored on the client and not sent to and from the server in every request like cookies are.


That's a standard cookie and it keeps you logged in. If you're logged in, you should see it.

An explanation of the main cookies are explained in the default cookie help page:
xenforo.com

Cookie usage

This page explains how this site uses cookies.
xenforo.com xenforo.com
Click to expand...
Thank you for your feedback Chris. Unfortunately, Cookiebot (my consent tool) displays these three "cookies" as "cookies". If I now define this as "necessary" and thus do not give the user the opportunity to deactivate it, I have to be able to explain the purpose. Don't you have a brief explanation here? Similar to the others?
 

Attachments

  • Bildschirmfoto 2020-10-15 um 10.20.40.webp
    Bildschirmfoto 2020-10-15 um 10.20.40.webp
    83.5 KB · Views: 41
There's no issue in telling you what they're for, but they are not cookies. The tool is wrong. I've seen a few threads from them and they insist on conflating local storage with cookies which, in my opinion, is fundamentally incorrect.

There are some fundamental differences between local storage and cookies. Are they unaware of the difference? Technically incapable of distinguishing them? I'd honestly recommend using a different tool just on that basis to be honest.

__crossTab is to enable cross-tab communication of the favicon state and alert counts. It means that when the visitor counts update, it can communicate with the other tabs in order to tell them that the counts have updated. Notice the (1) in the tab title disappears when the alert I have has been marked as seen.
View attachment Screen Recording 2020-10-15 at 09.33.48.mov

cacheKey is a unique key to facilitate caching within the PWA functionality we added in XF 2.2. This is not currently used but it would allow commonly accessed resources to be cached in order to allow some access to the site when it is unavailable.

visitorCounts the aforementioned "visitor counts" are kept in local storage. They indicate how many unviewed/unread alerts there are, how many unread conversations there are and the time it was last updated. Every time a request is performed, the data is updated and it is used to update the red counts above inbox / alerts in the header.

JSON: 
{
    alerts_unviewed: "0"
    conversations_unread: "0"
    time: 1602599936
    total_unread: "0"
}
 
Last edited:
This got me interested in updating my policy to give clear explanations.

Using Firefox Storage Inspector these are cookies listed for my site:


Screenshot 2020-10-15 at 09.42.27.webp
 
Chris D said:
There's no issue in telling you what they're for, but they are not cookies. The tool is wrong. I've seen a few threads from them and they insist on conflating local storage with cookies which, in my opinion, is fundamentally incorrect.

There are some fundamental differences between local storage and cookies. Are they unaware of the difference? Technically incapable of distinguishing them? I'd honestly recommend using a different tool just on that basis to be honest.

__crossTab is to enable cross-tab communication of the favicon state and alert counts. It means that when the visitor counts update, it can communicate with the other tabs in order to tell them that the counts have updated. Notice the (1) in the tab title disappears when the alert I have has been marked as seen.
View attachment 237584

cacheKey is a unique key to facilitate caching within the PWA functionality we added in XF 2.2. This is not currently used but it would allow commonly accessed resources to be cached in order to allow some access to the site when it is unavailable.

visitorCounts the aforementioned "visitor counts" are kept in local storage. They indicate how many unviewed/unread alerts there are, how many unread conversations there are and the time it was last updated. Every time a request is performed, the data is updated and it is used to update the red counts above inbox / alerts in the header.

JSON: 
{
    alerts_unviewed: "0"
    conversations_unread: "0"
    time: 1602599936
    total_unread: "0"
}
Click to expand...
Hey chris Please do not get this wrong. I also don't like the fact that I have to deal with this annoying theme at all. No offense. I don't care which tool I use. The main thing is that it has a detailed opt-in function. If Cookiebot shows cookies that are not cookies at all, then of course that's completely stupid. Can you recommend a tool that works better?
 
Oh, no, none taken at all. It just strikes me as totally bizarre. You'll find threads on their forum from people asking specifically about local storage and throughout their entire response they'll still refer to them as "cookies". It doesn't make sense to me.

I don't have any recommendations nor do I know whether it's standard for these things to treat all types of browser storage as cookies.

It's not the end of the world. If the tool works for you and you've already got so far setting it up then no issue to continue using it. Just irks me that they're conflating two very different types of storage.
 
Mr Lucky said:
This got me interested in updating my policy to give clear explanations.

