Cookies used in Retail Digital Commerce
Retail Digital Commerce uses a number of cookies for managing the behavior of sites.
This section applies to Open Storefront Framework
(OSF).
This section provides information that may assist you when you
are configuring your cookie control for shopper consent.
It also indicates cookies that should be protected from
deletion by adding them to the necessaryCookies list, as described in Configure consent requests.
FILE_OAUTH_TOKEN
The FILE_OAUTH_TOKEN cookie, which has a life
of 24 hours, stores a token that is needed to access files
using the /files servlet on the administration
server. Note that this cookie is for the administration interface
only and does not contain any personal data. This cookie
can be deleted on the client-side, if necessary. It does
not need to be included in the necessaryCookies list.
JSESSIONID
The JSESSIONID cookie, which expires when the
user’s browsing session ends, helps the server to manage
user sessions. It is a standard Java servlet container
cookie. While not accessible to scripts, this cookie can be deleted
from the client-side. However, the cookie will be re-sent
during the next request from the user.
This cookie tracks each request from the same browser, ensuring
that the same session data is available on the server
side. It does not contain any personal data. You should
include this cookie in the necessaryCookies list
to avoid creating a new session for every request that
comes in.
EETrViID
The EETrViID cookie is sent by the server and
stores the Visitor ID. It does not contain any personal
data. This cookie cannot be deleted, and therefore cannot
be modified by JavaScript in the browser. This cookie does not need
to be added to the necessaryCookies list.
This cookie expires at the end of the session.
oauth_token_secret-storefrontUI
The oauth_token_secret-storefrontUI cookie is
necessary for storefront user interface operations, as
it is used to store the OAuth token of the user that is
logged in and keeps the shopper’s login token active during page reloads
and multiple tab access. This cookie does collect personal
data in the form of the profileId. While the cookie is accessible from scripts, it cannot
be deleted from the client-side. If you delete this cookie, shoppers
may have to log in again after opening new tabs or refreshing
pages. Deleting this cookie would also cause some checkout
payment flows to fail when a shopper gets redirected to an external
payment site like PayPal. When the browser gets returned
to the storefront, the shopper’s authentication state
is lost and the checkout process cannot proceed. You should
add this cookie to the necessaryCookies list. This
cookie expires at the end of the session.
oauth_token_secret-adminUI
Contains the OAuth token for a logged-in administration interface user. Expires after 15 minutes.
OAUTH_TOKEN_STORE
Contains the OAuth token for a logged-in shopper. Expires after 15 minutes.
OAUTH_TOKEN_PREVIEW
Contains the OAuth token for a logged-in preview user. Expires after 15 minutes.
OAUTH_TOKEN_AGENT
Contains the OAuth token for a logged-in user. Expires after 15 minutes.
OAUTH_TOKEN_REFRESH_ADMIN
Contains the OpenId Connect refresh token for a logged-in administration interface user. Expires after 15 minutes.
OAUTH_TOKEN_REFRESH_AGENT
Contains the OpenId Connect refresh token for a logged-in user. Expires after 15 minutes.
route cookies for Retail Digital Commerce services
The following table lists the cookies created for various Retail Digital Commerce services. Each cookie contains a randomly generated key corresponding to the server used for the request.
| Cookie name | Service | Lifespan |
|---|---|---|
sseroute |
Server-Side Extensions (SSEs) | Expires end of session |
visitroute |
Visitor Service | Expires end of session |
ccadminroute |
Commerce Administration | Expires end of session |
ccstoreroute |
Commerce Storefront | Expires end of session |
socialprovroute |
Social Provisioning Service | Expires end of session |
experimentsroute |
Experiments | Expires end of session |
osfliveuiroute |
OSF Live | Expires end of session |
osfpreviewuiroute |
OSF Preview | Expires end of session |
prerenderroute |
Prerender | Expires end of session |
xd[tenantID]_[siteID]
These cookies are generated by Visitor ID services and track visitor
IDs. These cookies expire on 01/01/2038. They should be
added to the necessaryCookies list
as they do not collect personal data. Note that the _[siteID] is only added to the cookie name if your environment
supports multiple sites. You should know your own tenant
ID and site ID.
For example: xdtp6a0c0_siteUS, where
xdtp6a0c0 is the tenant ID and _siteUS is the site ID.
xv[tenantID]_[siteID]
These cookies are generated by Visitor ID services and track visit
IDs. These cookies expire at the end of the session. Note
that the _[siteID] is only added to the
cookie name if your environment supports multiple sites.
xs[tenantID]_[cartSharingGroupId]
These cookies are used to find the current incomplete order for an anonymous shopper when the current site is in a cart sharing group. They do not collect personal data. These cookies expire on 01/01/2038.
xm[tenantID]_[siteID]
These cookies are sent only if the Maxymiser integration is enabled.
They are generated by Retail Digital Commerce server-side
code and used to store the latest visitor state received
as part of the response from Maxymiser. They expire after 13 months.
They should be added to the necessaryCookies list as they do not collect personal data. Note that
the _[siteID] is only added to the cookie name
if your environment supports multiple sites. For example:
xmpz61a0c0_siteUS.
SOFT_LOGIN
The SOFT_LOGIN cookie, which has a life of 13
months, contains a cryptographically secure version of
the expiration timestamp and the user’s
profile ID. If the shopper does not provide consent, the soft login
cookie is not added to their browser, and soft login will
not occur. This cookie does collect personal data, and
therefore should not be included in the necessaryCookies list. If you delete this cookie, the soft login capability
will not function. For information on soft login, refer to Configure the logged-in shopper session. For
information on disabling the soft login feature, see Disable soft login.
storePriceListGroupId
The storePriceListGroupId cookie contains the
ID of the price list group for the shopper. It’s set to Secure and HttpOnly, so
it is not visible to JavaScript code. It expires at the
end of the session.
occsRecSessionId and occsRecVisitorId
The occsRecVisitorId cookie contains the visitor
ID used by the Recommendations service. (This ID may differ
from other visitor IDs associated with the shopper.) The occsRecSessionId cookie contains a routing token used
to direct requests to the correct back-end servers. These
cookies do not collect personal data. You must add these
cookies to the necessaryCookies list.
In Open Storefront Framework (OSF), the tracking state is not persisted on the browser. If a user logs in, the values are retrieved from the server.
ak_bmsc and bm_sv
These cookies are used for caching and are required for sites to
function properly. They should be added to the necessaryCookies list.