Kirby without cookies for page visitors?

Is it possible to operate Kirby in such a way that no cookies are set for page visitors? I want to run my installation in such a way that the cookie function is only used for the panel. I am very concerned that with the entry into force of the new EU regulation, a cookie operation with kirby could become a problem.


Kirby shouldn’t be setting any cookies if no session is started. And that only happens in the Panel by default.

Also, required cookies (meaning: cookies used for sessions and login purposes) are not subject of the EU regulation, only tracking cookies (I’m not a lawyer and this is no legal advice, but might be a good starting point).

I’m not a lawyer either. But kirby sets a cookie already on the first page. I ask myself: Why?

I can’t reproduce this. Are you using a fresh StarterKit without any plugins? Have you made sure to remove Panel cookies before loading the start page? What Kirby version are you using?


Are you using a multi-language website with Kirby?

No, I dont have a multi language setup as showing here:

The only locale related options are

c::set('date.handler', 'strftime');
setlocale(LC_ALL, 'de_DE');

Toolkit Version: 2.4.1
Kirby Version: 2.4.1
Panel Version: 2.4.1

If I login at the panel, kirby adds another cookie.

I use the following plugins:

Only webmentions and feed works already on the start page.

I just downloaded a 2.4.1 Starterkit and yes, it starts a session. I thought that issue had been removed earlier, at least accordion to GitHub. Any chance to update to a newer version?

Made an update now to version 2.5.9 on a test system. Overwritten the old folders “kirby” and “panel” with the new ones. Deleted all cookies via “Developer Tools” of Firefox.

No changes. The system sets still a cookie called “kirby_session”. Same behaviour on icognito mode of Firefox.

Could you please try again with a fresh starterkit of 2.5.9 without any modifications? Because the Kirby website (which runs on Kirby 2.5.9 at the moment) as well as other sites I have tested don’t have this issue.

Quick Feedback: I made a new setup under The fresh system does not set cookies. Later on, I will install my plugins step by step and configure the necessary localization in config.php. Stay tuned. :wink:

The setting of cookies seems to be caused by a file in the old (kirby 2.4.1) folders “content”, “snippets” or “templates”. Since I didn’t delete them during yesterday’s update, the new “panel” and “site” folders (kirby 2.5.9) couldn’t take effect either.

Apparently they call a function that sets cookies. This must be one of the core functions of kirby, because the snippets and templates adhere closely to the documentation at

However. I will now set up my site again and observe exactly where the cookies creep in. I then report back here in the forum, either with a find or the message that everything works like magic without cookies.



First of all, I have to apologize. The reason for my problem was myself. (Off topic: Seems to be the story of my life.) I have added code to my header snippet that provides logged in users some additional informations.

<?php if($user = $site->user()): ?>
<!-- show some yadda yadda -->
<?php endif ?>

The unexpected cookies crept in with “$site->user ()”, a function that returns “the currently logged in $user object” ( This was finally the only, but for me very inconspicuous deviation from the standard code.

This also explains why an update to the new version did not change anything. The header file was simply never touched.

Thanks to the staff for your patience!


No issue at all, thanks for getting back!


I have the same problem. I use a fresh Kirby Starterkit (Kirby 2.5.10) and use a theme from third. Because of I don*t istalled a plugin, it must be this theme. How can I find the problem?



Things to check:

  • does the site use language detect in the config? c::set('language.detect', true);
  • are there any routes/templates/snippets that check for $site->user()?
1 Like

I delete this, but it’s not enough.

I looked inside all file named route*. Nothing. I lokked inside all used templates. I can*t find $site->user() with STRG + F there, too. The same to the snippets.




What about plugins? Wasn’t there some authentication stuff?

1 Like

You are so great. :slight_smile: I think to much like in worpress (there is a plugin menu in the backend). I rename /kirby/site/plugins to /kirby/site/_plugins and there is only the kirby_session_auth Cookie when I vist the site.

Thank you.

I think, i don’t use /auth if I am the only author, or? I son’t use tagcloudAnd third, there is /plugins/uploads/flow-php-server - I will wait, if it makes trouble zu deactivating it. :wink:

If there is an auth plugin, that is probably meant to limit access. to certain internal pages on the frontend. If you don’t need it, you can disable it. The upload thingy is probably something that allows uploads on the frontend. As long as you don’t use any controllers, templates, snippets that make use of any of this, it shouldn’t be a problem to remove that stuff.

1 Like