List of cookies used by Discourse

faq-material
privacy

(Karl Romanowski) #1

I couldn’t find a list of cookies used by Discourse so after a quick search in GitHub I’ve come up with:

| Name | Essential | Expires | Description |
|---|---|---|---|
| email | Y | Session | Used during account creation |
| destination_url | Y | Session | Used during login to redirect to the requested page |
| sso_destination_url | Y | Session | Used during SSO login to redirect to the requested page |
| fsl | Y | Session | Full screen login client setting |
| theme_key | Y | Forever | Client theme personalization. Only used when “Make this my default theme on all my devices” unselected. |
| cn | Y | Forever | Client clear notifications. I’m counting this as user input instead of personalization because it doesn’t make sense to ‘undo’ or change cleared notifications. |
| _bypass_cache | Y | Session | Used with ‘fsl’ for full screen login |
| _t | Y | 24 hours | User authentication token cookie. SiteSetting.maximum_session_age.hours.from_now |
| _forum_session | Y | Session | Session cookie |
| dosp | Y | next page view | Temporary cookie that informs client denial of service protection is in place. |
| _ga | N | 2 years | Google Analytics cookie. ONLY set if configured to use GA |
| _gid | N | 24 hours | Google Analytics cookie. ONLY set if configured to use GA |

Non-essential cookies are used for analytics, personalized content and ads. These cookies shouldn’t be written or read on first page load for citizens of the EU.

Does the table above look correct, and complete?


(Kane York) #2

There’s also a couple localStorage keys, but those have a much better “clear data” story, don’t transit the network unless explicitly sent, and are easier for users to audit usage of.


(Jeff Atwood) #3

It would be good for @sam to review this and see what he thinks.


(Allen) #4

Thanks for your list of cookies. Under GDPR, it appears to be best practice to list all cookies used in the privacy statement, along with a brief explanation of their function. Your list is invaluable for this.

I am seeing a session cookie called rack.session in my setup, possibly related to this:


Perhaps you can add it to your list.
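A check built on the table in post #1 and the rack.session observation in post #4, as an added example that is not part of any post in this thread or of Discourse itself: it reads a Netscape-format cookies.txt jar captured after a first page load and flags cookies missing from the table, non-essential cookies present before consent, and cookies listed as Session that carry an expiry. The jar contents, the host forum.example and the function names are constructed for illustration.

```python
# Added example, not Discourse code. Names and the Essential/Expires columns
# come from the table in post #1; the jar contents below are constructed.
# name -> (essential, listed as Session)
TABLE = {
    "email": (True, True), "destination_url": (True, True),
    "sso_destination_url": (True, True), "fsl": (True, True),
    "theme_key": (True, False), "cn": (True, False),
    "_bypass_cache": (True, True), "_t": (True, False),
    "_forum_session": (True, True), "dosp": (True, False),
    "_ga": (False, False), "_gid": (False, False),
}

def parse_cookies_txt(text):
    """Yield (name, expiry) per cookie; expiry 0 means a session cookie."""
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]  # curl's marker for HttpOnly cookies
        elif not line.strip() or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("\t")
        if len(fields) == 7 and fields[4].isdigit():
            yield fields[5], int(fields[4])

def audit_first_load(text, consent_given=False):
    """Return (cookie name, finding) pairs for a jar captured on first page load."""
    findings = []
    for name, expiry in parse_cookies_txt(text):
        if name not in TABLE:
            findings.append((name, "not in table"))
            continue
        essential, session_only = TABLE[name]
        if not essential and not consent_given:
            findings.append((name, "non-essential before consent"))
        if session_only and expiry != 0:
            findings.append((name, "persistent but listed as Session"))
    return findings

# Constructed jar: domain, subdomains, path, secure, expiry, name, value
SAMPLE_JAR = "# Netscape HTTP Cookie File\n" + "\n".join("\t".join(row) for row in [
    ("#HttpOnly_forum.example", "FALSE", "/", "TRUE", "0", "_forum_session", "abc"),
    ("#HttpOnly_forum.example", "FALSE", "/", "TRUE", "0", "rack.session", "def"),
    (".forum.example", "TRUE", "/", "FALSE", "1900000000", "_ga", "GA1.2.1.1"),
    ("forum.example", "FALSE", "/", "FALSE", "1900000000", "destination_url", "/latest"),
])

if __name__ == "__main__":
    for name, finding in audit_first_load(SAMPLE_JAR):
        print(f"{name}: {finding}")
```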


(Arnel) #5

Here is an example of handling cookies:

Volvo Trucks

Should we make something similar for Discourse, including any third-party cookies that are integrated into Discourse, with an explanation, like the Google Analytics cookies part etc., to comply with GDPR law?

