ExpressionEngine cookies

ee1x_cookies.md

ExpressionEngine 1.x cookies

This document outlines all of the cookies use by ExpressionEngine 1.x. With the EU cookie law coming into force on May 26th, it's important to know what cookies are set, which are 'essential' and why they are there. Hopefully this will help advise your decision process when altering your site to adhere.

I haven't yet gotten to any special addons etc. or even forums or comments. Please do fork and and send pull requests if you'd care to add anything.

Non essential

exp_last_visit

Sets the datetime that the user last visited the site, and is set for both guests and logged in users. If not set, is automatically set to 10 years ago. Affects guests and logged in users.

exp_tracker

Tracks the last 5 pages viewed by the user, and is used primarily for redirection after logging in etc. Affects guests and logged in users.

Essential

exp_last_activity

Every time the state is updated (the page reloaded) the last activity is set to the current datetime. Used to determine expiry. This is essential for logged in users, but not for guests - it is set for both.

exp_sessionid

A uniquely generated ID that corresponds to the session_id column in the exp_session table. Used when cookie and session are set as the session type. Used only for logged in members.

exp_uniqueid

Matches the unique_id field in the exp_members table. Randomly generated by the FNS class at registration. Used only for logged in members.

exp_userhash

The encrypted password of the currently logged in user. Set if you choose the cookies and session ID method for sessions (cs in your config.) Used only for logged in members.

exp_anon

A flag set by the user to determine if they are listed in the online users.

exp_expiration

Determines the length of the session for a logged in user. There are two options for this cookie: if the user has selected remember me then it is set to 1 year, and if not then it's set to the datetime that the user logged in. Used only for logged in members.

ee2x_cookies.md

ExpressionEngine 2.x cookies

With the recent 2.5 update, EllisLab have addressed this issue head on. They've added a new set_cookie_end hooks to hijack cookie setting and given us a new Cookie Consent module. You can read more about it in their two blog posts The Cookie Consent Module & EU Cookie Legislation and ExpressionEngine 2.5.0 Released.

The cookies in 2.x are in fact largely the same as 1.x: it's their implementation in the core that is different.

Non essential

exp_last_visit

Sets the datetime that the user last visited the site, and is set for both guests and logged in users. If not set, is automatically set to 10 years ago. Affects guests and logged in users.

exp_tracker

Tracks the last 5 pages viewed by the user, and is used primarily for redirection after logging in etc. Affects guests and logged in users.

Essential

exp_last_activity

Every time the state is updated (the page reloaded) the last activity is set to the current datetime. Used to determine expiry. This is essential for logged in users, but not for guests - it is set for both.

exp_sessionid

A uniquely generated ID that corresponds to the session_id column in the exp_session table. Used when cookie and session are set as the session type. Used only for logged in members.

exp_uniqueid

Matches the unique_id field in the exp_members table. Randomly generated by the functions class at registration. Used only for logged in members.

exp_userhash

The encrypted password of the currently logged in user. Set if you choose the cookies and session ID method for sessions (cs in your config.) Used only for logged in members.

exp_anon

A flag set by the user to determine if they are listed in the online users.

exp_expiration

Determines the length of the session for a logged in user. There are two options for this cookie: if the user has selected remember me then it is set to 1 year, and if not then it's set to the datetime that the user logged in. Used only for logged in members.