What Cookies Does a Drupal Site Set?

Every Drupal installation sets cookies from the moment a visitor logs in or interacts with a form. The core session cookie - named SESS followed by a hash of the domain - identifies authenticated users and persists form data across page loads. Drupal also sets a Drupal.visitor cookie to store basic visitor preferences.

Those are just the built-in cookies. Most Drupal sites run contributed modules and third-party integrations that add their own tracking. Google Analytics drops _ga and _ga_* cookies. The Meta Pixel sets _fbp. Embedded YouTube videos, live chat widgets, and advertising tags each bring their own cookie payloads.

The distinction matters because session cookies that are strictly necessary for the site to function receive different legal treatment than analytics cookies or marketing cookies.

The Legal Framework: GDPR, ePrivacy, and Drupal

Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device - unless the cookie is strictly necessary to provide a service the user has explicitly requested. The GDPR then governs how that consent must be collected: freely given, specific, informed, and unambiguous.

For Drupal site owners, this means the core session cookie used for authenticated sessions typically qualifies as strictly necessary. But _ga, _fbp, _gid, and similar tracking cookies do not. These must be blocked until the visitor gives explicit consent.

Enforcement has intensified. CNIL issued over EUR 100 million in cookie-related fines between 2022 and 2024. The Swedish DPA (IMY) formally warned several organisations in 2025 for using dark patterns in cookie banners - making the accept button prominent while hiding the reject option.

Legitimate interest cannot justify analytics or marketing cookies under either the GDPR or the ePrivacy Directive. If your Drupal site serves visitors in the EU, UK, or other jurisdictions with similar rules, you need prior opt-in consent for non-essential cookies.

Common Cookies on Drupal Sites

Before configuring consent, audit what your site actually sets. The table below covers cookies found on a typical Drupal installation with common contributed modules.

| Cookie Name | Set By | Category | Consent Required? |
| --- | --- | --- | --- |
| SESS[hash] | Drupal core | Strictly necessary | No |
| Drupal.visitor | Drupal core | Functional | Depends on use |
| _ga, _ga_* | Google Analytics | Analytics | Yes |
| _gid | Google Analytics | Analytics | Yes |
| _fbp | Meta Pixel | Marketing | Yes |
| _gcl_au | Google Ads | Marketing | Yes |
| pll_language | Language switcher | Functional | No (if essential) |
| PHPSESSID | PHP (if misconfigured) | Strictly necessary | No |

A cookie scanner can detect exactly which cookies your Drupal site sets, including those from third-party scripts loaded by contributed modules.

Drupal's Built-in Cookie Consent Modules

Drupal's module ecosystem offers several options for cookie consent. The most established is EU Cookie Compliance (GDPR Compliance), which has been available since Drupal 7 and supports Drupal 10. It displays a configurable banner, supports opt-in and opt-out consent models, and can block categories of cookies until consent is granted.

The module stores consent records including user ID, IP address, timestamp, and the revision ID of your privacy policy node. It also provides a floating tab so visitors can reopen the banner and withdraw consent - a GDPR requirement under Article 7(3).

A newer alternative is the Klaro! module, chosen as the recommended consent management tool for Drupal CMS. Klaro integrates a lightweight JavaScript library and offers granular control over individual services and purposes rather than broad categories.

Both modules have a significant limitation: they can only block cookies set by JavaScript on your domain. Third-party scripts loaded from external domains may still set cookies before consent is collected, unless you pair the module with server-side script blocking.

Limitations of Module-Only Approaches

Drupal consent modules rely on JavaScript to intercept cookie-setting scripts. If a third-party tag fires before the consent module initialises - common with aggressive ad scripts - cookies land on the visitor's device without consent. Modules also cannot detect new cookies added by updated third-party services unless you manually reconfigure them.

For sites with complex tracking stacks, a dedicated CMP that handles conditional script loading, automated cookie scanning, and Google Consent Mode v2 integration offers more reliable compliance.

Adding a Cookie Banner via Drupal's Theme Layer

If you prefer not to use a contributed module, Drupal's theme system provides a direct integration path. You can add a CMP script to your theme's html.html.twig template, placing it in the <head> section so it loads before any other scripts on the page.

The approach is straightforward:

  1. Open your active theme's html.html.twig file (or create one by copying it from the base theme).

  2. Paste the CMP script tag immediately after the opening <head> tag, before Drupal's CSS and JavaScript aggregation outputs.

  3. Clear Drupal's cache (drush cr or via the admin UI) so the template change takes effect.

This method works with any external CMP, including Kukie.io. The Drupal installation guide in the Help Centre walks through each step with code examples.

Using Drupal's Block System for Script Injection

Drupal's block system offers another route. You can create a custom block with the "Full HTML" text format, paste your CMP script into it, and assign it to the "Page top" or "Header" region. This avoids editing theme template files directly - useful if you lack access to the file system or prefer managing configuration through the admin interface.

The block approach has a trade-off. Blocks render within the page body, meaning the CMP script loads later in the document than a <head> placement. For consent management, loading order matters. A script that fires in the body may not intercept tracking tags that load in the head.

For reliable script blocking, head placement via the theme template or via hook_page_attachments() in a custom module is the safer option.

Configuring Cookie Categories in Drupal

Whichever method you use, your cookie banner must present clear cookie categories so visitors can make informed choices. A typical Drupal site needs at least four categories.

  • Strictly necessary - Drupal session cookies, CSRF tokens, load balancer cookies. These cannot be rejected.

  • Functional - Language preferences (pll_language), accessibility settings, content personalisation that does not involve cross-site tracking.

  • Analytics - _ga, _gid, Hotjar, Matomo, or any tool that measures site usage.

  • Marketing - _fbp, _gcl_au, LinkedIn Insight Tag, TikTok Pixel, and any retargeting or advertising cookies.

Each non-essential category must default to off. Pre-ticked checkboxes do not constitute valid consent under GDPR - the EDPB confirmed this in their guidelines on consent.

Script Blocking and Google Consent Mode

Blocking scripts until consent is granted is the technical backbone of cookie compliance. On Drupal, this typically means changing the type attribute of tracking script tags from text/javascript to text/plain and adding a data attribute that your CMP reads. When the visitor consents to a specific category, the CMP rewrites the attribute and executes the script.
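The gating convention described above can be checked statically against a page's rendered HTML. The following is an added example, not code from Drupal, a consent module or any CMP: it lists script tags in document order and reports known tracker scripts that are not marked text/plain, noting whether they precede the CMP script. The tracker host list, the data-category attribute name, the CMP URL and the sample HTML are all assumptions.

```javascript
// Added example; TRACKER_HOSTS, data-category and all URLs are assumptions.
const TRACKER_HOSTS = new Map([
  ['www.googletagmanager.com', 'analytics'],
  ['connect.facebook.net', 'marketing'],
]);

// Return every <script> start tag in document order with its attributes.
function listScripts(html) {
  const scripts = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    scripts.push({ index: scripts.length, attrs });
  }
  return scripts;
}

// Flag tracker scripts not gated as type="text/plain" with a matching data-category.
function auditConsentGating(html, cmpSrc) {
  const scripts = listScripts(html);
  const cmp = scripts.find((s) => s.attrs.src === cmpSrc);
  const findings = cmp ? [] : [{ issue: 'cmp-missing', src: cmpSrc }];
  for (const s of scripts) {
    if (!s.attrs.src) continue; // inline snippets are out of scope here
    let host;
    try { host = new URL(s.attrs.src, 'https://site.example').hostname; } catch { continue; }
    const category = TRACKER_HOSTS.get(host);
    if (!category) continue;
    const type = (s.attrs.type || 'text/javascript').toLowerCase();
    if (type === 'text/plain' && s.attrs['data-category'] === category) continue;
    // beforeCmp: the tag precedes the CMP script, so nothing can intercept it.
    findings.push({ issue: 'ungated', src: s.attrs.src, category,
      beforeCmp: !cmp || s.index < cmp.index });
  }
  return findings;
}

// Constructed sample of a rendered <head>.
const SAMPLE_HTML = `<head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cmp.example/banner.js"></script>
<script type="text/plain" data-category="analytics"
        src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="/core/misc/drupal.js"></script>
</head>`;
console.log(auditConsentGating(SAMPLE_HTML, 'https://cmp.example/banner.js'));
```

Run it against the HTML an anonymous visitor receives, with Drupal's caches cleared, so that tags injected by contributed modules are included.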

If you use Google Analytics 4 or Google Ads, Google Consent Mode v2 lets you send cookieless pings while consent is pending, then upgrade to full measurement once consent is granted. This preserves conversion modelling without violating consent rules. Kukie.io supports Consent Mode v2 out of the box - the integration guide in the Help Centre covers the setup.

Geo-Detection: Showing the Right Banner to the Right Visitor

Not every jurisdiction requires the same consent model. The GDPR demands opt-in consent. The CCPA requires an opt-out mechanism. Some countries have no cookie-specific rules at all.

A CMP with geo-detection can show different banner configurations based on visitor location. European visitors see a full opt-in banner with granular category controls. Californian visitors see an opt-out notice. Visitors from unregulated jurisdictions might see a minimal informational banner or none at all.

Drupal's contributed modules generally lack built-in geo-detection. The EU Cookie Compliance module can restrict the banner to EU visitors, but it does not adapt the consent model by region. If your site has a global audience, an external CMP with region-based rules handles this more effectively. The same applies to other open-source CMS platforms like Joomla and WordPress.

Testing Your Drupal Cookie Banner

After installation, verify that your banner actually blocks non-essential cookies before consent. Open Chrome DevTools, go to the Application tab, and clear all cookies. Reload the page. Before interacting with the banner, only strictly necessary cookies should be present.

Accept all categories, then check again. Analytics and marketing cookies should now appear. Withdraw consent using the banner's reopening mechanism, reload, and confirm those cookies are cleared or no longer being set.

Run a banner verification test periodically. Third-party scripts update frequently, and a tag that respected your consent flow last month may behave differently after an update.
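The three-step check above can be scripted by pasting document.cookie snapshots into a small evaluator. This is an added example, not part of any Drupal module or CMP: the patterns follow the cookie table earlier in this article, the two conditional rows are reported for manual review, and the function names and sample snapshots are constructed.

```javascript
// Added example for the DevTools check. Patterns follow the cookie table in
// this article; function names and the sample snapshots are constructed.
const COOKIE_RULES = [
  { re: /^S?SESS[0-9a-z]+$/i, consent: 'no' },   // Drupal session (SSESS on HTTPS)
  { re: /^PHPSESSID$/, consent: 'no' },
  { re: /^(_ga(_.+)?|_gid)$/, consent: 'yes' },   // Google Analytics
  { re: /^(_fbp|_gcl_au)$/, consent: 'yes' },     // Meta Pixel, Google Ads
  { re: /^(Drupal\.visitor|pll_language)/, consent: 'review' }, // conditional rows
];

// Split a document.cookie-style string into names needing consent and names
// to review by hand. HttpOnly cookies never appear in document.cookie.
function classify(cookieString) {
  const needConsent = [], review = [];
  for (const part of cookieString.split(';')) {
    const name = part.split('=')[0].trim();
    if (!name) continue;
    const rule = COOKIE_RULES.find((r) => r.re.test(name));
    if (!rule || rule.consent === 'review') review.push(name);
    else if (rule.consent === 'yes') needConsent.push(name);
  }
  return { needConsent, review };
}

// Evaluate the three snapshots from the test procedure. afterWithdraw is taken
// after clearing cookies and reloading with consent withdrawn (an assumption).
function checkBannerFlow({ beforeConsent, afterAccept, afterWithdraw }) {
  const pre = classify(beforeConsent);
  const acc = classify(afterAccept);
  const wd = classify(afterWithdraw);
  return {
    blocksBeforeConsent: pre.needConsent.length === 0,
    setsAfterAccept: acc.needConsent.length > 0,
    stopsAfterWithdraw: wd.needConsent.length === 0,
    leaked: [...new Set([...pre.needConsent, ...wd.needConsent])],
    review: [...new Set([...pre.review, ...acc.review, ...wd.review])],
  };
}

// Constructed snapshots: a marketing tag fired before the banner was answered.
const SAMPLE = {
  beforeConsent: '_fbp=fb.1.1700000000000.1234567890',
  afterAccept: '_fbp=fb.1.1700000000000.1234567890; _ga=GA1.1.1.1; _ga_ABC123=GS1.1.1; _gid=GA1.1.2.2; chat_widget_id=abc',
  afterWithdraw: 'Drupal.visitor.theme=dark',
};
console.log(checkBannerFlow(SAMPLE));
```

Names in the review list are either conditional in the table or match no rule at all, which is how a cookie introduced by an updated third-party script shows up.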

Frequently Asked Questions

Does Drupal set cookies without any modules installed?

Yes. Drupal core sets a session cookie (SESS[hash]) for authenticated users and when form data needs to persist. For anonymous visitors who do not interact with forms, Drupal typically does not set cookies unless contributed modules add them.

Is the Drupal session cookie exempt from GDPR consent?

The session cookie used for login and form handling is generally classified as strictly necessary under Article 5(3) of the ePrivacy Directive, meaning it does not require consent. It must still be disclosed in your cookie policy.

Can I use the EU Cookie Compliance module on Drupal 10 and 11?

The EU Cookie Compliance module supports Drupal 10. Drupal 11 compatibility depends on the module's release cycle - check the module page on drupal.org for the latest supported versions before installing.

How do I block Google Analytics cookies before consent on Drupal?

Change the GA script tag type from text/javascript to text/plain and add a data attribute your CMP recognises. The CMP will convert it back and fire the script only after the visitor consents to the analytics category.

Do I need a cookie banner if my Drupal site only has a contact form?

If the only cookie is the strictly necessary session cookie for the form, you may not need a consent banner for that cookie specifically. But if your site loads any analytics, fonts from Google, embedded videos, or social sharing buttons, those likely set non-essential cookies that do require consent.

What is the best way to add a CMP script to Drupal?

Placing the script in your theme's html.html.twig template inside the <head> tag gives the most reliable loading order. This ensures the CMP initialises before other scripts and can block non-essential cookies from the start.

Take Control of Your Cookie Compliance

If you are not sure which cookies your Drupal site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
