It is not possible to log in to the admin of Joomla if you do not have cookies enabled in your browser.
That is fine.
The problem is that if you do not have cookies enabled and try to log in, nothing happens. The only clue that there is a problem is that you have a browser-generated icon in the URL bar.
Obviously it would be much better if there was a check that cookies were enabled. From what I can tell we do have a check in the installer for this, so maybe someone can use that as an example to improve the admin login experience.
Labels | Added: ? |
OK - thanks for the detailed explanation why my suggested code was poop.
I don't care how it's done but we should do something
Status | New | ⇒ | Discussion |
Labels | Added: J4 Issue |
I don't care how it's done but we should do something
Realistically, you can kind of use that same check in the LanguageController if you pop off AJAX tasks on page load once the admin login screen or the install app is loaded, and maybe the frontend com_users login view (but not the module IMO, that would force an AJAX request on every page the module renders on). Since the only way isNew() should return true in that context is if those AJAX paths are directly accessed, the check would be a step up over what's there now (do nothing), but I don't know if you could rely on that as a 100% foolproof thing.
So you're on the right track, but to me that seems a bit flaky at best.
Status | Discussion | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-09-06 13:37:18 |
Closed_By | ⇒ | brianteeman |
isNew() only checks if the session is brand new (basically you're still in the same request that creates the session and nothing got tricky and did a $session->close() then $session->start() in the request). It works in that context because it is the first AJAX step in the install chain so by the time you trigger the action you should have a session already going, and if you don't have one that was started before that request then you've probably directly requested that specific task without going through the app properly (if the controllers did proper request method checks, then that controller should be checking it's not a GET request before checking anything about the session, and you could probably avoid the flaky session check altogether without a properly dedicated task).
AFAIK, the only way to actually check if cookies are enabled is to basically try writing one (which creating a session will do by default), do a redirect to something, and check if the cookie you just wrote exists. You can't really pull that off well in the install or admin apps with an overly generic check like the one in the controller you highlighted.
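The write, redirect, check sequence described in the last comment, as an added example in plain PHP (not Joomla's code and not code from this thread). The cookie name, query flag, function name and sample path are hypothetical.

```php
<?php
// Added example: plain PHP, no Joomla APIs. All names below are hypothetical.
const PROBE_COOKIE = 'cookie_probe'; // throwaway cookie written on the first request
const PROBE_PARAM  = 'cookie_check'; // query flag that marks the post-redirect request

/**
 * Decide the next step from the cookies and query string of one request.
 * 'probe'   = first visit: write the cookie and redirect to 'location'
 * 'ok'      = the cookie came back, so the browser stores cookies
 * 'blocked' = we already redirected once and the cookie is still missing
 */
function cookieProbeStep(array $cookies, array $query, string $path): array
{
    if (isset($cookies[PROBE_COOKIE])) {
        return ['action' => 'ok', 'location' => null];
    }
    if (isset($query[PROBE_PARAM])) {
        // Without this flag a cookie-less browser would be redirected forever.
        return ['action' => 'blocked', 'location' => null];
    }
    return ['action' => 'probe', 'location' => $path . '?' . PROBE_PARAM . '=1'];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests: first visit, redirect without cookie, redirect with cookie.
    $samples = [[[], []], [[], [PROBE_PARAM => '1']], [[PROBE_COOKIE => '1'], [PROBE_PARAM => '1']]];
    foreach ($samples as [$cookies, $query]) {
        echo cookieProbeStep($cookies, $query, '/administrator/index.php')['action'], PHP_EOL;
    }
    exit(0);
}

// Web request: SCRIPT_NAME is set by the server, so the redirect target is not taken from user input.
$step = cookieProbeStep($_COOKIE, $_GET, $_SERVER['SCRIPT_NAME']);
if ($step['action'] === 'probe') {
    setcookie(PROBE_COOKIE, '1', ['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    header('Location: ' . $step['location'], true, 302);
    exit;
}
if ($step['action'] === 'blocked') {
    echo 'Your browser is not accepting cookies; the login session cannot be kept without them.';
    exit;
}
echo 'Cookies are enabled; render the login form here.';
```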