There are some core behaviours to address also. If session cookies are OK, the users should still be able to register with a site and log in, however if they have rejected the use of other cookies, then the "remember me" functionality shouldn't be allowed, nor tracking the user as a past member.
The first issue can be overcome by subclassing the MemberLoginForm, checking your current situation regarding cookie permissions and then removing the checkbox to "remember me" from the field list before the form is rendered. (edit: alternatively come up with your own login form)
For the past member cookie, however, that is set in the Controller init method. You need to call parent::init() in our own controller's init method otherwise Silverstripe issues an error, therefore so far the only way I can see to avoid that cookie is a little bit of direct editing of the Controller class. The code that would normally set the cookie is just wrapped in a cookie preference check, which I have set in a protected member of the child controller class, but also in a session variable so it can be accessed elsewhere.
Regarding requesting permission, I have created a form that will appear on any page, after about 1 second, if the user has not yet set a preference. The user can choose to dismiss the form (sliding to the top of the screen where it can be recalled), but it will keep appearing until a preference has been set. Once the preference has been set, that value is then, oddly, saved as a cookie. Saving the user's cookie preferences in a cookie is also apparently allowed, whether or not their preference is to allow or deny cookies.
Within my main page controller init, I check for the existence of the preference cookie; if I find it, then it is used to set the session preference. If there is no preference, then the request form is added to the template. That check is carried out before calling the parent init method.
e.g.
    public function init() {
        // Read the preference cookie first, before the parent init runs
        $this->checkCookiePreference();
        parent::init();
        /*
         * Any other init code here...
         */
    }
The cookie preference can then be checked in a template call to see whether analytics code should be added etc.
btw enjoyed the video. As the video points out, the request form will become annoying, but what can you do?
Cheers,
Jason
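
The approach described in the post above, as an added example that is not the poster's code: the preference is read before `parent::init()`, and the "remember me" option is removed both from the rendered form and from the submitted data. It assumes SilverStripe 3.x core classes and method signatures; the cookie name `CookiePreference`, its `allow`/`deny` values and the class `ConsentAwareLoginForm` are hypothetical.

```php
<?php
// Added illustration, not the poster's code. Assumes SilverStripe 3.x core
// classes (Cookie, Session, ContentController, MemberLoginForm).
// 'CookiePreference', its values and ConsentAwareLoginForm are hypothetical.
class Page_Controller extends ContentController {
    // 'allow', 'deny', or null while the visitor has not chosen yet.
    protected $cookiePreference = null;

    public function init() {
        $this->checkCookiePreference(); // before parent::init(), as in the post
        parent::init();
    }

    protected function checkCookiePreference() {
        $value = Cookie::get('CookiePreference');
        // The cookie is client-controlled: accept only the two known values.
        if (!in_array($value, array('allow', 'deny'), true)) {
            $value = null;
        }
        $this->cookiePreference = $value;
        if ($value === null) {
            Session::clear('CookiePreference');
        } else {
            Session::set('CookiePreference', $value);
        }
    }

    // Template check, e.g. <% if CookiesAllowed %>analytics snippet<% end_if %>
    public function CookiesAllowed() {
        return $this->cookiePreference === 'allow';
    }
}

class ConsentAwareLoginForm extends MemberLoginForm {
    public function __construct($controller, $name, $fields = null, $actions = null, $checkCurrentUser = true) {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);
        if (Session::get('CookiePreference') !== 'allow') {
            $this->Fields()->removeByName('Remember'); // hide "remember me"
        }
    }

    // Hiding the field is not enough: drop a posted Remember value as well.
    public function dologin($data) {
        if (Session::get('CookiePreference') !== 'allow') {
            unset($data['Remember']);
        }
        return parent::dologin($data);
    }
}
```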