Official Policy Document

Cookie Policy &
Local Storage

This policy explains every cookie and browser storage item that M-Board places on your device, why each one exists, how long it lasts, and what control you have over it. It applies to all members and governing staff of Madhunandan Association using the M-Board platform.

Effective: March 9, 2026 Last reviewed: March 9, 2026 Current & in force Internal platform only
Quick Summary — what matters most
  • M-Board uses only the cookies it needs to function. No tracking, no advertising, no analytics cookies of any kind.
  • Session cookies are deleted automatically when you close your browser or sign out.
  • The remember-me cookie is optional — you choose whether to enable it at login.
  • Local storage is used for security (device verification), convenience (PWA install state), and temporarily saving unsubmitted form drafts (proposals, feedback, etc.) for up to 2 days so you can resume where you left off.
  • Form drafts are saved only while unsubmitted. Once you submit a form, the draft is deleted immediately. File selections are never saved.
  • You can delete any saved form draft at any time — directly from the form itself, or by clearing your browser storage.
  • No third-party cookies are set by M-Board. Font and icon libraries load client-side only and set no cookies.
  • You can clear all cookies and storage at any time through your browser settings with no loss of account data.
Section 01

What Are Cookies

Cookies are small text files that a website places on your device when you visit it. They are sent back to the server with each subsequent request, allowing the server to recognise your browser across page loads — which is how you stay logged in as you navigate between pages.

M-Board also uses browser local storage and session storage — similar mechanisms built into modern browsers that store data only on your device and are never automatically sent to the server. These are used for client-side security checks, PWA (app install) state, and temporarily preserving unsubmitted form drafts so you can return to them without losing your work.

M-Board is not a commercial platform. We have no interest in tracking your behaviour, profiling you, or selling your data. Every item stored on your device has a single, documented, operational purpose.
Section 02

Essential Cookies

These cookies are strictly necessary for the platform to function. Without them, you cannot log in, maintain a session, or use any authenticated feature. They cannot be disabled without breaking the platform entirely.

Cookie Name Type Purpose Duration Sent to Server
PHPSESSID Essential PHP session identifier. Ties your browser to your authenticated server-side session. Contains no personal data — just a random identifier. The session also carries internal flags used by the platform such as MFA state, device-check state, QR login expiry, and a QR-origin flag that prevents a QR-created session from approving another QR login (chain-session prevention) — none of these are transmitted as separate cookies; they live only inside the server-side session referenced by this cookie. Session (deleted on browser close or sign-out) Yes — every request
remember_token Essential Secure remember-me token. Set only if you tick "Remember me" at login and your device passes the device-trust check. The cookie is not issued immediately at login — it is deferred and only issued once the device verification step is completed successfully. If you skip device trust, no remember-me cookie is ever set regardless of the checkbox. Used to automatically restore your session on your next visit without re-entering your password. A SHA-256 hash is stored on the server — the plain token is never stored server-side. 30 days from last login (or until you sign out or revoke the device) Yes — on every page load (for auto-login check only)
Security note on remember_token: this cookie is marked HttpOnly and Secure — it cannot be read by JavaScript and is only transmitted over HTTPS. The cookie is only issued after device verification is completed — ticking "Remember me" at login stores the intent in your session, but the actual cookie is only set once device trust is confirmed (or skipped without saving). If you are on a shared device, do not tick "Remember me." You can revoke all active remember-me tokens from Profile → Device Management at any time.
Section 03

Functional Cookies

Functional cookies enable specific features of the platform beyond core authentication. M-Board currently sets no additional functional cookies beyond the essential ones listed above. This section will be updated if any are added in future.

No functional cookies are currently set. Features such as UI preferences and notification settings are stored server-side, tied to your account — not in cookies.
Section 04

Local Storage & Session Storage

Local storage and session storage are browser APIs that store data on your device only. Unlike cookies, this data is never automatically sent to the server — it is read and written exclusively by client-side JavaScript running in your browser.

Key Name Storage Type Purpose Duration Sent to Server
dv_token_<uid> localStorage Device verification token. A unique 256-bit hex token stored on your device when you choose "Remember this device" after login. Used by the device-guard system to verify that this device is still trusted on every subsequent visit. The matching record in the server's trusted_devices table expires after 90 days — after which the token is no longer recognised and you will be asked to verify the device again. If the token is revoked early by an administrator (e.g. you report a lost device), the guard detects the mismatch immediately and forces a sign-out. Contains no personal data — just a random hex token. 90 days from the date the device was registered (or until you sign out and clear storage, or the device is revoked earlier) No — sent via explicit JavaScript fetch only during device-guard checks (every 5 seconds while active)
mboard_pwa_authed localStorage PWA returning-user flag. Set to 1 the first time you install M-Board as a PWA app and sign in successfully. Used to direct returning PWA launches straight to the login selector rather than the public landing page. Never cleared — once set it persists permanently for that install. Permanent (until browser storage is cleared) No
pwa_install_dismissed localStorage PWA install banner dismissal timestamp. Set when you dismiss the "Install M-Board App" banner. Prevents the banner from reappearing on every visit after you have explicitly dismissed it. Persistent until browser storage is cleared No
mboard_camera_nudge_shown localStorage Camera permission nudge flag. Set to 1 after the one-time camera permission nudge banner is shown in the PWA. Ensures the nudge is displayed only once and not on every subsequent page load. Persistent until browser storage is cleared No
mboard_draft_<formType>_<uid> localStorage Form draft auto-save. Stores the text you have typed into unsubmitted forms (e.g. proposals, feedback, applications) so you can leave the page and return without losing your work. Each draft is keyed by form type and your user ID. File selections are never saved. Once you submit the form, the corresponding draft key is deleted immediately. Drafts not submitted within 2 days are automatically expired and removed on your next visit. Up to 2 days from last edit, or until the form is submitted — whichever comes first No — your draft stays on your device only; it is sent to the server only when you click Submit
dv_chk_<uid> sessionStorage Device-guard check throttle timestamp. Records the timestamp of the last device-guard verification. The guard runs a check every 5 seconds while you are active on any protected page; this key prevents redundant back-to-back server calls within that interval. Also bypassed immediately on the first page load after a cookie auto-login so the device is re-verified without delay. Cleared automatically when the browser tab or window is closed. Session (cleared on tab/browser close) No
All local storage keys are prefixed or suffixed with your user ID (<uid>) where applicable, so that multiple users on the same browser do not share or overwrite each other's security tokens.
QR login sessions: when you sign in via QR code on another device, the session expiry time, duration, and origin flag are stored as server-side PHP session variables (inside PHPSESSID) — specifically qr_login, qr_login_exp, qr_session_duration, and an internal flag that marks this as a QR-origin session and prevents it from being used to approve further QR logins (chain-session prevention). These are never written to your browser's local storage or as separate cookies. When the QR session expires the server destroys it automatically and the client is redirected to the login page.

