General developer forum

 
 
Picture of Patrik Nilsson
Cookies
 

We just got a new law here in sweden that we must inform the visitor of a site if they use cookies and what they are used for and give them a chance to deny that. This law is to be in all of Europe later if I understood correctly.
So I woder what the cookies are used for in Moodle. Noticed you can't log in if you disable cookies.
And I assume its used for latest news.

 
Average of ratings: -
Picture of Philip Tellis
Re: Cookies
 
Cookies are used primarily to maintain the login session.

Moodle uses two cookies IIRC.

- A session cookie, that is set when the user reaches the site, and is expired when the user closes the browser. This is also invalidated when the user logs out.

- A login cookie, that remembers who you are the next time you visit this site.

The main thing is that the cookies are not invasive, and aren't shared with other sites (which is what most people don't like about advt cookies).

In any case, Martin can probably give you more correct information.

Philip
 
Average of ratings: -
Picture of Patrik Nilsson
Re: Cookies
 

Thanks Philip

I know its the advt cookies that people don't like and the cookies in Moodle isn't a problem really.
Just the new law force us to tell people about any cookies and as you metioned that moodle cookies isn't "a bad cookie" and gets erased when logout. But the new law is confusing.
Basically I think the law was to prevent the advt cookies that follows you and can be used to see your site surfing, so you get a chance to deny thoose cookies, but in the process it applies to cookies used in tech purpose too. It also said something about that it only apply to cookies on sites with public information. Since Moodle is a login site I am not sure the law apply.

 
Average of ratings: -
Martin in black and white
Re: Cookies
Group DevelopersGroup Documentation writersGroup Moodle HQGroup Particularly helpful MoodlersGroup Testers
Two cookies are used by this site.

The essential one is the session cookie, usually called MoodleSession. You must allow this cookie into your browser to provide continuity and maintain your login from page to page. When you log out or close the browser this cookie is destroyed (in your browser and on the server).

The other cookie is purely for convenience, usually called something like MOODLEID. It just remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you. It is safe to refuse this cookie - you will just have to retype your username every time you log in.

(Edit 1: I just noticed Philips explanation which is exactly correct. I wrote mine out because I was thinking of making it a help button on the login page)

(Edit 2: The session cookie is actually now called MoodleSession - changed from PHPSESSID ages ago)
 
Average of ratings: -
Picture of Eli Barton
Re: Cookies (Disable MoodleID Cookie)
 

Hello,

Can you provide the steps necessary to disable or refuse the MoodleID cookie?

Thank you,

Elizabeth

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Cookies (Disable MoodleID Cookie)
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
This is done in the browser, and is broser dependent. You usually configure this in the privacy settins.

In the case of Mozilla/Firefox, you can configure the broser to ask you everytime you get a cookie and see all the cookie details, and accept or refuse the cookie. You can even tell the browser to remember your choice for that particular site.

I seem to remember (it's been ages since I used Explorer) that you can do more or less the same in IE.

Saludos. Iñaki.
 
Average of ratings: -
Picture of Eli Barton
Re: Cookies (Disable MoodleID Cookie)
 

Thank you Iñaki. This is most helpful and timely as we are configuring the settings next week.

Sincerely,

Elizabeth

 
Average of ratings: -
Picture of Makalo Motsamai
Re: Cookies (Disable MoodleID Cookie)
 

But is there a way to disable the MOODLEID cookie all together?

Best regards,

Makalo

 
Average of ratings: -
Picture of Iñaki Arenaza
Re: Cookies (Disable MoodleID Cookie)
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers
As far as I know, no. Unless you only use 'guest' access all over Moodle, i.e., all of your content is public.

Saludos. Iñaki.
 
Average of ratings: -
Picture of Dan Stowell
Re: Cookies (Disable MoodleID Cookie)
 
It's not currently an option. However, it is trivial for a developer to deactivate the cookie by modifying the code in lib/moodlelib.php.

I have attached a diff file which can be used to modify moodle so that adding the line

$CFG->disable_id_cookie = true;

to your config.php will remove the use of the MoodleID cookie (the session cookie will remain - as others have said, it's essential to operation, and doesn't last beyond the session).

Martin - are you happy for me to commit this to head? Look in the diff and you'll see it's simple.
 
