I’m setting up a discourse forum in a very privacy-aware environment. The current snag I’m running into is the persistent sessions
setting, i.e. “remember me” for login. As far as I can tell the GDPR requires a user to give explicit consent for storing functionality/preference cookies, which includes persistent sessions (as the cookie used to handle a persistent session, or actually its lifetime beyond the browser session, is not strictly necessary).
This leads to two very unattractive choices:

- Disable persistent sessions, forcing every user either to log in every time they visit the forum, or to suggest/force them to use browser-based credential storage if they want to avoid logging in manually every time. However, since we will be using SSO for forum access, and there are many different services accessed through that SSO login, having users store SSO credentials just for accessing the forum is not good policy. It might do more harm than good.
- Enable persistent sessions. But here I don’t see a feasible method for having a cookie banner integrated in Discourse that handles a per-user configuration value of the persistent sessions flag. The latter is crucial, as consent needs to be given by the user, including being able to retract that consent, which requires some form of cookie banner/management solution.
I’m active on a number of Discourse forums that have persistent sessions enabled but don’t provide a cookie consent option (which includes this meta forum). And it seems to me they are operating in violation of the GDPR?
Am I wrong in the above reading (as I’m not a lawyer)? And are there really no good solutions available that integrate a cookie consent banner in Discourse that allows configuring a per-user persistent cookie setting?
Edit: I did read Cookie Consent, GDPR, and Discourse, and posts like Session Timeout - #56 by sam before posting, but they don’t really come to the crux on persistent sessions