Web without cookies


I have seen that Grav installs 3 essential cookies:


Is there any way to prevent these cookies? I have the whim to make a website without cookies (paranoia of a developer… ;).

I understand they’re necessary for the admin plugin, and I know exists a plugin to create static sites (which I haven’t tried yet) but… Is there any native configuration in Grav to do it?

Thank you very much!

@sdesergi, On technical forums it is often appreciated when the OP shows what has been undertaken to solve the issue before posting the question…

You could think of:

  • showing you’ve searched Discourse,
    • which suggestions have been tried, but did not solve the issue
  • showing what else has been tried so far and with what results?

Thanks for the reply, @pamtbaau

Well, good critique :slight_smile:
The search you point to I did. The configuration that @arank points to in this thread (“system session.enabled: true” and “system session.initialize: false”) doesn’t work for me.


The thread is 4 years old and the Grav version is 1.4, so I gather a lot of things have changed. I don’t know how to implement the solution proposed by @chris_jung. Can the admin plugin be used from a subdomain? I haven’t seen anything in the documentation or the forum.

The next matching thread is unanswered.

I have no in-depth knowledge of Grav, I am a newcomer (and very happy to have found this CMS). Maybe I should have started this thread in the support forum? If so, I’ll change it in a moment…

Any clue that can help me or a thread I couldn’t find?
Thank you very much

@sdesergi, Yes, I know, I’m nagging…

Variables system session.enabled: true and system session.initialize: false work fine for disabling cookies for Grav itself.

Apart from not using Admin, I’m not aware of any way to disable cookies for Admin.

Since HTTP is stateless, some form of passing at least some sort of an “identifier” of a logged-in user between client and server would be required for Admin. I’m not aware of an option to switch the client/server communication between using a cookie, GET, or POST.

Even if it would be possible, with respect to any possible privacy breach, what difference would it make if cookies, GET or POST are being used to keep track of user data?

Also, since Grav is open source, you can check for yourself what data is being used by looking at the code.

And you could of course use VPN when using Admin.

But arguing with someone being paranoid doesn’t really work does it? :wink:

1 Like

I was fighting myself silly. I didn’t delete the old cookies correctly… :sweat_smile: You’re right @pamtbaau, variables works fine. Cookies are only set on devices when you use the admin plugin and log in.

Thanks for your patience! :slightly_smiling_face:
(My paranoia is now rampant…)