| Name | Essential | Expires | Description |
|---|---|---|---|
| email | Y | Session | Used during account creation |
| destination_url | Y | Session | Used during login to redirect to the requested page |
| sso_destination_url | Y | Session | Used during SSO login to redirect to the requested page |
| fsl | Y | Session | Full screen login client setting |
| theme_key | Y | Forever | Client theme personalization. Only used when “Make this my default theme on all my devices” unselected. |
| cn | Y | Forever | Client clear notifications. I’m counting this as user input instead of personalization because it doesn’t make sense to ‘undo’ or change cleared notifications. |
| _bypass_cache | Y | Session | Used with ‘fsl’ for full screen login |
| _t | Y | 1440 hours | User authentication token cookie. SiteSetting.maximum_session_age.hours.from_now |
| _forum_session | Y | Session | Session cookie |
| dosp | Y | next page view | Temporary cookie that informs client denial of service protection is in place. |
| __profilin | N | Session | Developer only, used by rack-mini-profiler to bypass work |
| _ga | N | 2 years | Google Analytics cookie. ONLY set if configured to use GA |
| _gat | N | 2 years | Google Analytics cookie. ONLY set if configured to use GA |
| _gid | N | 24 hours | Google Analytics cookie. ONLY set if configured to use GA |

Non-essential cookies are used for analytics, personalized content and ads. These cookies shouldn’t be written or read on first page load for citizens of the EU.

Cookie compliance under GDPR
There’s also a couple localStorage keys, but those have a much better “clear data” story, don’t transit the network unless explicitly sent, and are easier for users to audit usage of.

Thanks for your list of cookies. Under GDPR, it appears to be best practice to list all cookies used in the privacy statement, along with a brief explanation of their function. Your list is invaluable for this.

I am seeing a session cookie called rack.session in my setup, possibly related to this:

Perhaps you can add it to your list.

Here is an example of handling cookies:

Should we make something similar for Discourse, including an explanation of any third-party cookies integrated into Discourse, like the Google Analytics cookies, etc., to comply with GDPR law?

GDPR countdown and compliance

Thanks for the list. It would be useful to have a definitive list of cookies set by Discourse so we can include these within our GDPR privacy policies and can refer back to the list when updating our policy in case any new cookies are added in future.

Fine, marking this official and taking ownership, if anyone finds any inconsistencies here let me know.

I reviewed the list and it looks fine.

@Karl_Romanowski thanks for putting this together, apologies for stealing the topic from you.

I saw this temporarily on meta. Trying to determine where it is coming from; it is an unencrypted session cookie Rack sets, but we should not really require it.
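One way to check a site against the cookie table in this thread, as an added example that is not Discourse's own code: it audits the `Set-Cookie` headers of a first page load for cookies missing from the inventory (such as the `rack.session` cookie reported above), non-essential cookies set before consent, and cookies listed as Session that carry a lifetime. The function names and the sample headers are constructed for illustration.

```python
# Inventory from the cookie table in this thread: name -> (essential, session-only).
# "dosp" expires on "next page view"; treating it as not session-only is an assumption.
INVENTORY = {
    "email": (True, True), "destination_url": (True, True),
    "sso_destination_url": (True, True), "fsl": (True, True),
    "theme_key": (True, False), "cn": (True, False),
    "_bypass_cache": (True, True), "_t": (True, False),
    "_forum_session": (True, True), "dosp": (True, False),
    "__profilin": (False, True), "_ga": (False, False),
    "_gat": (False, False), "_gid": (False, False),
}


def parse_set_cookie(header):
    """Return (name, attributes) for one Set-Cookie header value."""
    first, *rest = header.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.strip().partition("=")
        if key:
            attrs[key.lower()] = value
    return name, attrs


def audit_first_load(headers, consent=False):
    """Flag cookies on a first response that the inventory does not allow."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in INVENTORY:
            findings.append((name, "not in inventory"))
            continue
        essential, session_only = INVENTORY[name]
        if not essential and not consent:
            findings.append((name, "non-essential before consent"))
        if session_only and ("expires" in attrs or "max-age" in attrs):
            findings.append((name, "listed as Session but persistent"))
    return findings


# Constructed sample: Set-Cookie values from a hypothetical first page load.
SAMPLE = [
    "_forum_session=abc123; path=/; HttpOnly",
    "_ga=GA1.2.111.222; path=/; expires=Wed, 09 Jun 2027 10:00:00 GMT",
    "rack.session=deadbeef; path=/; HttpOnly",
    "fsl=1; path=/; Max-Age=3600",
]
```

Feeding it the headers captured from a fresh, logged-out request lets the privacy policy's cookie list be re-checked whenever the site is upgraded.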