Right now, preventing a cookie from being set, requires some hacking of
the core, since at least a session is always started (hardcoded) from
the session class. Would the approach taken in the Cookie class
enhancement [1] by Matt Lewis also be the way to go for the Session class?
As I understand, thanks to this enhancement it is now possible to
subclass the Cookie class and prevent a cookie from being set until
permission has been given. I need this functionality for a session
cookie as well, so I'd then try to implement the same get_inst()
functionality on that class. But there's been some discussion if instead
the Injector class shouldn't be used for this kind of enhancements. As
far as I can tell though, that would require modifications of any code
now using the session class throughout the core, right?
(The new cookie law in the Netherlands doesn't allow a website to set
any cookies (session/non-session) without first getting approval. This
is a bit stricter than UK, where I think you just have to inform that a
cookie has been set.)
[1]
https://github.com/silverstripe/sapphire/commit/ebb2458f22f44e740f93fc99c49240cb72e9c6e6