ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

In What Situations Does EE Set Cookies?

February 23, 2010 5:39pm

  • #1 / Feb 23, 2010 5:39pm

    Brettro

    8 posts

    I’m looking at using EE for a client with very stringent privacy requirements.  No cookies should be set on any part of the website for users simply browsing through the site.  (This *excludes* users who need access to the admin area.)

    Does EE set any cookies for any reason when a user browses through an EE website?  If so, can those cookies be disabled?

  • #2 / Feb 24, 2010 11:52am

    Lisa Wess

    20502 posts

    Hi, Brettro,

    You are able to set “sessions only” for the front-end which should not set any cookies.  I would double check this, however, and get back to you.

  • #3 / Feb 24, 2010 3:44pm

    Lisa Wess

    20502 posts

    Hi, Brettro,

    Alright, here’s the low-down.  Even with “sessions only” set, ExpressionEngine sets some cookies:

    * exp_last_visit
    * exp_last_activity

    * exp_tracker also is set and expires at the end of the session, but the other two will remain.

    Changing this behavior would require a hack to the core files.

  • #4 / Feb 26, 2010 5:07pm

    Brettro

    8 posts

    Hey Lisa,

    Thank you for the follow-up!  Are these cookies set when a random user surfs an EE managed website? Or are they set when a user logs in to the admin area?  I just want to clarify so I’m sure I understand.

    Thanks!!

  • #5 / Feb 26, 2010 5:31pm

    Lisa Wess

    20502 posts

    The cookies mentioned are for any visitor, even logged out.

  • #6 / Feb 27, 2010 3:07pm

    grrramps

    2219 posts

    “I’m looking at using EE for a client with very stringent privacy requirements.  No cookies should be set on any part of the website for users simply browsing through the site.”

    That’s an interesting requirement. It’s been many years since I ran into a client with such concerns. Cookies are about as benign as you can get. What’s their reasoning?

  • #7 / Feb 27, 2010 3:13pm

    Brettro

    8 posts

    It’s a U.S. government client and the privacy requirements for federal websites are stringent.  More clearly, session cookies are allowed, but persistent cookies are not without a justification which is published, reviewed, and renewed annually.

  • #8 / Feb 27, 2010 3:36pm

    grrramps

    2219 posts

    “It’s a U.S. government client and the privacy requirements for federal websites are stringent.  More clearly, session cookies are allowed, but persistent cookies are not without a justification which is published, reviewed, and renewed annually.”

    Interesting.

    This dates back to 1999 and a government policy was issued banning cookies—except when it would be OK and approval granted. So much for the ban. Now the government is willing to visit the issue again and may remove the ban (thanks to a CIO who appears to know something about the technology of cookies).

  • #9 / Mar 01, 2010 1:09pm

    Brettro

    8 posts

    “Changing this behavior would require a hack to the core files.”

    Lisa,

    When you say it would require a hack to the core files, is this something that I can actually do? I realize a hack is not desirable, but I would hate to have to remove EE from consideration because of my cookie requirements.  It is, in my opinion, the best option out there.

  • #10 / Mar 01, 2010 1:13pm

    Lisa Wess

    20502 posts

    Hi, Brettro - the source code is not encrypted (except in the 2.0 Trial); it’s just PHP.  So certainly you can modify that code; but it can affect your ability to upgrade, and your ability to receive support.  You would also need to track your code modifications to re-apply them after an upgrade.

  • #11 / Mar 01, 2010 4:41pm

    Brettro

    8 posts

    Lisa, thank you so much for your quick and helpful replies!  Hopefully this will be my last question.  Based on the cookies’ names, I am assuming that they are set for use by the Statistics module to help determine who might be signed in online and for other basic tracking statistics.  Can you confirm that for me?  Or, if they aren’t used for that purpose, explain what they are used for?

    Thanks so much!!

  • #12 / Mar 01, 2010 4:48pm

    Lisa Wess

    20502 posts

    * exp_last_visit
    * exp_last_activity

    This stores a date/time stamp for use, yes, in items like the online users list.

    * exp_tracker

    This handles items like login form redirects (if you don’t set it, should go back 2 pages).  That sort of thing.

    It is really basic information, you can check the contents by examining the cookies on your machine.
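
Added example, not part of the original thread or of ExpressionEngine's code: one way to audit a logged-out response for the cookies named above against the rule from post #7 (session cookies allowed, persistent ones not). The header lines, cookie values and dates are constructed, and `classify` and `persistent_cookies` are names chosen for this sketch.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed response headers, not captured from a real site. Lifetimes follow
# the thread: exp_tracker ends with the session, the other two persist.
SAMPLE_HEADERS = [
    "Set-Cookie: exp_last_visit=1267026240; expires=Thu, 24 Feb 2011 15:44:00 GMT; path=/",
    "Set-Cookie: exp_last_activity=1267026240; Max-Age=31536000; path=/",
    "Set-Cookie: exp_tracker=constructed-value; path=/",
    "Content-Type: text/html",
]
NOW = datetime(2010, 2, 24, 15, 44, tzinfo=timezone.utc)  # fixed clock for the sample


def classify(header_line, now):
    """Return (name, kind); kind is 'session', 'persistent' or 'deleted'."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Max-Age wins over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            return name, "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # an unparseable Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            when = None  # an unparseable date is ignored: session cookie
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return name, "persistent" if when > now else "deleted"
    return name, "session"


def persistent_cookies(header_lines, now):
    """Names of cookies that would outlive the browser session."""
    return [name for line in header_lines
            if line.lower().startswith("set-cookie:")
            for name, kind in [classify(line, now)] if kind == "persistent"]


if __name__ == "__main__":
    for cookie in persistent_cookies(SAMPLE_HEADERS, NOW):
        print("persistent cookie set for anonymous visitor:", cookie)
```

Run it over the header lines of a logged-out request to each page type; an empty result means only session cookies were set.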

  • #13 / Mar 02, 2010 1:08pm

    Brettro

    8 posts

    Lisa, would a better-than-a-hack approach be to build a plug-in that changes the persistent cookies to session cookies?  Is that even a possibility??

  • #14 / Mar 02, 2010 1:27pm

    Lisa Wess

    20502 posts

    Hi, Brettro - I’m not sure an add-on can make that change.  Here are our Dev Docs.

    If one can, it would be an extension to modify EE’s behavior.  I think it’s likely you’ll need a hack for this though.

  • #15 / Mar 16, 2010 1:13pm

    yakogg

    2 posts

    What can we do to delete these cookies?
