No, because they "sessions" are on the server ..not on the visitors machine.."cookies" are on the visitors machine..

Yes but most sessions - specifically, PHP sessions - maintain the connection to the user's computer via the PHPSESSID cookie anyway, unless your server and scripts are configured to default to query strings if a cookie can't be set. For many sites, no cookies - no PHP session control.

I don't see a problem with complete disclosure, mentioning that session data is automatically deleted after 25 minutes of activity (I think that's the default, for PHP.)

I don't see a problem with complete disclosure

I'd agree , except by now most "average" people hear read "cookies" ..and get scared or suspicious ..or both ..they tend ( because of abuse by some sites and search engines, and some very bad explanations and scare reporting by so called tech reporters in MSM ) to equate cookies with virus IME.

My advice would be if you are going to go for "complete disclosure", mention sessions if you use them ..but telling them that you may use cookies to set them, will just scare them twice as much...

I know its a fudge ..but by now people ( including lawmakers ) tend to think "cookies" can steal souls.

Thanks for the feedback guys.

This cookie policy is driving me up the wall.

What a load of rubbish! It's frustrating that we need to activly prompt the user to accept cookies.

In my opinion that just creates a bad user experience.

Again, thanks guys!

Well, the way to handle that is to accept the responsibility for making it work **with or without** cookies (or Javascript.) See the previous for how you do that - PHP has this functionality inherent in it's framework. In other languages the functionality is the same - you try to set a cookie, if you can't, you carry a session ID via query strings and hidden post field values. Along with this is a constant notification to the user - "please note your usage of this site will be enhanced if you accept cookies. They are really low cal and delicious - we promise!"

Haha, the website will work without cookies. Our cookies remember the users language preference.

Without cookies, on each visit, they get the countries native language. And if they're on business, which is likely with us being B2B, then they may be a Brit in Germany, for example.

But yes - sound advice - thank you.

Our cookies remember the users language preference.

Huh? The site may be remembering the user agent by IP?

Try clearing all cookies for yourdmainname.com in your browser. Disable cookies, then create a new account. A "workaround" I use for this is to enter the site in a browser I've never used on the site before - "clean entry." :-) This will tell you how well it works without cookies. Same for JS.

Nooo no, we pin them down to a geological location with their IP. We then save their native language as their preference in a cookie. If they change their language, it's remembered with said cookie...