Privacy policy: Cookies
Your web browser must support cookies to use this site. Cookies are a way of storing information on your computer about a previous page you viewed. Cookies allow the applications that comprise this web site to recognise your web browser when it requests a page as the same, or as a different web browser, from one that fetched a page a moment ago.
This site is built using Ruby on Rails applications. These applications all store a session cookie to maintain state across page fetches; these cookies do not store personal information unless you explicitly log in to the site. Session cookies store only a session ID, which is used by the RISC OS Open web site’s server to access data stored only on that server. Consequently, they are relatively secure, containing in themselves no useful information to the outside world, personal or otherwise.
Session cookie details
For reference, the names of the session cookies set for the RISC OS Open Web site Rails application session management are: _canvass_session, _hub_session, _instikiapp_session_id, _radiantapp_session_id, beastapp_session_id, collaboaapp_session_id, gulleryapp_session_id and typoapp_session_id. To clear the cookies, use your web browser’s cookie management interface or contact your web browser supplier for more information.
Other cookies are:
- typoapp_is_admin, typoapp_url and typoapp_email: the first is only used for administrative users and is a low security record of administrative privileges used only for user interface purposes (the application back-end tracks privileges independently to enforce full security should someone try to hack the cookie). The other two cookies are set if you comment on an article and decide to set a personal Home page address or e-mail address. The information is recorded in a cookie so that next time you want to add a comment, the relevant form fields can be filled in automatically. To clear the information, delete the cookies using your web browser’s cookie management interface (if it has one) or submit a new comment to any news post, making sure that you delete the URL and/or e-mail address in the comment form first.
- The Radiant application uses cookie expanded_rows for administrative users when editing pages. This does not apply to normal site visitors (the cookie is used to record viewing preferences on a list of pages in the page editor).
- The Hub single sign-on mechanism uses cookie hubapp_shared_id to hold an encrypted session key used by an internal authorisation server. This server maintains session state details while you are logged in. It works on entirely local connections to the server, with no public listening sockets. The cookie is only sent out over secure connections (for more, see below). The authorisation database details are cleared if you explicitly log out or if your session with the RISC OS Open site times out (again, for more, see below).
The Hub cookie and security
The Hub cookie used to identify you as logged in is set up so that your browser will only send it when a secure communications link is in place. Over insecure connections, the RISC OS Open site will believe that you are logged out at all times. This prevents the cookie from being “stolen” off the wire and used on another machine to hijack your session. The cookie holds no personal information itself but includes a key to the authorisation server and that does hold such data. This always ought to be your personal data since you are the person who logged on (!) but it still needs to be kept secure in case you, say, use a public computer (e.g. in a library) and forget to log out, leaving the cookie set on the public machine.
For this reason, the cookie is encrypted so that the actual authorisation server session ID cannot readily be retrieved by simple examination. The cookie only exists for the duration of a web browser session.