Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

We're retiring the forums!

The SilverStripe forums have passed their heyday. They'll stick around, but will be read only. We'd encourage you to get involved in the community via the following channels instead:

General Questions /

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Sean, Ed, biapar, Willr, Ingo, swaiba

Cookie permissions and UK regulations

Go to End

16 Posts   3921 Views


Community Member, 25 Posts

12 May 2011 at 12:23am

Hi All,

As you may be aware there is new legislation being introduced in the UK very soon about the use of cookies and the user having the choice to accpet the cookies or not when browsing a website.

I have a number of SS websites and wondered if anyone has any simple solution to this issue so that we are compliant with the regulations and the user experience is not hindered.

I thought maybe jquery pop up on the first page the user gets to to either accept cookies or to decline them and if declned the user is sent to a static page?

Any suggestions please?



Community Member, 20 Posts

1 October 2011 at 4:00am

Did you come up with a solution? As far as I can tell, session cookies are exempt as it can be argued they are integral to the site's operation. Therefore it is other types of cookies you need to worry about, e.g. analytics cookies and any other cookies your site may use.


Forum Moderator, 1899 Posts

3 October 2011 at 4:04am

Hi jpmcc,

Welcome to the forums!

that is my understanding - if the user requests something that requires some tracking then permission is implict - if you are tracking them without their knowledge for something they didn't obviously intend then you need to do some work.

This gives me another opportunity to post this video poking a little fun at the issue...


Community Member, 20 Posts

3 October 2011 at 8:22pm

Edited: 03/10/2011 8:26pm

There are some core behaviours to address also. If session cookies are OK, the users should still be able to register with a site and log in, however if they have rejected the use of other cookies, then the "remember me" functionality shouldn't be allowed, nor tracking the user as a past member.

The first issue can be overcome by subclassing the the MemberLoginForm, checking your current situation regarding cookie permissions and then removing the checkbox to "remember me" from the field list before the form is rendered. (edit: alternatively come up with your own login form)

For the past member cookie, however, that is set in the Controller init method. You need to call parent::init() in our own controller's init method otherwise Silverstripe issues an error, therefore so far the only way I can see to avoid that cookie is a little bit of direct editing of the Controller class. The code that would normally set the cookie is just wrapped in a cookie preference check, which I have set in a protected member of the child controller class, but also in a session variable so it can be accessed elsewhere.

Regarding requesting permission, I have created a form that will appear on any page, after about 1 second, if the user has not yet set a preference. The user can choose to dismiss the form (sliding to the top of the screen where it can be recalled), but it will keep appearing until a preference has been set. Once the preference has been set, that value is then, oddly, saved as a cookie. Saving the user's cookie preferences in a cookie is also apparently allowed, whether or not their preference is to allow or deny cookies.

Within my main page controller init, I check for the existence of the preference cookie, if I find it then it is used to set the session preference. If there is no preference, then the request form is added to the template. That check is carried out before calling the parent init method.


public function init(){
    * Any other init code here...

The cookie preference can then be checked in a template call to see whether analytics code should be added etc.

btw enjoyed the video. As the video points out, the request form will become annoying, but what can you do?



Forum Moderator, 1899 Posts

3 October 2011 at 9:40pm

then the "remember me" functionality shouldn't be allowed

I would say it is allowed - I've gone into more detail on this and if the users asks for something that can only be achieved by tracking then permission is implicit. the issue is when the user is tracked without any knowledge (therefore there can be no permission at all). Those are the cases that will be heard first.

Personally I am going to wait and see what the industry does as a whole may 2012


Community Member, 20 Posts

3 October 2011 at 9:51pm

Good point. See, it is all open to a bit of interpretation.

I think I'll stay with the remember me being disabled for the time being as it is all working. :-)


Forum Moderator, 1899 Posts

3 October 2011 at 9:54pm

Try watching these videos - the ico guy (who I cannot stop thinking made that horrible banner) gives a talk on the "spirit" of the law...


Community Member, 20 Posts

3 October 2011 at 10:21pm

That is jolly helpful! Cheers.

Go to Top