QR Login Manager: the Active Devices and Past Sessions tabs in the QR Login Manager fetch live session and audit data from the server on request. No session or audit data is stored in browser cookies, local storage, or session storage — it exists only on the server and is transmitted securely over HTTPS when you view these tabs.
Section 05

Third-Party Cookies

M-Board sets no third-party cookies of any kind. There are no analytics platforms, advertising networks, social media integrations, or external tracking services embedded in this platform.

No third-party cookies are set by M-Board. Your browsing behaviour within this platform is not tracked, profiled, or shared with any external service.

M-Board loads Google Fonts and Font Awesome icon libraries from CDN servers for display purposes. Your browser makes direct HTTP requests to these servers to download the font and icon files. These providers receive your IP address as a normal consequence of the HTTP request — this is standard web behaviour that we cannot control. However, these providers do not set persistent tracking cookies in the context of M-Board, and no account or identity data is transmitted to them.

Section 06

Cookie & Storage Duration Reference

Item Lifetime Cleared by
PHPSESSID Until browser is closed or sign-out Browser close, signing out, session timeout
remember_token 30 days (issued only after device trust is confirmed) Signing out, skipping device trust, admin revocation, expiry, browser cookie clear
dv_token_<uid> 90 days from device registration 90-day server-side expiry, sign-out (explicit), admin device revocation, browser storage clear
mboard_pwa_authed Permanent Browser storage clear only
pwa_install_dismissed Persistent Browser storage clear only
mboard_camera_nudge_shown Persistent Browser storage clear only
mboard_draft_<formType>_<uid> Up to 2 days (or until form is submitted) Form submission (immediate), 2-day expiry, or browser storage clear
dv_chk_<uid> Session Tab or browser close (sessionStorage)
Section 07

Your Control Over Cookies

You have full control over cookies and browser storage through your browser settings. Below is a guide to what happens if you clear or block specific items.

  • Clearing all cookies — you will be signed out immediately. Your account data (profile, votes, messages) is stored on our servers and is unaffected. You will need to sign in again.
  • Clearing local storage — your device token is removed. On your next visit, the device-guard will not find a token and will skip the security check for that session. Your account is unaffected. You may be asked to re-enrol your device depending on your organisation's security settings.
  • Blocking all cookies — M-Board will not function. The PHP session cookie (PHPSESSID) is required to maintain login state. Without it, you cannot stay signed in between page loads.
  • Revoking remember-me — sign in to your account and go to Profile → Device Management. You can revoke individual sessions or all remember-me tokens with one click, without clearing your browser.
  • Deleting saved form drafts — each form that supports draft auto-save has a clear draft button visible while a saved draft is loaded. You can use it to wipe the stored draft for that form without affecting anything else. Alternatively, clearing your browser's local storage removes all drafts at once. Drafts also expire automatically after 2 days if not submitted.
  • PWA local storage — if you uninstall the M-Board PWA, your browser will clear associated local storage automatically on most platforms. You can also clear it manually via your browser's developer tools or storage settings.
Clearing cookies does not delete your account or any data on our servers. All your profile information, participation records, messages, and files remain intact. Cookies and local storage only affect your current device's session state.
Section 08

Policy Changes

This Cookie Policy will be updated whenever new cookies or storage items are added, existing ones are removed, or their purpose changes. The effective date at the top of this page will reflect the most recent update.

Because M-Board is an internal platform used by a known, invited membership, we will notify members of material changes through the platform's notification system rather than relying solely on passive policy publication.

Section 09

Contact & Concerns

If you have a question about this Cookie Policy or want to understand exactly what is stored on your device, please contact the IT department through official association channels.

Cookie & Privacy Enquiries — IT Department

For questions about cookies, local storage, data on our servers, or any privacy concern — please reach out via the official association email. We aim to respond within 7 working days.

admin@madhunandan.org.in
M-Board uses only what it needs — nothing more. This policy is a complete and accurate record of every cookie and storage item placed on your device. If you find something not documented here, please report it to the IT department immediately.