Future Media Standards & Guidelines

Customising Content Using Cookies, Registration and Single Sign-On (SSO) v1.2

1. Overview

1.1. This document sets out the standards for customising users' experiences of your site. You can achieve this by two methods:

  • By placing a cookie on their computer, which will mean that the customisation is specific to that computer; or
  • By using registration, which will identify the actual user. This will require you to comply with the Data Protection Act (1988). See Technical Implementation of DPA Version 1.0 for further information.

2. How to Decide Between Using Cookies or Registration

2.1. If you want to do any of these things, you SHOULD use cookies:

  • When you want to store and make use of user settings without requiring the user to log on with a username and password; that is, you want to use the easiest (lowest cost to the user) interface.
  • When the information does not need to be secure (it's not personal information).
  • When you do not need to guarantee that the person, rather than the computer, is who they say they are (via the security of a username and password).
  • Examples: news cookie for UK/Global news preferences; postcode/location preference on home page or weather site.

2.2. If you want to do any of these things, you SHOULD use registration:

  • When you need users to log on with a username and password and you are not concerned about the potential drop-out rate of asking users to do this.
  • When the information does need to be secure; that is, it's personal information, rather than information on a computer or unique user, and will thus require DPA-compliance.
  • When you need to guarantee that the person is who they say they are (when knowing what computer they're using isn't enough).
  • When you need to be able to contact the user; for example, the user is part of a community that you are creating, and you want/need to be able to contact all the members of the community as part of your project.
  • Examples: user data on Fat Nation (needs to be DPA-compliant and secure in transit); any data entered on a bbc.co.uk message board (needs to be from a specific registered user login, must not be able to be spoofed by someone else).
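The distinction drawn in 2.1 and 2.2 can be enforced in code rather than left to convention. The following added example (not part of the BBC standard or of any BBC system) shows a preference cookie of the kind described in 2.1, a UK/Global news edition setting, built with Python's standard `http.cookies` module. The allow-list of preference names and values, the `PERSONAL_FIELDS` set, and the one-year lifetime are constructed for this example; the point is that a cookie only ever carries a value from a fixed allow-list, and an attempt to put identifying data into one is refused so that it must go through registration instead.

```python
from http.cookies import SimpleCookie

# Constructed allow-list: settings tied to the computer rather than to an
# identified person, as in the news-edition example in section 2.1.
ALLOWED_PREFERENCES = {
    "news_edition": {"uk", "global"},
}

# Constructed list of field names that identify a person. These belong
# behind registration (section 2.2), never in a preference cookie.
PERSONAL_FIELDS = {"email", "name", "username", "password", "dob"}

COOKIE_MAX_AGE = 365 * 24 * 3600  # one year, so the setting survives across sessions


def preference_cookie(name, value):
    """Return a Set-Cookie header value for a non-personal preference.

    Raises ValueError if the name is personal data or the value is not on
    the allow-list, so nothing unexpected is ever written to the client.
    """
    if name in PERSONAL_FIELDS:
        raise ValueError(f"{name!r} is personal data; use registration, not a cookie")
    allowed = ALLOWED_PREFERENCES.get(name)
    if allowed is None or value not in allowed:
        raise ValueError(f"{name}={value!r} is not an allowed preference")
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["max-age"] = COOKIE_MAX_AGE
    cookie[name]["path"] = "/"
    cookie[name]["samesite"] = "Lax"  # not attached to cross-site requests
    cookie[name]["httponly"] = True   # not readable by page scripts
    return cookie[name].OutputString()


def read_preference(cookie_header, name, default):
    """Read a preference back from a Cookie request header.

    Anything not on the allow-list (tampered, stale or unknown) falls back
    to the default rather than being trusted.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(name)
    if morsel is None or morsel.value not in ALLOWED_PREFERENCES.get(name, ()):
        return default
    return morsel.value


if __name__ == "__main__":
    print("Set-Cookie:", preference_cookie("news_edition", "global"))
    print("edition:", read_preference("news_edition=global; other=1", "news_edition", "uk"))
    print("edition (tampered):", read_preference("news_edition=mars", "news_edition", "uk"))
```

Because the cookie holds no personal information, it does not need the Secure attribute under section 6.2; if the whole site is served over https, adding `cookie[name]["secure"] = True` keeps it off plain-http connections as well.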

3. Standards For Use of Cookies

3.1. If you are going to introduce a cookie to enable user settings to be retained across sessions, you MUST abide by the Cookie Standards.

4. Standards For Use of Registration

4.1. If you need to use registration, then you either:

4.1.1. MUST use Single Sign-On (SSO); for usage instructions see New Media/Single Sign-on [internal BBC document; gain access via your Technical Account Manager]; or

4.1.2. MUST gain approval for using another registration system from the advisors on the Registration Working Group (contact Editor, Standards and Guidelines) before implementing it in your website project.

4.2. Vital information: the use of any registration system other than SSO must be supported by a business case for why the proposed alternative is considered to be better suited to the project. This should include:

  • Assurance that the proposed system provides secure storage of personal details, which complies with DPA (see Information Security and Privacy Standards).
  • Reasons why the benefits of using the system outweigh the benefits of using SSO (which already provides the user with one member name and one password for access to an increasing number of services across bbc.co.uk).

5. CAPTCHAs

5.1. Due to accessibility concerns you MUST NOT use CAPTCHAs on bbc.co.uk without first discussing this with the Editor, Standards and Guidelines.

6. Note on Secure Data In-Transit Requirements

6.1. You MUST remember your responsibilities under the Data Protection Act, and the scope for users posting inappropriate material. See section 6.4 of the BBC Online Editorial Guidelines.

6.2. All bbc.co.uk content or services which send personal information (see Information Security and Privacy Standard for a definition) over the Internet MUST ONLY send that information over SSL (https) connections. Refer to Server-side Application Development Standards (restricted access, post-NDA only) and XHTML Integrity Standards for more information.
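Clause 6.2 is easiest to keep when the application refuses to act on personal information that did not arrive over SSL, rather than relying on every form author to remember the rule. The following added example (not BBC code, and not a description of any BBC system) is a small WSGI middleware in Python that inspects the query string and any form body for personal-data field names and returns 403 when the request came in over plain http. The `PERSONAL_FIELDS` list, the host name and the sample requests are constructed for the example; trusting `X-Forwarded-Proto` is an assumption that only holds when a front-end proxy you control sets that header and strips any client-supplied copy.

```python
import io
from urllib.parse import parse_qs

# Constructed list of form/query field names treated as personal information.
PERSONAL_FIELDS = {"email", "name", "password", "dob", "phone"}


def is_https(environ):
    """True if the request reached the application over SSL/TLS.

    Assumption: X-Forwarded-Proto is set by a trusted front-end proxy; without
    one, only wsgi.url_scheme should be consulted.
    """
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return scheme.lower() == "https"


def submitted_fields(environ):
    """Names of every query-string and url-encoded form-body field in the request."""
    fields = set(parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True))
    is_form = environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded")
    if environ.get("REQUEST_METHOD") == "POST" and is_form:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length)
        environ["wsgi.input"] = io.BytesIO(body)  # let the application read it again
        fields |= set(parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True))
    return fields


def require_https_for_personal_data(app):
    """WSGI middleware: refuse to process personal information that arrived in the clear."""
    def wrapped(environ, start_response):
        personal = submitted_fields(environ) & PERSONAL_FIELDS
        if personal and not is_https(environ):
            # The data has already crossed the network unencrypted. Do not act on
            # it, and do not redirect in a way that would make the client re-send it.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Personal information must be submitted over an https connection.\n"]
        return app(environ, start_response)
    return wrapped


def call(app, environ):
    """Minimal WSGI caller for demonstration: returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def make_environ(method, path, query="", scheme="http", form=None):
    """Construct a WSGI environ for the sample requests (constructed host name)."""
    body = (form or "").encode()
    return {
        "REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
        "wsgi.url_scheme": scheme, "HTTP_HOST": "www.example.invalid",
        "CONTENT_TYPE": "application/x-www-form-urlencoded" if form else "",
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }


def hello(environ, start_response):
    """Stand-in application that would process the submitted data."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


app = require_https_for_personal_data(hello)

if __name__ == "__main__":
    samples = [
        make_environ("GET", "/news", "edition=uk"),                                    # no personal data: allowed
        make_environ("POST", "/register", form="email=a%40example.invalid"),           # personal data over http: refused
        make_environ("POST", "/register", scheme="https", form="email=a%40example.invalid"),  # over https: allowed
    ]
    for env in samples:
        print(env["REQUEST_METHOD"], env["PATH_INFO"], env["wsgi.url_scheme"], "->", call(app, env)[0])
```

The check is deliberately on field names rather than on the URL, so a registration form that is later moved or duplicated to an http page is caught automatically; the complementary measure is to serve the form page itself only over https, since a form delivered over http can have its action rewritten in transit before the user ever submits anything.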

7. Document History

| Date | Version | Change | Author |
|---|---|---|---|
| 07/04/2008 | v1.2 | CAPTCHA clause promoted following review by Richard Northover. | Victoria Jolliffe |
| 31/03/2008 | v1.1 | Document reorganised slightly. Clause added on use of CAPTCHAs. | Victoria Jolliffe |
| 25/03/2005 | v1.00 | Renumbered as v1.00 on final approval from Standards Exec | Jonathan Hassell |
| 14/03/2005 | v0.15 | Clarifying revisions by Sally Underwood | Sally Underwood |
| 14/03/2005 | v0.14 | Brief updates from Jonathan Hassell, pre-presentation to the Tech Forum | Jonathan Hassell |
| 25/02/2005 | v0.13 | Updates after some further consideration; now needs to be reviewed by all on the Registration Working Group, and then passed by the Technical Forum | Jonathan Hassell |
| 07/01/2005 | v0.12 | Minor revisions after approved updates to Cookie Standards | Jonathan Hassell |
| 05/10/2004 | v0.11 | After comments by Tim West | Jonathan Hassell |
| 30/09/2004 | v0.1 | First version of potential doc; just a high-level view of the standards which need to be in this document | Jonathan Hassell |

Document editor: Editor, Standards & Guidelines. If you have any comments, questions or requests relating to this document, please contact the Editor, Standards & Guidelines.

Like all other Future Media Standards & Guidelines, this page is updated on a regular basis, through the process described on About Standards & Guidelines.
