Pete

Reputation: 4622

ColdFusion Cookie and EU Cookie Law

ColdFusion sets the CFID and CFTOKEN cookie on every single page, obviously connecting that to a session on the server.

However, with the EU cookie law coming up I'm not sure how to sort this out. The CFID and CFTOKEN cookie is only needed if I need to use the SESSION scope in my application.

Probably 90% of our website tools don't need to use the session. However, our login system obviously uses the SESSION, and we have a few tools that we store user preferences in.

If I disable the CFID and CFTOKEN cookie from being set in the ColdFusion administrator, can I later turn that on for individual requests, based on a per user basis?

i.e. if a user says "yes I want cookies", can I then request a ColdFusion page that sets the cookies for future use?

Sorry if that question is a little unclear.

Upvotes: 0

Views: 1243

Answers (2)

Colin Jones

Reputation: 34

OK, if you don't want to rely on the exception, there are a couple of possibilities:

If you really want to disable/enable cookies dynamically you can use the setclientcookies="no" attribute in the cfapplication tag. This could be a dynamic value depending on whether they had accepted or not - so it defaults to no, but if they select to accept cookies later would switch to yes.

Or you could do away with cookies altogether and simply pass URL parameters - see "Using client and session variables without cookies" here: http://tinyurl.com/2c6jyfy

Upvotes: 1
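The dynamic `setclientcookies` approach from the answer above, sketched as an added example that is not part of the original answer. The cookie name `COOKIE_CONSENT`, the form field `acceptCookies` and the application name are hypothetical.

```cfml
<!--- Application.cfm: added example. COOKIE_CONSENT, acceptCookies and
      exampleApp are hypothetical names, not taken from the original post. --->

<!--- 1. Record consent when the visitor submits the site's consent form. --->
<cfif structKeyExists(form, "acceptCookies") AND form.acceptCookies EQ "yes">
    <!--- httponly keeps the flag away from client-side script. --->
    <cfcookie name="COOKIE_CONSENT" value="yes" expires="365" httponly="true">
    <cfset allowCookies = true>
<cfelse>
    <!--- Only the exact value "yes" counts; anything else is treated as no consent. --->
    <cfset allowCookies = structKeyExists(cookie, "COOKIE_CONSENT")
                          AND cookie.COOKIE_CONSENT EQ "yes">
</cfif>

<!--- 2. Default to no CFID/CFTOKEN cookies. Session management follows the same
      flag: with sessions on but cookies off, every request without CFID/CFTOKEN
      in the URL would start a new, unused session on the server. --->
<cfapplication
    name="exampleApp"
    sessionmanagement="#yesNoFormat(allowCookies)#"
    setclientcookies="#yesNoFormat(allowCookies)#"
    sessiontimeout="#createTimeSpan(0, 0, 30, 0)#">

<!--- 3. Code that touches the SESSION scope has to be guarded, because the
      scope does not exist for visitors who have not consented. --->
<cfif allowCookies>
    <cfparam name="session.preferences" default="#structNew()#">
</cfif>
```

Keeping the identifiers in cookies rather than URL parameters also keeps CFID and CFTOKEN out of server logs, browser history and Referer headers. Any `cflocation` redirect on the site should use `addtoken="false"` for the same reason.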

Colin Jones

Reputation: 31

Cookies such as CFID and CFTOKEN would be very likely to fall within the exception to the new law as effectively they are required for your site to operate and in themselves pose no threat to privacy.

Session cookies like these are generally being accepted as being excluded from the requirement for consent. See the ICO guidance document here: http://t.co/kvNH1QME - pages 9-10 describe the exception.

Upvotes: 3
