Open source PHP based content management system from the Chinese vendor DesDev. Self hosted, with PHPSESSID and admin login cookies, no native analytics.
DedeCMS is an open source PHP based content management system created in China by the company DesDev. It powers a large share of Chinese small and medium business websites and is also used worldwide for static content sites, online magazines and corporate brochure sites. The CMS ships with a templating engine, a comment system, basic SEO features and an admin backend protected by a username and password.
DedeCMS sets a PHPSESSID cookie when a visitor logs in, posts a comment or starts an admin session. It writes a dedicated admin authentication cookie called DedeUserID and a related DedeLoginTime cookie once an editor signs into the backend. The application also logs IP addresses, user agents and timestamps in the MySQL database for security and audit purposes, plus the textual content of comments and user posts.
The PHPSESSID and DedeUserID cookies are strictly necessary because they support an action the user actively requested, namely logging in or posting a comment. They are therefore exempt from the consent requirement of Article 5(3) of the ePrivacy Directive. The processing of personal data inside the CMS relies on the legitimate interest of the operator (Article 6(1)(f) GDPR) or on the performance of a contract when the website is part of a customer account.
No banner is required for the strictly necessary cookies, but a consent banner remains mandatory as soon as the operator activates third party analytics, advertising tags or social plugins on the front end. The privacy policy must mention DedeCMS, the role of the operator as data controller, the categories of data stored and the rights of access, rectification and erasure provided by Articles 15 to 17 GDPR.
DedeCMS is fully self hosted. There is no built in transfer to a vendor. The location of personal data depends on where the website operator runs the PHP application. Hosting in mainland China by a Chinese operator falls under the Personal Information Protection Law, while hosting outside China requires a CAC standard contract or a security assessment for cross border transfers. EEA hosted instances must comply with the GDPR and may need standard contractual clauses for any export to third countries.
Keep DedeCMS up to date because the codebase has a long history of vulnerabilities, restrict the admin backend to trusted IP addresses or VPN access, force HTTPS for the login pages, set short session timeouts, configure log retention and back up the database. Document the processing in the Article 30 records, name DedeCMS in the privacy policy and add a dedicated entry for any third party tracker enabled on top of the CMS.
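To check the HTTPS and session lifetime advice above against what a site actually sends, the following added example (not DedeCMS code and not from the vendor) audits Set-Cookie header values for the cookies named on this page. The cookie names and the 7 day lifetime come from this page's cookie table; the Secure, HttpOnly and SameSite checks are general cookie hardening practice assumed here, and the sample headers are constructed.

```python
from http.cookies import SimpleCookie

WEEK = 7 * 86400
# Cookie names and lifetimes from this page's table (None = session cookie).
EXPECTED_MAX_AGE = {
    "PHPSESSID": None,
    "DedeUserID": WEEK,
    "DedeLoginTime": WEEK,
    "DedeUserID__ckMd5": WEEK,
}

def audit_set_cookie(headers):
    """Return sorted (cookie, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)  # one Set-Cookie value carries one cookie plus attributes
        for name, morsel in jar.items():
            if name not in EXPECTED_MAX_AGE:
                continue  # only the cookies this page attributes to the CMS
            # Assumed hardening baseline: all three attributes present.
            for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"),
                                ("samesite", "SameSite")):
                if not morsel[attr]:
                    findings.append((name, f"missing {label}"))
            limit = EXPECTED_MAX_AGE[name]
            max_age = morsel["max-age"]
            if limit is None:
                # A session cookie should carry neither Max-Age nor Expires.
                if max_age or morsel["expires"]:
                    findings.append((name, "session cookie is persistent"))
            elif max_age.isdigit() and int(max_age) > limit:
                findings.append((name, "lifetime exceeds documented 7 days"))
    return sorted(findings)

# Constructed sample Set-Cookie values, not captured from a real site.
SAMPLE = [
    "PHPSESSID=k3v9q1; path=/",
    "DedeUserID=1; Max-Age=2592000; path=/",
    "DedeUserID__ckMd5=0123456789abcdef; Max-Age=604800; path=/; "
    "Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE):
        print(f"{name}: {finding}")
```

Feed it the Set-Cookie values recorded from a login on your own instance; an empty result means every listed cookie met the assumed baseline.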
Websites using DedeCMS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a public DedeCMS website, but becomes recommended when the site collects sensitive data (health, opinions, biometrics), targets EEA users from a Chinese host or integrates third party trackers. Document the location of the database, the retention of admin logs and the cross border transfer mechanism.
Sample consent text
We use DedeCMS to publish the content of this website. This sets a strictly necessary PHPSESSID cookie when you log in or post a comment, and an admin authentication cookie for editorial staff. These cookies do not require your consent. Any optional analytics is listed in the cookie banner.
Third-party domains contacted
dedecms.com
desdev.cn
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | http_session | Session | Identifies the visitor PHP session on the DedeCMS backend for login and comment posting. |
| DedeUserID | http_persistent | 7 days | Stores the admin or member identifier so editors stay logged in to the DedeCMS backend. |
| DedeLoginTime | http_persistent | 7 days | Records the last login timestamp for the admin session, used for security and session expiry checks. |
| DedeUserID__ckMd5 | http_persistent | 7 days | Hashed verification value paired with DedeUserID to protect the admin authentication cookie. |
DedeCMS sets a PHPSESSID session cookie when a visitor logs in or posts a comment, plus DedeUserID and DedeLoginTime cookies in the admin backend. These cookies are strictly necessary. The CMS does not include any native analytics or advertising cookies.
No. The cookies that DedeCMS writes are strictly necessary for the actions the user requests, such as logging in or submitting a comment. Article 5(3) of the ePrivacy Directive exempts them from the consent requirement. Consent becomes required only if the operator adds third party analytics or advertising tags.
Legitimate interest under Article 6(1)(f) GDPR for the session and authentication cookies, performance of a contract under Article 6(1)(b) GDPR for member accounts, consent under Article 6(1)(a) GDPR for any optional analytics or advertising tracker activated on top of the CMS.
DedeCMS itself does not transfer data anywhere. The location of personal data depends on where the operator hosts the PHP application. If hosting takes place in mainland China, the PIPL applies and a CAC standard contract is required for EEA transfers. US hosting requires standard contractual clauses for EEA users.
A DPIA is generally not required for a static public site, but is recommended when DedeCMS hosts sensitive content (health, political opinions), processes a large volume of user generated content, targets EEA users from a Chinese host or integrates third party trackers.
Keep the CMS up to date, restrict the admin backend to trusted IP addresses or VPN, force HTTPS, set short session timeouts, configure log retention, document the processing in the Article 30 records, sign a data processing agreement with the hoster and add a dedicated entry in the privacy policy for any third party tracker.
Open source PHP CMS alternatives include WordPress, Drupal, Joomla, Typo3 and Grav. None of these alternatives changes the obligation to address the GDPR or local equivalents such as the Chinese PIPL when applicable.
Add a dedicated entry for DedeCMS that lists the PHPSESSID, DedeUserID and DedeLoginTime cookies as strictly necessary, mention the hosting location, explain the role of the operator as data controller and list any third party tracker enabled on top of the CMS along with its purpose and retention.