PHP - Sessions - Cookies - NEW EU LAW


I found out today that new EU Laws give webmasters 1 year to comply with new regulations whereby Web Sites must ask users if they are willing/consent to use the web site which has cookies storing information about them.

BBC News - Websites told to ensure cookies comply with UK law

Websites get a year to comply with new EU cookie laws | Media news |

Quote: “Under the amendment websites in the UK need to obtain consent from visitors in order to store on and retrieve usage information from their computers such as cookies, which enable sites to remember users’ preferences.”

I have heard about ‘Sessions’ in PHP. I am hoping to use Sessions for the shopping basket system, which I believe stores what a user has chosen to add to their basket. So, this would mean I would not be using cookies.

Can someone confirm that it is possible to design a shopping web site with a basket system, using Sessions and without using any Cookies at all. The web site is under construction, so I may as well comply early, if I can, by not using Cookies.


As someone working for a company in legal services I can safely say that this new law is a complete farce. It was made by bureaucrats with no idea how the Internet works and I’d be shocked if even 10% of businesses operating within Europe or the UK adopted this within a year. I’d be even more shocked if they were able to effectively police it.

To be honest, even with our industry, I doubt we’re going to bother until the IOC say that we have to.

Over the past week or two they’ve clarified their stance, stating that they only want it to affect websites that deploy tracking pixels, so functionality that relies on cookies like shopping baskets will be absolutely fine.

For a (terrible) example of how to implement this, check the IOC website.

I heard on the news, in passing, that this was deferred for a year?

Here’s a great post by a local (to me ) developer.

Cookies Law: Ah the Irony!

That site won’t load for me at all - maybe because I don’t have their cookie or summots? :smiley:

So… how does the site recognize if someone has said ‘no’ to cookies? Wouldn’t they need… to store… waaaait…

EDIT: Read the blog in question. <.< >.> GMTA?

Politics is the antithesis of programming. It is ruled by emotion, not reason. Its practitioners master obfuscation, not clarity. It eschews logic at every opportunity to appeal to the ignorance of the masses, where programming requires the utmost precise logic possible to appeal to the ignorance of the machine.

You in short cannot ask for two more diametrically opposed career types. This should make it clear why laws regarding programming have so far been so comically bad or downright disastrous. This particular law is comically bad. Software patents however…

Very poetic!
Unfortunately, also very true.

I’ll be sure to quote that somewhere, pity it doesn’t fit into 140 characters! :slight_smile:

Agree 100%. And for some reason I hear Leonard Nimoy’s voice stating the top paragraph as a quote. Played Civ 4 too long, perhaps.

Heh. Maybe my aphorism writing practice has been paying off. One of my side projects is to make a new edition of Ambrose Bierce’s “The Devil’s Dictionary” for our generation. New entries for things which came into being since he wrote the original book - like this gem.

Computer n. A machine which flawlessly performs the instructions it is given, no matter how flawed those instructions may be.

I like that… a lot :slight_smile:

Going back to what I asked… I am looking into designing a basket system using PHP Sessions instead of Cookies.

So far, I have read that a Session is created when the user navigates the web site. Items that are added to the basket are remembered. The user can go back and forth between product pages and the basket page without losing items from the basket.

If the user navigates away from the web site (visits a competitor) and then comes back to my site, their basket will be empty. Likewise if they turn off their computer and go back to the web site to buy stuff they added to the basket it will be empty.

Am I correct? If I just use Sessions then I will just be catering for customers who look and purchase in one visit to the web site?! Or is it more or less complicated than this? Have I overlooked anything? Do you avoid using cookies?! Do you avoid Sessions!!?

All comments welcome,


The trick is that most PHP servers are set by default to use Cookies to transmit their session identifier information - when a session is created, the site spawns a cookie on the person’s browser to identify the session.

The alternative, which is generally used only when a browser is refusing cookies, is for PHP to append the SID to every link created. While it works, this leads to ugly looking URLs that potentially cause issues with copy/pasting.

It’s worth mentioning that the EU law pertains to cookies that gather information about the user - a session ID would not fall under that category.
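As an added illustration of the default described above (not code from anyone in this thread): a session-backed basket where PHP transports the session ID only in a cookie and never appends it to links. The function names, the SKU and the cookie settings are my own choices.

```php
<?php
// Added example: cookie-only session transport for a shopping basket.
// The session data lives on the server; the browser only holds the ID.

// Never fall back to ?PHPSESSID=... in URLs (the "ugly URL" mode).
// To support browsers that refuse cookies you would set these the other
// way round (use_only_cookies=0, use_trans_sid=1) and accept that cost.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs the server never issued.
ini_set('session.use_strict_mode', '1');

// lifetime 0 = a session cookie that dies when the browser closes,
// which is the distinction from persistent cookies discussed later.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Add a quantity of a product (hypothetical SKU string) to the basket.
function addToBasket(string $sku, int $qty): void
{
    if ($qty <= 0) {
        throw new InvalidArgumentException('quantity must be positive');
    }
    $_SESSION['basket'][$sku] = ($_SESSION['basket'][$sku] ?? 0) + $qty;
}

// Return the basket as [sku => quantity]; empty array on a fresh session.
function basketContents(): array
{
    return $_SESSION['basket'] ?? [];
}

// Constructed usage: the visitor adds the same item twice.
addToBasket('SKU-EXAMPLE', 1);
addToBasket('SKU-EXAMPLE', 2);
print_r(basketContents()); // Array ( [SKU-EXAMPLE] => 3 )
```

Because the ID is the only thing stored client-side, the basket survives page-to-page navigation but not a browser restart, which matches the behaviour the question describes.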

When you refer to “ugly looking URLs” do you mean like amazon:

Snooper Shotsaver S280UK Golf GPS: Sports & Leisure

I want to avoid ugly URLs. In fact, I am using a mod-rewrite to improve the friendliness of a PHP site’s URLs. You seem to suggest I should use Sessions with Cookies. Is this your recommendation?


Try it yourself.

echo "<a href='index.php?".SID."'>A link</a>";

Note that if you’ve got cookies enabled, you will only see the SID the first time you load the page, when you hover over the link (because after that it gets handled by the cookie).

Sessions are a form of cookie. When working with this keep the following in mind - the whole cookie / session mechanism was grafted into the http protocol without being completely thought out. Of the sections of the standard it is the most troublesome.

Sessions must create a cookie that persists for as long as the browser is loaded in memory. That cookie holds the 32 character session hash that corresponds to the server side session file that actually holds the session data. That is, what you store in $_SESSION is never stored on the client, BUT the client does provide a session key to get to the information. This key can be spoofed during an attack allowing an attacker to arbitrarily access any session the server is currently working on. This is why sessions often track IP information and other client information for further validation - though even this can be defeated if the hacker knows what to do.

Cookies, as most understand them, are stored in a cookie file that persists between browser sessions. That is, they’ll still be around if the browser is turned off and then on. Persistent logins are done with these, as are marketing and tracking cookies.

The EU law wants to restrict tracking cookies, an admirable goal, but the politicians behind it painted with a wide brush as they are so used to doing. That’s the reason for my quote above which leads to conflicts between the two industries that are tied to their essential characters. Most politicians are lawyers, and lawyers obfuscate things out of habit - lawyer speak as it were - to try to get maximum benefit. Laws get written that have quite a degree of interpretation.

The problem should now be apparent. As programmers we cannot leave things in an ambiguous state because we have to get an unintelligent machine to understand our statements. Even the most ambiguous code is nowhere near as bad as laws are because machines cannot interpret intent or spirit. They truly are limited to the letter, and to a degree most lawyers find humbling and frustrating.

I work in a software firm run by a politician and lawyer. My theater and artistic communication helps me work around these problems on a personal basis, but it’s still an obstacle I have to manage daily. It is what it is.

My condolences.

At least I’m employed without having to worry.

I would highly recommend using sessions with cookies, not only because of URL friendliness, but because it lessens the chances of session hijacking.
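The earlier post mentions that a stolen session key lets someone else reach a session and that servers often check client details to reduce that risk; as an added example (my own code, not from this thread), here is the server-side validation a cookie-backed session can perform. The function names, the 30-minute idle limit and the fingerprint choice are assumptions.

```php
<?php
// Added example: per-request session validation to limit the damage of a
// leaked session ID. Pair with the cookie-only settings shown earlier.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_start();

const IDLE_LIMIT = 1800; // seconds of inactivity before the session is dropped

// Coarse client fingerprint. The User-Agent is stable for one browser;
// adding REMOTE_ADDR is the "IP tracking" the post mentions, but it
// breaks users behind rotating proxies or mobile carriers, so it is
// left out here and noted as a trade-off rather than a guarantee.
function sessionFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Returns true if the session may continue, false if it was discarded.
function validateSession(): bool
{
    $now = time();
    if (!isset($_SESSION['fp'])) {
        // First request for this session: bind it and issue a fresh ID so
        // an ID handed to the client before this point cannot be reused.
        $_SESSION['fp']   = sessionFingerprint();
        $_SESSION['seen'] = $now;
        session_regenerate_id(true);
        return true;
    }
    $stale   = ($now - $_SESSION['seen']) > IDLE_LIMIT;
    $changed = !hash_equals($_SESSION['fp'], sessionFingerprint());
    if ($stale || $changed) {
        // Wipe the server-side data so the old ID is worthless.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['seen'] = $now;
    return true;
}

if (!validateSession()) {
    http_response_code(403);
    exit('Session invalid, please start again.');
}
// Also call session_regenerate_id(true) right after a successful login,
// so the pre-login ID never becomes an authenticated one.
```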


I have looked elsewhere about initiating cookies on people’s computers and it is slightly different to the Session code you suggested to add a cookie. You wrote “gets handled by the cookie” which I think means your code would cater for people with and without cookies. Whereas the code I have found only caters for people who have cookies enabled. I want people with AND without cookies to be able to purchase online. How could I edit the code I have found, to use your code instead, which makes it possible for users with and without cookies to purchase? (if I understand correctly)

This is the code you suggested:

echo "<a href='index.php?".SID."'>A link</a>";

How is this code similar or different to:

setcookie("cartId", session_id(), time() + ((3600 * 24) * 30));
return session_id();

The coding I have found elsewhere is:

function GetCartId()
{
    // This function returns the visitor's cart identifier and
    // sets it as a cookie using setcookie(). The same value is
    // used as the cookieId field in the cart table.
    if (isset($_COOKIE["cartId"])) {
        return $_COOKIE["cartId"];
    }

    // There is no cookie set. We will set the cookie (30 days)
    // and return the value of the user's session ID.
    setcookie("cartId", session_id(), time() + ((3600 * 24) * 30));
    return session_id();
}

As I understand it, if I use your coding suggestion and the user has cookies enabled, cookies handle the process… and if cookies are disabled then the Session kicks in instead. This sounds like a good approach to the basket - can you help with adjusting the code I have found to do this, please?

Look forward to your reply,


(Foreword: It has been a long, long time since I’ve done anything like this; cookies are a generally accepted standard part of the internet now.)

Essentially; if the cookie cannot be set (they’ve blocked cookies from your site, or entirely), you’ll need to tell PHP to use the trans_sid on links (an ini setting). This is a… sub-optimal practice, however.