Cookies

by Patrik Nilsson -
Number of replies: 20

We just got a new law here in Sweden that we must inform the visitor of a site if they use cookies and what they are used for and give them a chance to deny that. This law is to be in all of Europe later if I understood correctly.
So I wonder what the cookies are used for in Moodle. Noticed you can't log in if you disable cookies.
And I assume it's used for latest news.

In reply to Patrik Nilsson

Re: Cookies

by Philip Tellis -
Cookies are used primarily to maintain the login session.

Moodle uses two cookies IIRC.

- A session cookie, that is set when the user reaches the site, and is expired when the user closes the browser. This is also invalidated when the user logs out.

- A login cookie, that remembers who you are the next time you visit this site.

The main thing is that the cookies are not invasive, and aren't shared with other sites (which is what most people don't like about advt cookies).

In any case, Martin can probably give you more correct information.

Philip
In reply to Philip Tellis

Re: Cookies

by Patrik Nilsson -

Thanks Philip

I know it's the advt cookies that people don't like and the cookies in Moodle aren't a problem really.
Just the new law forces us to tell people about any cookies and as you mentioned that Moodle cookies aren't "a bad cookie" and get erased when logout. But the new law is confusing.
Basically I think the law was to prevent the advt cookies that follow you and can be used to see your site surfing, so you get a chance to deny those cookies, but in the process it applies to cookies used for tech purposes too. It also said something about that it only applies to cookies on sites with public information. Since Moodle is a login site I am not sure the law applies.

In reply to Patrik Nilsson

Re: Cookies

by Martin Dougiamas -
Two cookies are used by this site.

The essential one is the session cookie, usually called MoodleSession. You must allow this cookie into your browser to provide continuity and maintain your login from page to page. When you log out or close the browser this cookie is destroyed (in your browser and on the server).

The other cookie is purely for convenience, usually called something like MOODLEID. It just remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you. It is safe to refuse this cookie - you will just have to retype your username every time you log in.

(Edit 1: I just noticed Philip's explanation which is exactly correct. I wrote mine out because I was thinking of making it a help button on the login page)

(Edit 2: The session cookie is actually now called MoodleSession - changed from PHPSESSID ages ago)
In reply to Martin Dougiamas

Re: Cookies (Disable MoodleID Cookie)

by Eli Barton -

Hello,

Can you provide the steps necessary to disable or refuse the MoodleID cookie?

Thank you,

Elizabeth

In reply to Eli Barton

Re: Cookies (Disable MoodleID Cookie)

by Iñaki Arenaza -
This is done in the browser, and is browser dependent. You usually configure this in the privacy settings.

In the case of Mozilla/Firefox, you can configure the browser to ask you every time you get a cookie and see all the cookie details, and accept or refuse the cookie. You can even tell the browser to remember your choice for that particular site.

I seem to remember (it's been ages since I used Explorer) that you can do more or less the same in IE.

Saludos. Iñaki.
In reply to Iñaki Arenaza

Re: Cookies (Disable MoodleID Cookie)

by Eli Barton -

Thank you Iñaki. This is most helpful and timely as we are configuring the settings next week.

Sincerely,

Elizabeth

In reply to Eli Barton

Re: Cookies (Disable MoodleID Cookie)

by Makalo Motsamai -

But is there a way to disable the MOODLEID cookie altogether?

Best regards,

Makalo

In reply to Makalo Motsamai

Re: Cookies (Disable MoodleID Cookie)

by Iñaki Arenaza -
As far as I know, no. Unless you only use 'guest' access all over Moodle, i.e., all of your content is public.

Saludos. Iñaki.
In reply to Makalo Motsamai

Re: Cookies (Disable MoodleID Cookie)

by Dan Stowell -
It's not currently an option. However, it is trivial for a developer to deactivate the cookie by modifying the code in lib/moodlelib.php.

I have attached a diff file which can be used to modify moodle so that adding the line

$CFG->disable_id_cookie = true;

to your config.php will remove the use of the MoodleID cookie (the session cookie will remain - as others have said, it's essential to operation, and doesn't last beyond the session).

Martin - are you happy for me to commit this to head? Look in the diff and you'll see it's simple.
In reply to Dan Stowell

Re: Cookies (Disable MoodleID Cookie)

by Petr Skoda -
Do not commit it into HEAD, I think it would break the cookie test if enabled and you would not be able to login at all! You would have to disable the cookies test in the login page too.

It might be possible to rewrite the cookie test to use the test cookie instead of the persistent MoodleID and add "Remember me check box" to login page. Maybe after 1.8 release, if you wish create a feature request and assign it to me ;-)

I would recommend using alternative login page for now that would be explaining the use of cookies on the site. It is usually not a problem if cookies are stored on private computers and if you use public one, all cookies should be deleted automatically anyway after closing the browser.


The only way to allow Moodle operation without any cookies now is $CFG->usesid=1; in config PHP - but it is not fully functioning yet :-(
In reply to Petr Skoda

Re: Cookies (Disable MoodleID Cookie)

by Dan Stowell -
OK! That'll teach me to go meddling in functions where I oughtn't to go.

Martin mentioned a help button describing the use of cookies, which would be a good way to go, especially given the apparent implications of the EU directive.
In reply to Dan Stowell

Re: Cookies (Disable MoodleID Cookie)

by Petr Skoda -
I am afraid to touch that code myself even when I did most of it ;-)

I agree that this should be done soon (after the 1.7 release), I am living in EU too..
In reply to Petr Skoda

Re: Cookies (Disable MoodleID Cookie)

by Luciano Rodriguez -
Petr,
How about changing the MOODLEID_ time limit to expire after 1 minute or so. I am able to do it but I am not sure that it will mess anything else up? Can you please advise if possible? Thanks in advance.

from this:

$cookiename = 'MOODLEID_'.$CFG->sessioncookie;

$days = 60;
$seconds = DAYSECS*$days;

to this:

$cookiename = 'MOODLEID_'.$CFG->sessioncookie;

$days = 1;
$seconds = HOURSECS*$days;


The reason we want to have this expire sooner is because of security issue with the browser retaining username. Just wanted to get everybody's feedback on this. :-)
In reply to Luciano Rodriguez

Re: Cookies (Disable MoodleID Cookie)

by Deleted user -
Hi, did this on my production site with no problems, I set it to 0.001 days :-)
In reply to Deleted user

Re: Cookies (Disable MoodleID Cookie)

by Jordan Zebor -
The one problem we saw with doing this is that if you set it for too short of a time (say 30 seconds) the cookie might expire if the user sits on the login page for too long. When they enter their credentials an error about cookies being enabled displays and they must enter their info again to log in. We set it to expire after 20 minutes to fix this issue.
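Added example, not part of the thread and not Moodle code: a small audit of `Set-Cookie` header values that separates the session cookie from the persistent MOODLEID cookie and flags a lifetime that is short enough to break the login-page cookie test or long enough to leave a username on a shared machine. The header strings are constructed samples, and both thresholds are assumptions (the 20-minute floor is the value reported in the post above; the 24-hour ceiling is arbitrary).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

MIN_SECONDS = 20 * 60        # assumption: floor taken from the post above
MAX_SECONDS = 24 * 60 * 60   # assumption: arbitrary ceiling for shared PCs

def lifetime_seconds(set_cookie, now):
    """Return (name, lifetime); lifetime is None for a session cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"]:                    # Max-Age takes precedence
        return name, int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return name, int((expires - now).total_seconds())
    return name, None                        # neither attribute: session

def audit(set_cookie, now):
    """Classify one Set-Cookie header value from a Moodle response."""
    name, life = lifetime_seconds(set_cookie, now)
    if life is None:
        return name, "session"
    if name.startswith("MoodleSession"):
        return name, "unexpected-persistent"  # should die with the browser
    if name.startswith("MOODLEID") and life < MIN_SECONDS:
        return name, "too-short"   # may expire while the login form is open
    if name.startswith("MOODLEID") and life > MAX_SECONDS:
        return name, "too-long"    # username lingers in the browser
    return name, "ok"

# Fixed clock so the Expires sample always evaluates to the same lifetime.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed samples, not captured from a real site.
SAMPLES = [
    "MoodleSession=constructed; path=/",
    "MOODLEID_=constructed; expires=Fri, 01 Mar 2024 12:00:00 GMT; path=/",
    "MOODLEID_=constructed; Max-Age=30; path=/",
    "MOODLEID_=constructed; Max-Age=1200; path=/",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(audit(header, NOW))
```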
In reply to Eli Barton

Re: Cookies (Disable MoodleID Cookie)

by Rachelle Hunt -

Eli,

Did you ever get a clear answer to this question? I am trying out if MoodleID can be disabled too because we use it throughout our hospital where multiple users log on and use our computers. The id that we use is also their employeeid numbers which people don't like the idea of that being left for others to see.

In reply to Martin Dougiamas

This forum post has been removed

The content of this forum post has been removed and can no longer be accessed.
In reply to Martin Dougiamas

Re: Cookies

by Jerald Fernando -

Martin,

Is there a way to maintain the cookie from the CAS rather than deleting it when you close all the browser instances?

Thanks & Regards... Jerald

In reply to Jerald Fernando

Re: Cookies

by Alex Walker -

You might want to start a new topic for help with this, rather than replying to one that:

  • is about a different issue, and
  • is over 8 years old.