
To comply with GDPR without an annoying cookie banner, I would like the public pages on my website to not store cookies. To facilitate the journey of registered users, I would like to use flash messages. The problem is that these two seem incompatible, as setting sessions:

const express = require('express');
const session = require('express-session');
const MongoDBStore = require('connect-mongodb-session')(session);
const config = require('./config');  // assumed to hold mongoUri, secret and secureCookies
const app = express();
// Assumed definition: roughly 3 months in milliseconds, matching the comment below.
const max_session_ms = 90 * 24 * 60 * 60 * 1000;

// Initialize mongodb session storage to remember users.
const store = new MongoDBStore({
  uri: config.mongoUri,
  // The 'expires' option specifies how long after the last time this session was used should the session be deleted.
  // Effectively this logs out inactive users without really notifying the user. The next time they attempt to
  // perform an authenticated action they will get an error. This is currently set to 3 months (in milliseconds).
  expires: max_session_ms,
});

// Enable sessions using signed cookies (express-session always signs the cookie with `secret`;
// it does not encrypt it).
app.use(
  session({
    cookie: {
      // Specifies how long the user's browser should keep their cookie, probably should match session expiration.
      maxAge: max_session_ms,
      sameSite: "strict",
      httpOnly: true,  // Don't let browser javascript access cookies.
      secure: config.secureCookies, // Only use cookies over https in production.
    },
    store: store,
    secret: config.secret,
    resave: false,  // Don't rewrite unchanged sessions to the store. See https://github.com/expressjs/session#resave
    saveUninitialized: false,  // Save only explicitly, e.g. when logging in.
  })
);

and flash messages with:

const flash = require("express-flash");  // Disabled to avoid cookies.
app.use(flash());

stores a cookie in the browser with an empty flash message for public pages. I don't think server-side only flash messages exist (see Server-side only flash messages (no cookies)). I tried setting res.locals but it gets erased between redirects.

Is it possible to store cookies only for visitors who agreed to the terms in the logged-in area of the website and not for visitors in general?

miguelmorin
    Have a middleware which checks if an `accepted` param is present in the request? In other middleware respect this flag? – Silvan Bregy Dec 05 '21 at 19:31
  • @Silvan Bregy That might suit some use cases. In mine, I only want to use flash requests in routes reserved for users who created an account and accepted terms. When I include the flash request package, I get cookies saved for public areas of the website, not just for pages of registered users. – miguelmorin Dec 05 '21 at 22:11

1 Answer

3 remarks about your question:

  • requesting consent is not based on GDPR, it's requested by EU directive 2002/58/CE
  • this directive states explicitly that you don't need to request consent if you are storing a session on the user's browser
  • storing a cookie or a flash is the same from the EU directive's point of view; you can't avoid requesting consent in the case it's required by replacing cookies with anything that writes data in the user's browser
  • if the rules are not clear for you, check the CNIL's page (French data protection authority) for example: https://www.cnil.fr/fr/nouvelles-regles-cookies-et-autres-traceurs-bilan-accompagnement-cnil-actions-a-venir

EDIT:

For everyone, to clarify when consent is needed, it's best you read the text of the directive directly; it's very clear (article 5.3 of the ePrivacy directive 2002/58):

  1. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information (...) about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Tibo
  • So I could use two cookies, one to store sessions and flash messages on the user's browser without needing consent, and another with just a code to identify users who created an account and link them to my database. That makes sense, yes. I'm not sure how NodeJS would handle two separate sessions, though. – miguelmorin Dec 12 '21 at 20:09
  • When it comes to session management, you don't need express consent. You would need express consent for ads for example, or anything else like that. But sessions (cart sessions), or access sessions are out of scope in this case. Other cases are for language preferences: you can store a lang cookie without asking consent. – Tibo Dec 14 '21 at 14:53
  • Ah, so I understand your idea about flash messages (like popup messages if I get it right): what are these messages about? If they are about updates (ex: conversations between users) then they don't need consent. But if you send marketing messages (ex: subscribe to our newsletter) then consent is needed – Tibo Dec 14 '21 at 14:55
  • Very informative, thank you. I use flash messages for handling errors. Yes, it's similar to pop-ups and Javascript alerts, except that they appear after loading the next page. See for example this thread, where the user sees an error message after a failed login: https://stackoverflow.com/questions/15711127/express-passport-node-js-error-handling – miguelmorin Dec 15 '21 at 20:16