Cookies used in Oracle Commerce
Oracle Commerce uses a number of cookies for managing the behavior of sites.
This section applies to Open Storefront Framework (OSF) and Storefront Classic.
This section provides information that may assist you when you are
configuring your cookie control for shopper consent. It also indicates cookies that
should be protected from deletion by adding them to the
necessaryCookies
list, as described in Configure consent requests.
FILE_OAUTH_TOKEN
The FILE_OAUTH_TOKEN
cookie, which has a life of 24 hours,
stores a token that is needed to access files using the /files
servlet
on the administration server. Note that this cookie is for the administration interface
only and does not contain any personal data. This cookie can be deleted on the
client-side, if necessary. It does not need to be included in the
necessaryCookies
list.
JSESSIONID
The JSESSIONID
cookie, which expires when the user’s
browsing session ends, helps the server to manage user sessions. It is a standard Java
servlet container cookie. While not accessible to scripts, this cookie can be deleted
from the client-side. However, the cookie will be re-sent during the next request from
the user.
This cookie tracks each request from the same browser, ensuring that the same
session data is available on the server side. It does not contain any personal data. You
should include this cookie in the necessaryCookies
list to avoid
creating a new session for every request that comes in.
EETrViID
The EETrViID
cookie is sent by the server and stores the
Visitor ID. It does not contain any personal data. This cookie cannot be deleted, and
therefore cannot be modified by JavaScript in the browser. This cookie does not need to
be added to the necessaryCookies
list. This cookie expires at the end
of the session.
oauth_token_secret-storefrontUI
The oauth_token_secret-storefrontUI
cookie is necessary for
storefront user interface operations, as it is used to store the OAuth token of the user
that is logged in and keeps the shopper’s login token active during page reloads and
multiple tab access. This cookie does collect personal data in the form of the
profileId
. While the cookie is accessible from scripts, it cannot
be deleted from the client-side. If you delete this cookie, shoppers may have to log in
again after opening new tabs or refreshing pages. Deleting this cookie would also cause
some checkout payment flows to fail when a shopper gets redirected to an external
payment site like PayPal. When the browser gets returned to the storefront, the
shopper’s authentication state is lost and the checkout process cannot proceed. You
should add this cookie to the necessaryCookies
list. This cookie
expires at the end of the session.
oauth_token_secret-adminUI
Contains the OAuth token for a logged-in administration interface user. Expires after 15 minutes.
OAUTH_TOKEN_STORE
Contains the OAuth token for a logged-in shopper. Expires after 15 minutes.
OAUTH_TOKEN_PREVIEW
Contains the OAuth token for a logged-in preview user. Expires after 15 minutes.
OAUTH_TOKEN_AGENT
Contains the OAuth token for a logged-in user of the Agent Console. Expires after 15 minutes.
OAUTH_TOKEN_REFRESH_ADMIN
Contains the OpenId Connect refresh token for a logged-in administration interface user. Expires after 15 minutes.
OAUTH_TOKEN_REFRESH_AGENT
Contains the OpenId Connect refresh token for a logged-in Agent Console user. Expires after 15 minutes.
route
cookies for Commerce services
The following table lists the cookies created for various Commerce services. Each cookie contains a randomly generated key corresponding to the server used for the request.
Cookie name | Service | Lifespan |
---|---|---|
sseroute |
Server-Side Extensions (SSEs) | Expires end of session |
visitroute |
Visitor Service | Expires end of session |
ccadminroute |
Commerce Administration | Expires end of session |
ccstoreroute |
Commerce Storefront | Expires end of session |
socialprovroute |
Social Provisioning Service | Expires end of session |
experimentsroute |
Experiments | Expires end of session |
osfliveuiroute |
OSF Live | Expires end of session |
osfpreviewuiroute |
OSF Preview | Expires end of session |
prerenderroute |
Prerender | Expires end of session |
xd[tenantID]_[siteID]
These cookies are generated by Visitor ID services and track visitor IDs.
These cookies expire on 01/01/2038. They should be added to the
necessaryCookies
list as they do not collect personal data. Note
that the _[siteID]
is only added to the cookie name if your environment
supports multiple sites. You should know your own tenant ID and site ID.
For example: xdtp6a0c0_siteUS
, where
xdtp6a0c0
is the tenant ID and _siteUS
is the site
ID.
xv[tenantID]_[siteID]
These cookies are generated by Visitor ID services and track visit IDs.
These cookies expire at the end of the session. Note that the _[siteID]
is only added to the cookie name if your environment supports multiple sites.
xs[tenantID]_[cartSharingGroupId]
These cookies are used to find the current incomplete order for an anonymous shopper when the current site is in a cart sharing group. They do not collect personal data. These cookies expire on 01/01/2038.
xm[tenantID]_[siteID]
These cookies are sent only if the Maxymiser integration is enabled. They
are generated by Commerce server-side code and used to store the latest visitor state
received as part of the response from Maxymiser. They expire after 13 months. They
should be added to the necessaryCookies
list as they do not collect
personal data. Note that the _[siteID]
is only added to the cookie name
if your environment supports multiple sites. For example:
xmpz61a0c0_siteUS
.
SOFT_LOGIN
The SOFT_LOGIN
cookie, which has a life of 13 months,
contains a cryptographically secure version of the expiration timestamp
and the user’s profile ID. If the shopper does not provide consent, the soft login
cookie is not added to their browser, and soft login will not occur. This cookie does
collect personal data, and therefore should not be included in the
necessaryCookies
list. If you delete this cookie, the soft login
capability will not function. For information on soft login, refer to Configure the logged-in shopper session. For
information on disabling the soft login feature, see Disable soft login.
storePriceListGroupId
The storePriceListGroupId
cookie contains the ID of the
price list group for the shopper. It’s set to Secure
and
HttpOnly
, so it is not visible to JavaScript code. It expires at
the end of the session.
occsRecSessionId
and
occsRecVisitorId
The occsRecVisitorId
cookie contains the visitor ID used by
the Recommendations service. (This ID may differ from other visitor IDs associated with
the shopper.) The occsRecSessionId
cookie contains a routing token used
to direct requests to the correct back-end servers. These cookies do not collect
personal data. You must add these cookies to the necessaryCookies
list.
- If local storage is supported, the values are stored there.
- If local storage is not supported, but cookies are, the values are stored as cookies with a life of 1 year.
- If local storage and cookies are not supported, the values are saved in memory as JavaScript variables.
If cookie consent has not been granted, the values are stored in non-persistent session storage.
In Open Storefront Framework (OSF), the tracking state is not persisted on the browser. If a user logs in, the values are retrieved from the server.
ak_bmsc
and bm_sv
These cookies are used for caching and are required for sites to function
properly. They should be added to the necessaryCookies
list.