Using Firefox Storage Inspector these are cookies listed for my site:


View attachment 237585
Click to expand...
PatRobCoy said:
Hey Lucky, oh man :) these "cookies" (if there are any) are again not displayed to me with Cookiebot. That doesn't make it any easier now :)
Click to expand...
Some of them may be optional.

emoji_usage stores your most recently used emoji if you use the emoji popup in the editor.

notice_dismiss keeps track of the notices you have dismissed on the site so that the ones you have missed are not shown again.

push_notice_dismiss tracks your dismissal of the "XenForo community would like your permission to enable push notifications." notice.

sam_ad_views this isn't set by us and is presumably from an add-on.

tfa_trust is if you have set up "Two-step verification" and have opted to "trust" this device. This is to stop you from being asked to repeat two-step verification every time you log in.
 
Chris D said:
Oh, no, none taken at all. It just strikes me as totally bizarre. You'll find threads on their forum from people asking specifically about local storage and throughout their entire response they'll still refer to them as "cookies". It doesn't make sense to me.

I don't have any recommendations nor do I know whether it's standard for these things to treat all types of browser storage as cookies.

It's not the end of the world. If the tool works for you and you've already got so far setting it up then no issue to continue using it. Just irks me that they're conflating two very different types of storage.
Click to expand...
Ok :) Thank you for the individual explanations. I will now simply insert this and with that I should be able to satisfy everyone. Personally, I believe that you probably can't even be 100% GDPR compliant. If someone wants, he'll find a mistake.
 
Chris D said:
Some of them may be optional.

emoji_usage stores your most recently used emoji if you use the emoji popup in the editor.

notice_dismiss keeps track of the notices you have dismissed on the site so that the ones you have missed are not shown again.

push_notice_dismiss tracks your dismissal of the "XenForo community would like your permission to enable push notifications." notice.

sam_ad_views this isn't set by us and is presumably from an add-on.

tfa_trust is if you have set up "Two-step verification" and have opted to "turst" this device. This is to stop you from being asked to repeat two-step verification every time you log in.
Click to expand...
Sorry, yes I forgot to mention sam_ad_views is Siropu Ads manager
 
@Chris D : is there a cookie / local storage that ensures that multi-quotes are preserved when switching to a next page of a thread?

At the moment I have the problem that multi-quotes I made for example on page 1 in the thread are no longer present on page 2 when I want to insert them. I suspect my cookie consent tool is deleting something, I just can't find what ....
 
Works! Thanks!

Is there perhaps a complete listing of cookie and local storage elements that are used?

Currently I have this list:

1617713983216.webp
 
Last edited:
Chris D said:
I don't have any recommendations nor do I know whether it's standard for these things to treat all types of browser storage as cookies.
Click to expand...
I'd say most of them do treat cookies and other (Session/Local)Storage technologies the same and call them "Cookies".

That obviously is technically wrong, but quite frankly - neither the law nor the user does care which technology is used to store smth. on the user device (that can be used to track the user).

So from a legal perspective it absolutely does make sense to treat this equally.

The above list is (at least) missing

Cookies
  • xf_ls (used as fallback if LocalStorage is not available)
  • xf_session_admin (backend only)
  • xf_edit_language_id (backend only)
  • xf_edit_style_id (backend only)
  • xf_style_id (frontend, used to store selected style for guests)
  • xf_language_id (frontend, used to store selected language for guests)
  • xf_from_search (used to track the search engine a user came from)
  • xf_inlinemod_post
  • xf_inlinemod_profilepost
  • xf_inlinemod_thread
  • xf_inlinemod_xfmg_media (only w/XenForo Media Gallery)
  • xf_inlinemod_xfmg_album (only w/XenForo Media Gallery)
  • xf_inlinemod_xfmg_comment (only w/XenForo Media Gallery)
LocalStorage
  • fr-copied-text
  • fr-copien-html
  • xf_multiQuoteSelection
  • xf_multiQuoteThread
  • xf_editorDisabled
  • xf_push_history_user_ids
  • xf_guestUsername
  • xf_lbSidebarDisabled
 
Last edited:
Kirby said:
The above list is (at least) missing
Click to expand...

Also missing (both local storage):
  • xf_multiQuoteConversation
  • xf_multiQuoteMediaItem (only if XFMG is installed)
Questions:
  • I could not find xf_cacheKey on my machine. What is it used for / when is it set?
  • I also do not get a xf_from_search cookie, when I visit the forum from Google. Reason?
  • After how many days/weeks/months/years will xf_tfa_trust expire? On my machine it is set till the year 2072. 😲
 
You must log in or register to reply here.

Similar threads

⭐ Alex ⭐
Why exactly do we need a cookie notice for third party cookies?
Replies
1
Views
504
⭐ Alex ⭐
⭐ Alex ⭐
Top Bottom