Looking through all the documentation I've found (including that provided by the UK's ICO) I cannot find anywhere that states that session cookies are exempt.  To quote the ICO document (which, I believe, is quoting the EU directive):-

"6 (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment--
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
“(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user"

a session cookie is still stored on and accessed from the computer, even if only on a temporary basis so I can see no reason why it should be exempt - indeed, if session cookies were exempt I could see someone getting clever and bypassing the law, somehow, with session cookies.  However there may be some sort of exemption under 4b if they are purely used to log a user into a site.  The real killer is if you use the google analytics module in conjuction with these as this is now tracking activity rather than just enabling a logged in session.

Looking on the ICO website there is an e-mail address where you can query legislation so I have sent a query regarding the status of session cookies and also, if they are exempt, whether they remain exempt if you then use them for more than just "user is logged in" purposes - e.g. for storing preferences on the server side session object, etc.  I will report back when/if I hear more.

Looking at my cookies from this site there do seem to be persistent (albeit with expiry dates) cookies set, such as "portalroles" and "portalaliasid" and these would be covered, even if they were already set before the law came in (obviously, unless otherwise exempt, but I can't see why these would be exempt) so it looks like DNN needs to comply if it is to be usable in the EU, unless there is this unlikely exemption of session cookies and you can configure DNN to only use session cookies (can you do this?).  From the compliance side, the ICO site does say that it will (I'm guessing, unless people are being really abusing cookie usage) give companies a year to comply, so there should be sufficient time to add this facility.