You can configure many aspects of whether and how the Personalization module sends profile cookies using the CookieManager component (/atg/userprofiling/CookieManager). The CookieManager has the following properties:
sendProfileCookies
Set to true to send a profile cookie including the user ID. See Auto-Login with Cookies. (Default false)
profileCookieDomain
If present, this defines the value of the domain field that is sent for profile cookies. (Default null)
profileCookieComment
Comment of the cookie used to carry the user ID, if cookies are in use. (Default null)
profileCookieMaxAge
If present, this defines the value of the maximum age of the cookie, in seconds. A value of -1 indicates that there is no maximum age, making cookies non-persistent. (Default -1)
profileCookiePath
If present, this defines the value of the path field that will be sent for profile cookies. (Default /)
profileCookieSecure
If true, cookies will include the secure field, which indicates to the browser that cookies should only be sent using a secure protocol, such as HTTPS or SSL. (Default false.) Note that, depending on the browser, this setting could prevent visitors from using the auto-login feature to access the site.
cookieHashKey
Sets a secret key that the Personalization module uses to hash the user ID cookie. This behavior makes user cookies more secure and prevents users from using another user’s profile by changing their cookie. Invalid profile cookies are ignored. You may want to change this from the default value, so that your site’s cookies will be hashed with a different key from that used by other sites that run ATG products.
Using Persistent Cookies
By default, the cookies that the Personalization module sends are temporary; they expire when the user exits the browser. To enable auto-login or persistent anonymous profiles, you must configure the /atg/userprofiling/CookieManager component to use persistent cookies.
The profileCookieMaxAge property of the CookieManager component controls cookie persistence. This property sets the number of seconds from the time the profile cookie is sent until it expires. If you set the property to -1 (the default), cookies are not persistent.
For example, suppose you enable auto-login, but you want the user to log in manually after a week. You would set profileCookieMaxAge to the number of seconds in a week:
profileCookieMaxAge=604800
Securing Cookies
To make user cookies more secure and prevent site visitors from changing their cookies (which could allow them to use someone else’s profile), the Personalization module can validate the visitor’s profile ID cookie against a confirmation cookie that it sends alongside it.
If you choose to send profile cookies (by setting sendProfileCookies to true), the Personalization module automatically sends two cookies, DYN_USER_ID and DYN_USER_CONFIRM. The DYN_USER_CONFIRM cookie is a hash of the user ID cookie. If the hashed DYN_USER_CONFIRM cookie does not match the user ID cookie, the Personalization module ignores the cookies and creates a new profile.
To change the secret key that the Personalization module uses to hash the user ID cookie, edit the following property of /atg/userprofiling/CookieManager:
cookieHashKey=
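The following is an added illustration, not ATG code, of how the DYN_USER_ID / DYN_USER_CONFIRM pair and the persistence and secure settings described above fit together. It assumes HMAC-SHA256 as the keyed hash and a constructed placeholder key; the actual algorithm the Personalization module uses is not stated on this page.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed settings mirroring the CookieManager properties on this page.
SETTINGS = {
    "cookieHashKey": "example-site-secret",  # placeholder, not a real key
    "profileCookieMaxAge": -1,               # -1 = session cookie, not persistent
    "profileCookiePath": "/",
    "profileCookieDomain": None,
    "profileCookieSecure": False,
}

def confirm_value(user_id, key):
    """Keyed hash of the user ID (HMAC-SHA256 is this example's assumption)."""
    return hmac.new(key.encode(), user_id.encode(), hashlib.sha256).hexdigest()

def build_profile_cookies(user_id, settings):
    """Return Set-Cookie values for DYN_USER_ID and DYN_USER_CONFIRM."""
    values = {
        "DYN_USER_ID": user_id,
        "DYN_USER_CONFIRM": confirm_value(user_id, settings["cookieHashKey"]),
    }
    headers = []
    for name, value in values.items():
        c = SimpleCookie()
        c[name] = value
        c[name]["path"] = settings["profileCookiePath"]
        if settings["profileCookieDomain"]:
            c[name]["domain"] = settings["profileCookieDomain"]
        if settings["profileCookieMaxAge"] != -1:   # no Max-Age: expires with the browser
            c[name]["max-age"] = settings["profileCookieMaxAge"]
        if settings["profileCookieSecure"]:
            c[name]["secure"] = True
        headers.append(c.output(header="").strip())
    return headers

def validate_profile_cookies(cookie_header, settings):
    """Return the user ID if the confirm cookie matches; None means ignore and create a new profile."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "DYN_USER_ID" not in c or "DYN_USER_CONFIRM" not in c:
        return None
    user_id = c["DYN_USER_ID"].value
    expected = confirm_value(user_id, settings["cookieHashKey"])
    if not hmac.compare_digest(expected, c["DYN_USER_CONFIRM"].value):
        return None
    return user_id
```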

