European Union Data Protection Directive and WebSphere Commerce cookies

The European Union Data Protection Directive specifies that cookies that are strictly necessary for the delivery of a service requested by the user the consent of the user is not needed. For cookies that are not necessary for the deliver of a service requested by the user, the user must give consent before the cookies or any other form of data is stored in their browser. In WebSphere Commerce, session management cookies are necessary to deliver services requested by the user.

Persistent cookies are optional: they are used for marketing (based on personalization ID), and for Remember-Me functionality. To get consent for optional cookies, you might present the shopper with a JavaScript message when they first access the site, similar to the following: By continuing to use this site, you consent to the use of cookies on your device as described by our cookie policy (unless you have disabled cookies). You can change your cookie settings at any time. However, some parts of the site will not function correctly without cookies.

WebSphere Commerce session cookies

The following table lists WebSphere Commerce session cookies. All of these cookies are considered essential for the operation of WebSphere Commerce. You cannot disable these cookies. Session cookies are not persistent.

WebSphere Commerce session cookies
Cookie name	Description
_AN_CGID_COOKIE	Stores the categories visited by a user, which is later used by the following Analytics tags: Product tag, Cart tag, and Order tag.
REFERRER	The value of `referer` in the HTTP header.
WC_ACTIVEPOINTER non-secured session cookie	This cookie contains the value of the store ID of the session. This value is used to select the store to run the command, if one is not specified on the URL. Value: langId \| storeId Example: `%2d1%2c10601`
SESSION_COOKIEACCEPT	Checks whether the client browser accepts cookies.
WC_AUTHENTICATION_`ID` secured session cookie	WebSphere Commerce uses a secure authentication cookie to manage authentication data. An authentication cookie flows only over SSL. For increased security, it has a timestamp with a signature. This cookie is used to authenticate the user over SSL-connections. Value: userId \| hashed by using SHA-1(sessionKey\| userId \| timestamp) sessionKey is the key that is used to encrypt session-related data Example: `3002%2cy77JGV%2btHlOwnIITNCn%2f%2fiaH2ns%3d`
WC_GENERIC_ACTIVITYDATA non-secured session cookie	This cookie exists only if it is a generic user (`-1002`) session. This cookie stores the session values such as store ID, language ID, and contracts. Value: activityToken \| storeId \| business context values Example: [45123%3atrue%3afalse%3a0%3a4nhN%2fXerGUj5KgGYOnRBVcizyMw%3d][com.ibm.commerce.context.audit.AuditContext\|1328734351734%2d2][com.ibm.commerce.store.facade.server.context.StoreGeoCodeContext\|null%26null%26null%26null%26null%26null][CTXSETNAME\|Store][com.ibm.commerce.context.globalization.GlobalizationContext\|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.catalog.businesscontext.CatalogContext\|null%26null%26false%26false%26false][com.ibm.commerce.context.base.BaseContext\|10601%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.context.experiment.ExperimentContext\|null][com.ibm.commerce.context.entitlement.EntitlementContext\|10503%2610503%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.giftcenter.context.GiftCenterContext\|null%26null%26null]
WC_SESSION_ESTABLISHED non-secured session cookie	This cookie is created on the first request that is processed by WebSphere Commerce run time. For example, a non-cache request. For more information, see Dynamic caching considerations for persistent session. Value: true
WC_USERACTIVITY_`ID` non-secured session cookie	This cookie is a user session cookie that flows between the browser and server over both SSL or non-SSL connection. It is used for user identification over non-SSL connections. It contains user session values such as the session login time, and session identifier information such as the user ID and store ID. Value: cookieValue \| encrypted using 3DES (activityToken \| cookieValue) Where cookie value is: userId \| storeId \| passwordInvalidationFlag \| attemptedPasswordProtectedCommands \| logonTime \| expiryTime \| expiredUserId \| preExpiryURL \| forUserId \| activeOrgId \| Example: `%2d1002%2c10601%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2csExMBJjdNXecuyL5l71eSlqxmVWzSMmWp%2fdGhAV5JRJd5QHFxL%2f9jNLYYeKI1YtswEqhrSwXXhlp%0d%0aLOcvGb1IzzsfEA0y%2bPirawTDQ6rUaXcsnDRnR0GNayuSSrKf4p%2fEdxvj1CkiM8E%3d`
LTPA2 cookie WebSphere Application Server cookie	This cookie is used when WebSphere Commerce enabled for single sign-on with other WebSphere applications information center.
WC_EdgeCacheComponent_`storeId`	Used for Edge Caching.
WC_identitySignature	Management Center session cookie.
fulfillmentCenterId	Fulfillment center selected in Accelerator.
LtpaToken2	WebSphere Application Server LTPA token used for single sign on.

Note:

All session cookies, except for WC_SESSION_ESTABLISHED, can be used in the Management Center preview environment. In the preview environment, the session cookie name is prefixed with WCP_. The cookies support sessions and users in the preview environment.
The value of session cookies is encrypted by using the session encryption key. For more information, see Changing the session encryption key.

WebSphere Commerce persistent cookie

The only persistent cookie used in WebSphere Commerce is WC_PERSISTENT. However, WCP_PERSISTENT exists for the Preview environment. This cookie, disabled by default, is used in the Remember me functionality and all marketing functions that rely on the personalization ID. For information, see Personalization ID. You can configure persistent sessions at a site, store, or individual customer level. You can set the time that the cookie persists for, see Changing session management settings in the WebSphere Commerce configuration file (wc-server.xml).

Aurora starter store cookies

The following table lists Aurora starter store cookies.

Aurora starter store cookies
Cookie name	Description
analyticsFacetAttributes	The list of facets that the customer clicked, making this data available to the analytics tags in those pages. The cookie is continually updated until the customer starts a new search or starts a new session.
analyticsPreCategoryAttributes	Pre-category attributes used for Analytics.
analyticsSearchTerm	Search terms used for Analytics.
CompareItems_storeId	Catalog Entry IDs that are being compared.
priceMode	Display mode for showing prices in the storefront.
searchTermHistory	The history of terms searched.
`signon_warning_cookie`	Error key that is used to retrieve error messages.
WC_CartOrderId_`storeId`	Active Order Id for the store.
WC_CartTotal_`orderId`	Subtotal of order items (before tax and shipping), number of items, language, currency.
WC_DeleteCartCookie_`storeId`	Cookie to force refresh of other Mini Shopping Cart cookies.
WC_physicalStores	Physical stores that customer selects.
WC_pickUpStore	Pick-up store ID that customer selects.
WC_recurringOrder_`orderId`	Recurring order ID.
WC_ScheduleOrder_`orderId`_interval	Scheduled orders interval.
WC_shipTypeValue	Shipping type value: single or multiple.
WC_shipTypeValueOrderId	The orderId that corresponds to the Shipping type.
WC_SHOW_USER_ACTIVATION_`storeId`	Flag to show user activation message after user registration.
WC_OnBehalf_Role_`storeId`	Cookie to track the role of the user who started an on behalf session.
WC_Base_Text_Direction	This cookie is created when a shopper sets the Text Direction in the Language and Currency panel. The cookie can be used in HTTP and HTTPS. Value: auto

Using WebSphere Commerce without cookies

If a user chooses not to accept cookies, the site can use URL rewriting; however, URL rewriting does not interoperate with dynamic caching. For more information, see the topic Session management.