3

The EU General Data Protection Regulation (GDPR) will come into effect from 25th May 2018. One can read in detail here. This time it has to be all opt-in and they have a very heavy fine (€20 million or 4% of global earning!).

Since it has to be all opt-in (at least in our case), we have decided that the user accepts our cookies to receive our services.

We will not be logging out current users to give us consent; however, we will present them a consent page when they come into one of our sites. If they say yes then we will save an "accept-cookie", or else they won't be able to come into our sites. Afterwards, whenever a user logs into our site, we check the existence of this cookie.

My idea in implementing this solution is to intercept the user request, check the existence of the accept-cookie, and redirect to the requested resource (or controller in our case, as we will use asp.net mvc) accordingly.

My question is can I do this using RegisterRoutes to route request to a controller and if yes, redirect to the requested controller?

What about this solution? Though, the solution is for a different aspect. I have modified the variable names from language to consent to make it more meaningful (not trying to copy):

using System.Web.Mvc;

public class EnsureLanguagePreferenceAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var euCookie = filterContext.HttpContext.Request.Cookies["ConsentCookies"];
        if (euCookie == null)
        {
            // cookie doesn't exist, redirect user to a View showing
            // all the cookies being saved in client machine
            // and to take user consent (accept or deny)
        }
        // do something with euCookie
        base.OnActionExecuting(filterContext);
    }
}

As this rule comes into effect on 25th May 2018, it would be nice to hear your ideas regarding different kinds of implementation.

curious.netter
  • Would you please downvote with a reason? I will be more than happy to take this question down. – curious.netter May 04 '18 at 14:15
  • Not the downvoter (although I considered it). Your question is very broad and is much more about the legality of doing this than a technical problem. You should consult a lawyer to see if this approach is legally acceptable (if not, there's no point in implementing it). – xxbbcc May 04 '18 at 14:28
  • @xxbbcc: I agree it's broad but this is also a technical problem, i.e. give user a choice, either to accept cookies or block them from using our service. The challenge is, the same solution should be used across all our application. – curious.netter May 04 '18 at 14:31
  • It's still a legal issue - is it valid to store such agreement in a volatile cookie? You should consult a lawyer first to get your requirements before you can solve the problem. – xxbbcc May 04 '18 at 14:53
  • I think I did not write clearly, we are just going to add an 'acceptCookie' which is just for the purpose of checking if a user has given us consent. This cookie will have no other purpose other than letting us know the user has given us consent. We are not allowed to use any cookies that track users. – curious.netter May 04 '18 at 14:57
  • This has nothing to do with javascript. Please don't add invalid tags just to get attention. – gforce301 May 04 '18 at 15:01
  • gforce301: removed (ok you did that), thanks for pointing out. Actually, there is also a solution in javascript which might fit someone's need, see here https://cookieconsent.insites.com/documentation/javascript-api/ – curious.netter May 04 '18 at 15:12

1 Answer

2

Finally, I came up with something that I wanted: intercepting the user request and redirecting based upon a certain cookie. This can be used as a nuget as we have multiple applications, and saving cookies could be done from one of the applications. As it is made as an action filter attribute, it can be placed above the controller:

[MyAcceptCookieCheck]
public class HomeController : Controller

This makes it easy to implement across all applications, and operations regarding saving cookies will be done from one of the applications so that it will be easy to make any changes, i.e., only from one place.

using System.Web.Mvc;
using System.Web.Routing;

public class MyAcceptCookieCheck : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var cookies = filterContext.HttpContext.Request.Cookies["OurAcceptCookie"];
        var values = filterContext.RouteData.Values.Values;
        // Original URL, handed to the consent page so the user can be sent back afterwards
        string originalRequest = filterContext.HttpContext.Request.Url.AbsoluteUri;
        RouteValueDictionary requestOrigin = new RouteValueDictionary { { "url", originalRequest } };
        if (cookies == null && !values.Contains("CookieConsent")) //so that it won't loop endlessly
        {
            UrlHelper urlHelper = new UrlHelper(filterContext.RequestContext);
            //filterContext.Result = new RedirectResult(urlHelper.Action("CookieConsent", "Home"));
            filterContext.Result = new RedirectResult(urlHelper.Action("CookieConsent", "Cookie", requestOrigin, "https", "www.my-domain.com/mysitename"));
            return;
        }
        // Cookie present (or this is the consent page itself): let the requested
        // action run. Setting a redirect to the same controller/action here would
        // send every request back through this filter and never reach the action.
        base.OnActionExecuting(filterContext);
    }
}

Code for AbsolutePath (courtesy):

// Extension methods must be declared in a static class; the class name is arbitrary.
public static class UrlHelperExtensions
{
    public static string AbsolutePath(this UrlHelper url, string actionName, string controllerName, object routeValues = null)
    {
        string scheme = url.RequestContext.HttpContext.Request.Url.Scheme;
        return url.Action(actionName, controllerName, routeValues, scheme);
    }
}

Now, I can redirect all requests without having that particular cookie to a cookie consent page and show user all the details about cookies being used and ask for permission to save "ConsentCookie".

curious.netter
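The filter in this answer hands the original request's absolute URI to the consent page as a `url` route value, so the consent action must validate that value before redirecting back, otherwise it becomes an open redirect. The following is an added sketch and not part of the original answer: the body of `CookieController`, the `Accept` action, the `Index`/`Home` fallback, the host allow-list and the one-year lifetime are all assumptions. `Url.IsLocalUrl` does not help here because the value is absolute and may point at a sibling application.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public class CookieController : Controller
{
    // Assumption: hosts of our own applications that are valid redirect targets.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.my-domain.com" };

    // Returns the parsed, normalized URL only when it is an absolute https URL
    // on one of our hosts; anything else falls back to a fixed local page.
    internal static string SafeReturnUrl(string url, string fallback)
    {
        Uri parsed;
        if (!string.IsNullOrEmpty(url)
            && Uri.TryCreate(url, UriKind.Absolute, out parsed)
            && parsed.Scheme == Uri.UriSchemeHttps
            && AllowedHosts.Contains(parsed.Host))
        {
            return parsed.AbsoluteUri;
        }
        return fallback;
    }

    // GET: consent page. The view posts ViewBag.ReturnUrl back as "url".
    public ActionResult CookieConsent(string url)
    {
        ViewBag.ReturnUrl = SafeReturnUrl(url, Url.Action("Index", "Home"));
        return View();
    }

    // POST: user accepted. The form must include @Html.AntiForgeryToken().
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Accept(string url)
    {
        var consent = new HttpCookie("OurAcceptCookie", "1")
        {
            HttpOnly = true,   // marker only, no script needs to read it
            Secure = true,     // sent over https only
            Path = "/",        // visible to every application on this host
            Expires = DateTime.UtcNow.AddYears(1)
        };
        Response.Cookies.Add(consent);
        return Redirect(SafeReturnUrl(url, Url.Action("Index", "Home")));
    }
}
```

The URL is validated again on the POST because the hidden form field is client-controlled, and the normalized `AbsoluteUri` is returned rather than the raw string so the browser receives exactly what was checked.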