Comments on some cookies
The PHPSESSID is only used inside a session and is deleted and therefore allowed as per GDPR.
The __cfduid cookie is set by our Content Delivery Network (CloudFlare) and is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis. For example, if a certain laptop is used in a local area network where there are laptops infected with viruses, but the specific person’s laptop is trusted (e.g. because they’ve completed a challenge (within your Challenge Passage period), the cookie allows CloudFlare to identify that client and not challenge them again. It does not correspond to any user ID and does store any personally identifiable information.
Because Cloudflare uses this cookie to identify both HTTP and HTTPS requests from known clients, we do not set the “secure” flag on it. This is not a risk, however: as mentioned above the cookie does not contain sensitive data.
It is not possible to block the Cloudflare cookie at the moment. A Content Delivery Network ensures good performance of websites across the globe. We have been in touch with CloudFlare and they say that they consider this cookie to be allowed as per the GDPR which states in that some cookies are exempt from this requirement. Consent is not required if the cookie is:
- used for the sole purpose of carrying out the transmission of a communication, and
- strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.