Allan Thraen
Apr 4, 2011
  10767
(3 votes)

Going Cookie less with EPiServer CMS

Over the weekend I found some time to look more into the much discussed cookie directive – and at the same time think some thoughts about how we can still leverage personalization to make a great user experience on a web site without bothering visitors with accepting a bunch of “Allow Cookie” popups.  As so often before, I ended up putting my thoughts into code which you can find on my other blog - http://allantech.blogspot.com/2011/04/cookieless-session-state-in-aspnet.html.

I will here share some of the essentials in case you are ever in need of a web site without cookies.

In essence I found it fairly easy to replace the Session State ID mechanism in ASP.NET with my own provider that doesn’t rely on cookies or messed-up URLs – but simply takes a fingerprint of your browser configuration and IP in order to determine your unique session. It seems to work fairly well, and now I even made a few zip-packages you can use with EPiServer CMS. Just put the assembly in the bin folder of your site and add the attribute sessionIDManagerType="EPiServer.Research.NoCookies.CookielessIDManager, CookielessSessionID" to the sessionState tag in your web.config.

Download the binaries here or the source here.

I have only tested this with CMS 6 R2 RTM – but I see no reason why it shouldn’t work all the way back to CMS 5.

This takes care of the ASP.NET Session cookie – while still allowing you to use session state. Session state is among other things heavily used in many of the new built-in criteria for personalization in EPiServer CMS 6 R2. It does not, however, remove any cookies that has already been sat, or replaces any custom cookies (or other EPiServer cookies) on your web site. These are some of the other cookies I often see at an EPiServer site:

  • EPi:NumberOfVisits – this is used if you are using the “Number of Visits” criterion. Remove it from all your visitor groups, and this cookie won’t be set.
  • If you have installed EPiTrace, Live Monitor or EPiServer CMO / LPO there’s also a number of cookies that will be set in order to track visitors.
  • Google Analytics – these cookies are almost everywhere
  • Cookies like ‘.EPiServerLogin’, ‘EPiDPCKEY’, ‘.ASPXRoles’ and probably a few more – these are cookies that are only used if you log in on a site. Not such a big problem as long as you clearly state on the login page that cookies will be used if you log in.

 

I hope you’ll find this information helpful.

Apr 04, 2011

Comments

Jonathan Sewell
Jonathan Sewell Apr 8, 2011 11:15 AM

I wonder if the directive will be more general and require that users give consent for any mechanism that is accessing their information, identifying them, or tracking them?

Another interesting way of storing session information....check out line 38 of this polyfill....https://gist.github.com/350433 (using window.name in IE)

Apr 12, 2011 07:16 PM

Nice idea and answer to the question about cookies for people who are concerned. :)

michael.marshall@justretirement.com
michael.marshall@justretirement.com Dec 20, 2011 05:53 PM

Jonathan is correct - the directive is aimed at tracking - not just at cookies.

From "Guidance on the rules on use of cookies and similar technologies" by the ICO.

The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).

Please login to comment.
Latest blogs
Multiple Anonymous Carts created from external Head front fetching custom Api

Scenario and Problem Working in a custom headless architecture where a NextJs application hosted in Vercel consumes a custom API built in a...

David Ortiz | Oct 11, 2024

Content Search with Optimizely Graph

Optimizely Graph lets you fetch content and sync data from other Optimizely products. For content search, this lets you create custom search tools...

Dileep D | Oct 9, 2024 | Syndicated blog

Omnichannel Analytics Simplified – Optimizely Acquires Netspring

Recently, the news broke that Optimizely acquired Netspring, a warehouse-native analytics platform. I’ll admit, I hadn’t heard of Netspring before,...

Alex Harris - Perficient | Oct 9, 2024 | Syndicated blog

Problem with language file localization after upgrading to Optimizely CMS 12

Avoid common problems with xml file localization when upgrading from Optimizely CMS 11 to CMS 12.

Tomas Hensrud Gulla | Oct 9, 2024 | Syndicated blog

Optimizely Autocomplete (Statistics)

A user starts typing in the search input, and it returns suggestions for phrases they might be searching for. How to achieve this?

Damian Smutek | Oct 9, 2024 | Syndicated blog

Optimizely Forms: You cannot submit this form because an administrator has turned off data storage.

Do not let this error message scare you, the solution is quite simple!

Tomas Hensrud Gulla | Oct 4, 2024 | Syndicated blog