Hi CouchCMS community,

It's neither a bug nor troubleshooting. Anyhow, I firmly believe that this forum suits my case best.

I have the requirement not to set any cookies for visitors of the website (EU GDPR, data avoidance and stuff). I understand that CouchCMS requires PHP sessions (alongside with a cookie) for administrators and editors, which is fine. Anyhow, CouchCMS creates PHP sessions for all visitors, both CouchCMS users and regular visitors. I don’t use shopping carts or any interactive content. So, technically speaking, I don’t need the session/cookie for regular visitors and would like to omit this cookie whenever possible.

As far as I understand, there is no (built-in) way to turn off session cookies in CouchCMS and to have sessions/cookies only for those visitors who actually visit the backend?

Without having read through all of the source code, I assume the session and the cookie are always created in functions.php, line 2151, when creating a nonce. Well, unless there already is a session for other reasons. Do you think I could just patch the create_nonce() function not to call session_start() in line 2151 and instead provide some other reasonable kind of unique id/randomness? As far as I understand, this will probably break the matching of visitors to nonces as every call to create_nonce() will yield a new, different nonce. And thus, every call to validate_nonce() in line 2162ff, will do this, too. I am aware that my proposed patch will break shopping carts and similar, which I don’t need for this specific website.

Do you believe that my workaround would be a viable---though quirky---solution to my issue? Any advice would be appreciated.

As GDRP allows some cookies without consent, I would accept the session cookie as part of my "plan B". However, I went great lengths to avoid all third party cookies. It would be a pity if the no-cookies approach would fail because of a first party cookie. :|

Best regards