Average of ratings: -
Picture of Petr Škoda
Re: Cookies (Disable MoodleID Cookie)
Group DevelopersGroup Documentation writersGroup Moodle HQGroup Particularly helpful Moodlers
Do not commit it into HEAD, I think it would break the cookie test if enabled and you would not be able to login at all! You would have to disable the cookies test in the login page too.

It might be possible to rewrite the cookie test to use the test cookie instead of the persistent MoodleID and add "Remember me check box" to login page. Maybe after 1.8 release, if you wish create a feature request and assign it to me wink

I would recommend using alternative login page for now that would be explaining the use of cookies on the site. It is usually not a problem if cookies are stored on private computers and if you use public one, all cookies should be deleted automatically anyway after closing the browser.


The only way to allow Moodle operation without any cookies now is $CFG->usesid=1; in config PHP - but it is not fully functioning yet sad
 
Average of ratings: -
Picture of Dan Stowell
Re: Cookies (Disable MoodleID Cookie)
 
OK! That'll teach me to go meddling in functions where I oughtn't to go.

Martin mentioned a help button describing the use of cookies, which would be a good way to go, especially given the apparent implications of the EU directive.
 
Average of ratings: -
Picture of Petr Škoda
Re: Cookies (Disable MoodleID Cookie)
Group DevelopersGroup Documentation writersGroup Moodle HQGroup Particularly helpful Moodlers
I am afraid to touch that code myself even when I did most of it wink

I agree that this should be done soon (after the 1.7 release), I am living in EU too..
 
Average of ratings: -
Martin in black and white
Re: Cookies (Disable MoodleID Cookie)
Group DevelopersGroup Documentation writersGroup Moodle HQGroup Particularly helpful MoodlersGroup Testers
Note this thread is three years old.  smile

This help button is there on the login page, in all languages:

   http://moodle.org/help.php?module=moodle&file=cookies.html
 
Average of ratings: -
Picture of Luciano Rodriguez
Re: Cookies (Disable MoodleID Cookie)
 
Petr,
How about changing the MOODLEID_ time limit to expire after 1 minute or so. I am able to do it but I am not sure that it will mess anything else up? Can you please advise if possible? Thanks in advance.

from this:

$cookiename = 'MOODLEID_'.$CFG->sessioncookie;

$days = 60;
$seconds = DAYSSECS*$days;

to this:

$cookiename = 'MOODLEID_'.$CFG->sessioncookie;

$days = 1;
$seconds = HOURSECS*$days;


The reason we want to have this expire sooner is because of security issue with the browser retaining username. Just wanted to get everybody's feedback on this. smile
 
Average of ratings: -
Picture of Gerald Thomas
Re: Cookies (Disable MoodleID Cookie)
 
Hi, did this on my production site with no problems, I set it to 0.001 days smile
 
Average of ratings: -
Picture of Jordan Zebor
Re: Cookies (Disable MoodleID Cookie)
 
The one problem we saw with doing this is that if you set it for too short of a time ( say 30 seconds ) the cookie might expire if the user sits on the login page for too long. When they enter their credentials an error about cookies being enabled displays and they must enter their info again to login. We set it to expire after 20 minutes to fix this issue.
 
Average of ratings: -
Picture of Rachelle Hunt
Re: Cookies (Disable MoodleID Cookie)
 

Eli,

Did you ever get a clear answer to this question. I am trying out if MoodleID can be disabled too because we use it throughout our hospital where multiple users log on and use our computers.  The id that we use is also their employeeid numbers which people don't like the idea of that being left for others to see. 

 
Average of ratings: -
Picture of Rik Plattel
Re: Cookies
 
I have moodle running on a mac mini and it was directly connected to the internet through a privat internet line. custumers were using it without any problem.
now I took it to our office and suddenly our customer are not able to login anymore with internet explorer.
the browser of the customer has to accept cookies
with firefox we don not have a problem
what should I do? Please help.
Rik
 
Average of ratings: -
Picture of Jerald Fernando
Re: Cookies
 

Martin,

Is there a way to maintain the cookie from the CAS rather than deleting it when you close all the browser instances.

Thanks & Regards... Jerald

 
Average of ratings: -
Picture of Alex Walker
Re: Cookies
Group Particularly helpful Moodlers

You might want to start a new topic for help with this, rather than replying to one that:

  • is about a different issue, and
  • is over 8 years old.
 
Average of ratings: -