Is a PHP Session acceptable with the new UK cookie law?
If you're able to store a PHP session cookie on a user's computer to enable the 'essential' functionality of your website - what stops you then associating additional information with that visitor without their consent/knowledge? (Apart from it being illegal.)
After all, all the information you store - except the cookie ID which is client side - is kept on the server side and the user can't do anything to view/modify this?
So in short, if the user 'allows' you to store a PHP session cookie on their computer there's nothing to stop you storing lots of other data about their visit? - IP, Browser, OS etc...
No, I think the PHP sessions do not fall under the Cookie Law. There are a lot of differences between a Cookie and a Session.
For example, read here: http://php.about.com/od/learnphp/qt/session_cookie.htm
Also, if you read the law: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf
It says,
"The provisions of the amended Article 5(3) refer to any attempt to store information, or gain access to stored information, in a user’s equipment" (pg 57)
So you see, it says "user's equipment", and sessions are not stored there; they are stored on the server: http://ejvyas.blogspot.com/2010/02/where-is-stored-is-it-in-browser-or-at.html
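To make the split described in the question and in this answer concrete, here is an added example (not from the original thread): it shows that the browser only ever holds the session ID, while everything written to $_SESSION lives in a file on the server. It assumes PHP's default file-based session handler and a writable temp directory.

```php
<?php
// Added example: which part of a PHP session reaches the browser and which part
// stays on the server. Assumes the default file-based handler and a writable temp dir.

declare(strict_types=1);

// Use a throwaway save path so the demo does not touch a real session store.
$savePath = sys_get_temp_dir() . '/php-session-demo';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_path', $savePath);
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued

session_start();

// Only what is written to $_SESSION is stored server-side. Keep it to what the
// essential function (here, a shopping basket) actually needs: nothing forces
// you to record IP, browser or OS just because a session cookie exists.
$_SESSION['basket'] = ['sku-1234' => 2]; // constructed sample basket entry
session_write_close(); // flush to disk so the file can be inspected below

// 1) What the client receives: a cookie carrying the ID and nothing else.
//    (On a web request PHP emits the Set-Cookie header itself; it is shown
//    here as a string for illustration.)
$cookieName = session_name(); // "PHPSESSID" unless session.name is changed
$cookieId   = session_id();
echo "Client-side cookie: {$cookieName}={$cookieId}\n";

// 2) What the server keeps: a file named after the ID holding the serialized data.
$file = $savePath . '/sess_' . $cookieId;
echo "Server-side record: {$file}\n";
echo "Contents: " . file_get_contents($file) . "\n";
// The file contains only the basket entry: basket|a:1:{s:8:"sku-1234";i:2;}
```

Run it from the command line with `php example.php`; the ID is random, so the cookie value and file name differ on every run, but the file contents are exactly the serialized $_SESSION array.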
The simple answer is that you're probably going to be okay; the extent to which this law will even be enforced is massively up for debate anyway.
We will enforce the law proportionately. We'll look at the risks if and when customers complain to us. If a website's cookie and privacy is a risk to many people, we may then take action.
There is a balance to be struck though, as not all cookies are equal, and our enforcement approach will bear this in mind.
For example, someone may complain about a cookie placed without their consent, but if it was just used to remember essential details rather than to gather information to be used for marketing purposes, then it may not be appropriate to act.
(Source: The ICO's Dave Evans on EU cookie law compliance)
From what I have heard, the ICO is going to be fairly liberal in the interpretation of the law; the most important thing to do is to show that you are making changes to comply with the spirit of the law.
I think that as the form is essential to the site, you don't need to prove that it is essential to 100% of users.
In an e-commerce site it is being taken as read that it's ok to have cookies that relate to the shopping bag without asking permission, as it is essential to the function of the site, even if a particular user doesn't actually add anything to their basket.