Hi CouchCMS community,

It's neither a bug nor troubleshooting. Anyhow, I firmly believe that this forum suits my case best.

I have the requirement not to set any cookies for visitors of the website (EU GDPR, data avoidance and stuff). I understand that CouchCMS requires PHP sessions (along with a cookie) for administrators and editors, which is fine. Anyhow, CouchCMS creates PHP sessions for all visitors, both CouchCMS users and regular visitors. I don’t use shopping carts or any interactive content. So, technically speaking, I don’t need the session/cookie for regular visitors and would like to omit this cookie whenever possible.

As far as I understand, there is no (built-in) way to turn off session cookies in CouchCMS and to have sessions/cookies only for those visitors who actually visit the backend?

Without having read through all of the source code, I assume the session and the cookie are always created in functions.php, line 2151, when creating a nonce. Well, unless there already is a session for other reasons. Do you think I could just patch the create_nonce() function not to call session_start() in line 2151 and instead provide some other reasonable kind of unique id/randomness? As far as I understand, this will probably break the matching of visitors to nonces as every call to create_nonce() will yield a new, different nonce. And thus, every call to validate_nonce() in line 2162ff, will do this, too. I am aware that my proposed patch will break shopping carts and similar, which I don’t need for this specific website.

Do you believe that my workaround would be a viable---though quirky---solution to my issue? Any advice would be appreciated.

As GDPR allows some cookies without consent, I would accept the session cookie as part of my "plan B". However, I went to great lengths to avoid all third party cookies. It would be a pity if the no-cookies approach would fail because of a first party cookie. :|

Best regards
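
An added example, not part of the original post and not CouchCMS code: it shows why a nonce built from fresh randomness on every call cannot be validated by recomputation, next to a session-free variant that derives the nonce from a server-side secret, the action and a time window. All function names, the secret and the timestamps are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical helpers, not CouchCMS functions.

// Variant discussed in the post: new randomness on every call. Nothing links
// the value created at render time to the value recomputed at validation time.
function random_nonce(string $action): string {
    return hash('sha256', $action . bin2hex(random_bytes(16)));
}

// Session-free variant: HMAC over the action and a coarse time tick.
// It is not bound to a visitor; it limits reuse by action and time only,
// which is the trade-off of dropping the session.
function stateless_nonce(string $action, string $secret, ?int $now = null, int $ttl = 3600): string {
    $tick = intdiv($now ?? time(), $ttl);
    return hash_hmac('sha256', $action . '|' . $tick, $secret);
}

// Accept the current tick and the previous one, so a nonce issued just
// before a tick boundary still validates.
function validate_stateless_nonce(string $nonce, string $action, string $secret, ?int $now = null, int $ttl = 3600): bool {
    $now = $now ?? time();
    foreach ([0, 1] as $age) {
        $expected = stateless_nonce($action, $secret, $now - $age * $ttl, $ttl);
        if (hash_equals($expected, $nonce)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

$secret = 'constructed-demo-key-do-not-reuse'; // constructed value
$t0 = 1700000000;                              // constructed timestamp

// Random variant: compare two independent calls for the same action.
var_dump(hash_equals(random_nonce('contact_form'), random_nonce('contact_form')));

// Stateless variant: issue at $t0, then validate under three conditions.
$n = stateless_nonce('contact_form', $secret, $t0);
var_dump(validate_stateless_nonce($n, 'contact_form', $secret, $t0 + 600));      // same action, 10 minutes later
var_dump(validate_stateless_nonce($n, 'other_form', $secret, $t0 + 600));        // different action
var_dump(validate_stateless_nonce($n, 'contact_form', $secret, $t0 + 3 * 3600)); // three windows later
```
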
Copying my email discussion with Florian here as this topic seems to be of interest to others too -


OK, so this is an interesting issue :)

'Session', as you know, is intrinsic to how PHP works and tampering with it could lead to unforeseen issues going ahead.

From what I could gather about GDPR (and, of course, you'll know better than me), not all cookies are avoidable and so there is a provision to announce which cookies are being used by the site e.g.

I wonder if you have already explored this way?

Thanks and regards


Thank you for your research on Cookies and GDPR. I am aware that some cookies are allowed without prior consent. That’s “plan B” :) However, we spent a lot of time to create a website without any third party cookies and I would be really sad if our no-cookies policy would fail because of a first-party cookie.

Thanks and best regards
