It seems to be that like (as I understand it) the disability act, nothing will be done unless people make a complaint, but what will happen then......who knows

It seems it's more specific than that - the legislation exemption reads

"where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user."

and it's this definition of an "information society service" that is critical - as I understand it, this doesn't cover stuff like logins, only commercial transactions - from the UK ICO's advice:-

"The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.
This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website."

potentially this could, possibly, cover a login cookie, but only if you do nothing else - don't store profile preferences, etc, which DNN certainly does.  As I understand it this is to allow exemption of cookies solely for shopping backets and the purchasing of services, etc and not much else.

From the Council Of Europe site
http://conventions.coe.int/Treaty/en/Reports/Html/180.htm
an "information society service" seems to be defined thus:-
"1. In accordance with Article 1 the aim of this Convention is to set up a legal information and co-operation system in the area of new communication services following the example of Directive 98/48/EC. These new services, called "Information Society Services" are in fact activities of an interactive nature provided on-line (1) which have an economic value."
so a DNN login really doesn't appear to be covered under this exemption.

Yes, but it's still accessing that data via a cookie (you could say that all the malicious tracking cookies don't directly store the data themselves, merely pointers to that data) so it still applies.  If not then this would be such an easy way around the law.
You could say that argument applies to storing the data in a server side session object - the cookie isn't directly storing the data, it's merely being used as a pointer to a lump of information stored in memory on the server.