Does Multisite privacy have to use persistent cookies?

Hi, by default we have multi-site privacy network activated, however I recently discovered it uses persistent (albeit half an hour) cookies.

With the EU cookie law, generally we try and avoid cookies on sites that don't need it (then there is no compliance issue).

Obviously we can not network activate MSP and just activate it as required.

But is there any way that this can be coded to be cookieless?

I looked at the code and it baffled me, so I can't make any suggestions.

  • Patrick
    • Support Monkey

    Hey there @llocally

    I hope you're having a great day!

    That's a very good point. However, rewriting the plugin to use an alternative to cookies would require, well, rewriting the plugin. :slight_smile:

    That's not something easily resolved in the forums.

    I would think that a possible alternative could be some htaccess/permalink redirect trickery, but again, that would involve rewriting stuff.

    I will however notify the plugin developer of this, so he can investigate possible alternatives given the new laws in the EU.

    This may be something that should be considered for other products too. Hmm...

  • Fullworks
    • The Bug Hunter

    It's very hot here.

    Maybe not to drop the cookie unless at least one of the settings is set :slight_smile: , that might not require rewriting, because it drops a cookie regardless just by being enabled.

    Meanwhile I have network disabled and will enable as and when required.

  • S H Mohanjith
    • Developer

    IANAL, use of cookies in Multi Site Privacy falls under section (22) of directive 2002/58/EC which is exempt from obtaining consent.

    Cookies in Multi Site Privacy are set to check whether user has access to the content they are accessing. If the content doesn't have any privacy restrictions they have access hence the cookie is set, if they don't have access they are redirected to a page to provide authentication information and if they are correct cookie is set.

    See page 13 for which uses are exempt.


  • Fullworks
    • The Bug Hunter

    @S H Mohanjith IANAL but good point.

    However, the cookie is only necessary IF one of the multi-site privacy settings is set, however the plugin drops a cookie solely if the plugin is network activated, therefore sites that do not have any MSP options set still get a cookie. In these circumstances the cookie is not necessary to ensure security => not required => not compliant.

    Your analysis does change my original request from making it cookie free, to only using cookies if a setting is set not simply that the plugin is network activated but not used in a particular site.

  • S H Mohanjith
    • Developer

    When the privacy plugin is activated all content becomes private. The cookie determines whether the user has access or not.

    The cookie can be used to restrict access to static content at web server level instead of php level.

    I believe you are referring to spo_{blog_id}_fa cookie. Maybe a network option can make this cookie optional as not everybody might be restricting static content.

  • Fullworks
    • The Bug Hunter

    I'm not sure I follow you in terms of 'when the plugin is activated all content becomes private'.

    From a user perspective, I see three additional options in the blog settings>reading that are not activated unless ticked. So if none of these are ticked, from a user perspective, the plugin is not doing anything, thus from a user perspective if the plugin is doing nothing for the blog then what is the cookie for?

    Yes I was referring to spo_{blog_id}_fa which appears on sites that have no multi-site privacy options set.

    As mentioned, I thought the work around would be to not network activate, but activate on individual blogs, but that is my lack of understanding that this plugin only works when network activated.

  • S H Mohanjith
    • Developer

    spo_{blog_id}_fa is intended to be used by the web server or wp-includes/ms-files.php (after modification) to determine whether the user has access to static content.

    It's used irrespective of whether privacy options are selected or not. If the cookie is missing content is not displayed.

    I will add an option to disable this behavior as not everyone blocks static content.

