Cookies used in Oracle Commerce

Oracle Commerce uses a number of cookies for managing the behavior of sites.

This section applies to Open Storefront Framework (OSF) and Storefront Classic.

This section provides information that may assist you when you are configuring your cookie control for shopper consent. It also indicates cookies that should be protected from deletion by adding them to the necessaryCookies list, as described in Configure consent requests.

FILE_OAUTH_TOKEN

The FILE_OAUTH_TOKEN cookie, which has a life of 24 hours, stores a token that is needed to access files using the /files servlet on the administration server. Note that this cookie is for the administration interface only and does not contain any personal data. This cookie can be deleted on the client-side, if necessary. It does not need to be included in the necessaryCookies list.

JSESSIONID

The JSESSIONID cookie, which expires when the user’s browsing session ends, helps the server to manage user sessions. It is a standard Java servlet container cookie. While not accessible to scripts, this cookie can be deleted from the client-side. However, the cookie will be re-sent during the next request from the user.

This cookie tracks each request from the same browser, ensuring that the same session data is available on the server side. It does not contain any personal data. You should include this cookie in the necessaryCookies list to avoid creating a new session for every request that comes in.

EETrViID

The EETrViID cookie is sent by the server and stores the Visitor ID. It does not contain any personal data. This cookie cannot be deleted, and therefore cannot be modified by JavaScript in the browser. This cookie does not need to be added to the necessaryCookies list. This cookie expires at the end of the session.

oauth_token_secret-storefrontUI

The oauth_token_secret-storefrontUI cookie is necessary for storefront user interface operations, as it is used to store the OAuth token of the user that is logged in and keeps the shopper’s login token active during page reloads and multiple tab access. This cookie does collect personal data in the form of the profileId. While the cookie is accessible from scripts, it cannot be deleted from the client-side. If you delete this cookie, shoppers may have to log in again after opening new tabs or refreshing pages. Deleting this cookie would also cause some checkout payment flows to fail when a shopper gets redirected to an external payment site like PayPal. When the browser gets returned to the storefront, the shopper’s authentication state is lost and the checkout process cannot proceed. You should add this cookie to the necessaryCookies list. This cookie expires at the end of the session.

oauth_token_secret-adminUI

Contains the OAuth token for a logged-in administration interface user. Expires after 15 minutes.

OAUTH_TOKEN_STORE

Contains the OAuth token for a logged-in shopper. Expires after 15 minutes.

OAUTH_TOKEN_PREVIEW

Contains the OAuth token for a logged-in preview user. Expires after 15 minutes.

OAUTH_TOKEN_AGENT

Contains the OAuth token for a logged-in user of the Agent Console. Expires after 15 minutes.

OAUTH_TOKEN_REFRESH_ADMIN

Contains the OpenID Connect refresh token for a logged-in administration interface user. Expires after 15 minutes.

OAUTH_TOKEN_REFRESH_AGENT

Contains the OpenID Connect refresh token for a logged-in Agent Console user. Expires after 15 minutes.

route cookies for Commerce services

The following table lists the cookies created for various Commerce services. Each cookie contains a randomly generated key corresponding to the server used for the request.

| Cookie name | Service | Lifespan |
|---|---|---|
| sseroute | Server-Side Extensions (SSEs) | Expires end of session |
| visitroute | Visitor Service | Expires end of session |
| ccadminroute | Commerce Administration | Expires end of session |
| ccstoreroute | Commerce Storefront | Expires end of session |
| socialprovroute | Social Provisioning Service | Expires end of session |
| experimentsroute | Experiments | Expires end of session |
| osfliveuiroute | OSF Live | Expires end of session |
| osfpreviewuiroute | OSF Preview | Expires end of session |
| prerenderroute | Prerender | Expires end of session |

xd[tenantID]_[siteID]

These cookies are generated by Visitor ID services and track visitor IDs. These cookies expire on 01/01/2038. They should be added to the necessaryCookies list as they do not collect personal data. Note that the _[siteID] is only added to the cookie name if your environment supports multiple sites. You should know your own tenant ID and site ID.

For example: xdtp6a0c0_siteUS, where xdtp6a0c0 is the tenant ID and _siteUS is the site ID.

xv[tenantID]_[siteID]

These cookies are generated by Visitor ID services and track visit IDs. These cookies expire at the end of the session. Note that the _[siteID] is only added to the cookie name if your environment supports multiple sites.

xs[tenantID]_[cartSharingGroupId]

These cookies are used to find the current incomplete order for an anonymous shopper when the current site is in a cart sharing group. They do not collect personal data. These cookies expire on 01/01/2038.

xm[tenantID]_[siteID]

These cookies are sent only if the Maxymiser integration is enabled. They are generated by Commerce server-side code and used to store the latest visitor state received as part of the response from Maxymiser. They expire after 13 months. They should be added to the necessaryCookies list as they do not collect personal data. Note that the _[siteID] is only added to the cookie name if your environment supports multiple sites. For example: xmpz61a0c0_siteUS.

SOFT_LOGIN

The SOFT_LOGIN cookie, which has a life of 13 months, contains a cryptographically secure version of the expiration timestamp and the user’s profile ID. If the shopper does not provide consent, the soft login cookie is not added to their browser, and soft login will not occur. This cookie does collect personal data, and therefore should not be included in the necessaryCookies list. If you delete this cookie, the soft login capability will not function. For information on soft login, refer to Configure the logged-in shopper session. For information on disabling the soft login feature, see Disable soft login.

storePriceListGroupId

The storePriceListGroupId cookie contains the ID of the price list group for the shopper. It’s set to Secure and HttpOnly, so it is not visible to JavaScript code. It expires at the end of the session.

occsRecSessionId and occsRecVisitorId

The occsRecVisitorId cookie contains the visitor ID used by the Recommendations service. (This ID may differ from other visitor IDs associated with the shopper.) The occsRecSessionId cookie contains a routing token used to direct requests to the correct back-end servers. These cookies do not collect personal data. You must add these cookies to the necessaryCookies list.

In Storefront Classic, if GDPR cookie consent has been granted, the values are stored as follows:
  • If local storage is supported, the values are stored there.
  • If local storage is not supported, but cookies are, the values are stored as cookies with a life of 1 year.
  • If local storage and cookies are not supported, the values are saved in memory as JavaScript variables.

If cookie consent has not been granted, the values are stored in non-persistent session storage.

In Open Storefront Framework (OSF), the tracking state is not persisted on the browser. If a user logs in, the values are retrieved from the server.

ak_bmsc and bm_sv

These cookies are used for caching and are required for sites to function properly. They should be added to the necessaryCookies list.
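
As an added example (not Oracle's code), the following Node.js script applies this page's guidance to captured Set-Cookie headers: it builds a candidate necessaryCookies list, flags cookies the page says to keep off it, and reports attributes that differ from what the page documents. The tenant ID ten01, the sample headers, and the function names are assumptions; the page does not show the storage format of the necessaryCookies list, so the result is a plain array of names.

```javascript
// Added example. Rules transcribed from the page; `list` is its necessaryCookies
// guidance: 'add', 'optional' (need not be listed), 'exclude', or 'unspecified'.
const rules = (tenant) => [ // tenant ID is assumed to be alphanumeric
  { re: /^JSESSIONID$/, list: 'add', httpOnly: true, session: true },
  { re: /^oauth_token_secret-storefrontUI$/, list: 'add', session: true },
  { re: /^(occsRecSessionId|occsRecVisitorId|ak_bmsc|bm_sv)$/, list: 'add' },
  { re: new RegExp(`^x[dm]${tenant}(_.+)?$`), list: 'add' },
  { re: /^SOFT_LOGIN$/, list: 'exclude' }, // collects personal data
  { re: /^FILE_OAUTH_TOKEN$/, list: 'optional' },
  { re: /^EETrViID$/, list: 'optional', session: true },
  { re: /^storePriceListGroupId$/, list: 'unspecified', httpOnly: true, secure: true, session: true },
  { re: new RegExp(`^xv${tenant}(_.+)?$`), list: 'unspecified', session: true },
  { re: /^(sse|visit|ccadmin|ccstore|socialprov|experiments|osfliveui|osfpreviewui|prerender)route$/,
    list: 'unspecified', session: true },
];

// Split one Set-Cookie header value into its name and the attributes checked here.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.slice(0, pair.indexOf('=')), httpOnly: flags.has('httponly'),
    secure: flags.has('secure'), session: !flags.has('expires') && !flags.has('max-age') };
}

function audit(lines, tenant) {
  const out = { necessaryCookies: [], exclude: [], unknown: [], mismatches: [] };
  for (const c of lines.map(parseSetCookie)) {
    const r = rules(tenant).find((x) => x.re.test(c.name));
    if (!r) { out.unknown.push(c.name); continue; } // not described on this page
    if (r.list === 'add') out.necessaryCookies.push(c.name);
    if (r.list === 'exclude') out.exclude.push(c.name);
    for (const k of ['httpOnly', 'secure', 'session']) {
      if (k in r && c[k] !== r[k]) out.mismatches.push(`${c.name}: expected ${k}=${r[k]}`);
    }
  }
  return out;
}

// Constructed sample headers; the tenant ID "ten01" and all values are made up.
const sample = [
  'JSESSIONID=abc; Path=/; Secure; HttpOnly',
  'storePriceListGroupId=plg1; Path=/; Secure', // HttpOnly missing
  'xdten01_siteUS=v1; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/',
  'SOFT_LOGIN=opaque; Max-Age=34128000; Path=/; Secure; HttpOnly',
  'ccstoreroute=k1; Path=/',
  '_ga=GA1.2.3; Max-Age=63072000',
];
console.log(audit(sample, 'ten01'));
```

Cookies reported under `unknown` are not described on this page and need their own consent classification.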