
Is a PHP Session acceptable with the new UK cookie

Published 2020-08-09 10:12

Question:

I am just looking for some advice on the new UK Cookie Law and how it affects PHP sessions. I understand that you do not need the users to opt in when a cookie is "strictly necessary" and the example given is adding an item to a shopping cart.

I am using similar functionality that remembers what you have stored in a contact form, which I feel is strictly necessary use of a session and therefore no opt in is required.

However, the confusion for me arises because I have a session_start(); at the top of each page, which means the cookie is set straight away. Some users will not then go on to use the contact form, so for them the cookie is not strictly necessary.

I could remove session_start(); from the top of each page, but this functionality is used throughout a number of websites and it would be preferable if we could leave it in.

Could anyone shed any more light on this?

Answer 1:

The simple answer is that you're probably going to be okay; the extent to which this law will even be enforced is massively up for debate anyway.

We will enforce the law proportionately. We’ll look at the risks if and when customers complain to us. If a websites’ cookie and privacy is a risk to many people, we may then take action.

There is a balance to be struck though, as not all cookies are equal, and our enforcement approach will bear this in mind.

For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.

(Source: The ICO's Dave Evans on EU cookie law compliance)



Answer 2:

From what I have heard, the ICO is going to be fairly liberal in the interpretation of the law; the most important thing to do is show that you are making changes to comply with the spirit of the law.

I think that as the form is essential to the site, you don't need to prove that it is essential to 100% of users.

In an e-commerce site it is being taken as read that it's OK to have cookies that relate to the shopping bag without asking permission, as it is essential to the function of the site, even if a particular user doesn't actually add anything to their basket.



Answer 3:

No, I think PHP sessions do not fall under the Cookie Law. There are a lot of differences between a cookie and a session.

For example, read here: http://php.about.com/od/learnphp/qt/session_cookie.htm

Also, if you read the law: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf

It says,

"The provisions of the amended Article 5(3) refer to any attempt to store information, or gain access to stored information, in a user’s equipment" (pg 57)

So you see, it says "user's equipment", and sessions are not stored there; they are stored on the server: http://ejvyas.blogspot.com/2010/02/where-is-stored-is-it-in-browser-or-at.html



Answer 4:

If you're able to store a PHP session cookie on a user's computer to enable the 'essential' functionality of your website, what stops you then associating additional information with that visitor without their consent/knowledge? (Apart from it being illegal.)

After all, all the information you store - except the cookie ID which is client side - is kept on the server side and the user can't do anything to view/modify this?

So in short, if the user 'allows' you to store a PHP session cookie on their computer there's nothing to stop you storing lots of other data about their visit? - IP, Browser, OS etc...



Answer 5:

Having read GDPR and having knowledge of how sessions work in PHP, I have to tell you this:

1. session_start() in PHP is called before headers because you cannot send additional headers (as the PHP session does) after the page loads and headers have already finished.

2. Because this happens, sessions in PHP are an essential part of the language itself for the language to work properly, so it is something you need. Not want.

3. A PHP session stores a cookie on the user's machine with the session id to know the connection. Not the user. For example the server says "I have a request from someone. To not mix the requests from everyone, keep an id of everyone". The person, IP, geolocation or any other data is not known at the time. To be clear, session_start() storing no data other than the session id is how the server-side language PHP and the server itself work, and it is not possible to have consent before you initialize it.

4. But: before storing any other data you have to inform. I believe you have to inform when you start doing it, how you do it, how long you do it and what you are storing. So no more tracking on guests. Third parties like Google, Facebook and other implementations on your page are another story. You should pretty much remove them for guests if the third parties don't already do so.

Simple: starting a session before headers is mandatory for PHP. Storing data needs consent, so when the user logs in, registers or has any other interaction, inform the user and store a consent record in the database (for you) and in the cookie itself (for the user to know).
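One way to act on the question's concern (session_start() at the top of every page sets a cookie for visitors who never touch the contact form) together with Answer 5's advice on recording consent, as an added example that is not code from the question or from any answer: the session is started only when the browser already presents a session cookie or the page is one that genuinely needs it, so a plain page view sends no Set-Cookie header. The page paths and the consent cookie name are assumptions.

```php
<?php
// Added example, not code from the question or answers: replaces the
// unconditional session_start() at the top of every page with a lazy start,
// so no Set-Cookie header goes out unless the page really needs the session
// or the visitor already carries one. Needs PHP 7.3+ for the array options.
declare(strict_types=1);

// Assumed paths of the only pages that strictly need the session.
const SESSION_PAGES = ['/contact.php', '/contact-submit.php'];

function session_needed(string $path): bool
{
    // Resume a session the browser already presents, or start one on a
    // page where it is strictly necessary; otherwise set nothing.
    return isset($_COOKIE[session_name()]) || in_array($path, SESSION_PAGES, true);
}

function start_session_if_needed(string $path): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    if (!session_needed($path)) {
        return false;            // plain page view: no cookie is set
    }
    // Must run before any output: the session id travels in a header.
    session_set_cookie_params([
        'lifetime' => 0,         // expires when the browser closes
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return session_start();
}

// Answer 5's suggestion: record consent in the session (for the site) and in
// a cookie (visible to the user) before storing anything beyond the session
// id. The cookie name is an assumption.
function record_consent(): void
{
    $_SESSION['consent_given_at'] = time();
    setcookie('cookie_consent', '1', ['expires' => time() + 365 * 86400,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// At the top of each page, in place of the bare session_start():
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
start_session_if_needed($path);
```

Because the check keys on the session cookie the browser already sends, a visitor who has used the contact form keeps their session on later pages, while everyone else is never issued one.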