So I wonder what the cookies are used for in Moodle. Noticed you can't log in if you disable cookies.
And I assume it's used for latest news.
Moodle uses two cookies IIRC.
- A session cookie, that is set when the user reaches the site, and is expired when the user closes the browser. This is also invalidated when the user logs out.
- A login cookie, that remembers who you are the next time you visit this site.
The main thing is that the cookies are not invasive, and aren't shared with other sites (which is what most people don't like about advt cookies).
In any case, Martin can probably give you more correct information.
I know it's the advt cookies that people don't like and the cookies in Moodle aren't a problem really.
Just the new law forces us to tell people about any cookies, and as you mentioned, Moodle cookies aren't "a bad cookie" and get erased on logout. But the new law is confusing.
Basically I think the law was to prevent the advt cookies that follow you and can be used to see your site surfing, so you get a chance to deny those cookies, but in the process it applies to cookies used for tech purposes too. It also said something about it only applying to cookies on sites with public information. Since Moodle is a login site I am not sure the law applies.
The essential one is the session cookie, usually called MoodleSession. You must allow this cookie into your browser to provide continuity and maintain your login from page to page. When you log out or close the browser this cookie is destroyed (in your browser and on the server).
The other cookie is purely for convenience, usually called something like MOODLEID. It just remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you. It is safe to refuse this cookie - you will just have to retype your username every time you log in.
(Edit 1: I just noticed Philips explanation which is exactly correct. I wrote mine out because I was thinking of making it a help button on the login page)
(Edit 2: The session cookie is actually now called MoodleSession - changed from PHPSESSID ages ago)
Can you provide the steps necessary to disable or refuse the MoodleID cookie?
In the case of Mozilla/Firefox, you can configure the browser to ask you every time you get a cookie and see all the cookie details, and accept or refuse the cookie. You can even tell the browser to remember your choice for that particular site.
I seem to remember (it's been ages since I used Explorer) that you can do more or less the same in IE.
Thank you Iñaki. This is most helpful and timely as we are configuring the settings next week.
But is there a way to disable the MOODLEID cookie altogether?
I have attached a diff file which can be used to modify moodle so that adding the line
$CFG->disable_id_cookie = true;
to your config.php will remove the use of the MoodleID cookie (the session cookie will remain - as others have said, it's essential to operation, and doesn't last beyond the session).
Martin - are you happy for me to commit this to head? Look in the diff and you'll see it's simple.
It might be possible to rewrite the cookie test to use the test cookie instead of the persistent MoodleID and add a "Remember me" check box to the login page. Maybe after the 1.8 release; if you wish, create a feature request and assign it to me.
The only way to allow Moodle operation without any cookies now is $CFG->usesid=1; in config.php - but it is not fully functioning yet.
I agree that this should be done soon (after the 1.7 release), I am living in EU too..
This help button is there on the login page, in all languages:
How about changing the MOODLEID_ time limit to expire after 1 minute or so? I am able to do it but I am not sure whether it will mess anything else up. Can you please advise if possible? Thanks in advance.
$cookiename = 'MOODLEID_'.$CFG->sessioncookie;
$days = 60;
$seconds = DAYSSECS*$days;
$cookiename = 'MOODLEID_'.$CFG->sessioncookie;
$days = 1;
$seconds = HOURSECS*$days;
The reason we want to have this expire sooner is because of a security issue with the browser retaining the username. Just wanted to get everybody's feedback on this.
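An added example, not part of any post in this thread and not Moodle code: a small Python check that reads Set-Cookie headers and reports which cookies outlive the browser session, the property that separates the session cookie from the MOODLEID_ cookie discussed above. The header values, the sample date and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers shaped like the two cookies described
# in the thread. Names, values and attributes are illustrative, not captured.
SAMPLE_HEADERS = [
    "MoodleSession=3f9c1a7e5b2d; path=/",
    "MOODLEID_=example-username; expires=Sat, 01 Mar 2008 12:00:00 GMT; path=/",
]
# Constructed "current time", 60 days before the expiry above.
SAMPLE_NOW = datetime(2008, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def lifetime_seconds(attrs, now):
    """Return None for a session cookie, else seconds until the cookie expires."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return int((expires - now).total_seconds())
    return None  # no expiry attribute: dropped when the browser closes


def audit(headers, now, max_persist=0):
    """Return (name, seconds) for cookies kept longer than max_persist seconds."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        life = lifetime_seconds(attrs, now)
        if life is not None and life > max_persist:
            findings.append((name, life))
    return findings


if __name__ == "__main__":
    for name, seconds in audit(SAMPLE_HEADERS, SAMPLE_NOW):
        print(f"{name}: stays on disk for about {seconds // 86400} days")
```

On a shared workstation, any cookie this reports remains in the browser profile for the next person who sits down, so `max_persist` is the longest retention the site is willing to accept.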
Did you ever get a clear answer to this question? I am trying out if MoodleID can be disabled too because we use it throughout our hospital where multiple users log on and use our computers. The id that we use is also their employee ID numbers, and people don't like the idea of that being left for others to see.
Is there a way to maintain the cookie from the CAS rather than deleting it when you close all the browser instances?
Thanks & Regards... Jerald
You might want to start a new topic for help with this, rather than replying to one that:
- is about a different issue, and
- is over 8 years old.