European Union Data Protection Directive and HCL Commerce cookies

The European Union Data Protection Directive specifies that cookies that are strictly necessary for the delivery of a service requested by the user the consent of the user is not needed. For cookies that are not necessary for the deliver of a service requested by the user, the user must give consent before the cookies or any other form of data is stored in their browser. In HCL Commerce, session management cookies are necessary to deliver services requested by the user.

Persistent cookies are optional: they are used for marketing (based on personalization ID), and for Remember-Me functionality. To get consent for optional cookies, you might present the shopper with a JavaScript message when they first access the site, similar to the following: By continuing to use this site, you consent to the use of cookies on your device as described by our cookie policy (unless you have disabled cookies). You can change your cookie settings at any time. However, some parts of the site will not function correctly without cookies.

HCL Commerce session cookies

The following table lists HCL Commerce session cookies. All of these cookies are essential for the operation of HCL Commerce. You cannot disable these cookies. Session cookies are not persistent.

HCL Commerce session cookies
Cookie name	Description
_AN_CGID_COOKIE	Stores the categories visited by a user, which is later used by the following Analytics tags: Product tag, Cart tag, and Order tag.
REFERRER	The value of `referer` in the HTTP header.
WC_ACTIVEPOINTER session cookie	This cookie contains the value of the store ID of the session. This value is used to select the store to run the command, if one is not specified on the URL. Value: langId \| storeId Example: `%2d1%2c10601`
SESSION_COOKIEACCEPT	Checks whether the client browser accepts cookies.
WC_AUTHENTICATION_`ID` session cookie	HCL Commerce uses a secure authentication cookie to manage authentication data. An authentication cookie flows only over SSL. For increased security, it has a timestamp with a signature. This cookie is used to authenticate the user over SSL-connections. Value: userId \| hash (sessionKey \| userId \| timestamp) Example: `3002%2cy77JGV%2btHlOwnIITNCn%2f%2fiaH2ns%3d`
WC_GENERIC_ACTIVITYDATA session cookie	This cookie exists only if it is a generic user (`-1002`) session. This cookie stores the session values such as store ID, language ID, and contracts. Value: activityToken \| storeId \| business context values Example: [45123%3atrue%3afalse%3a0%3a4nhN%2fXerGUj5KgGYOnRBVcizyMw%3d][com.ibm.commerce.context.audit.AuditContext\|1328734351734%2d2][com.ibm.commerce.store.facade.server.context.StoreGeoCodeContext\|null%26null%26null%26null%26null%26null][CTXSETNAME\|Store][com.ibm.commerce.context.globalization.GlobalizationContext\|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.catalog.businesscontext.CatalogContext\|null%26null%26false%26false%26false][com.ibm.commerce.context.base.BaseContext\|10601%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.context.experiment.ExperimentContext\|null][com.ibm.commerce.context.entitlement.EntitlementContext\|10503%2610503%26null%26%2d2000%26null%26null%26null][com.ibm.commerce.giftcenter.context.GiftCenterContext\|null%26null%26null]
WC_SESSION_ESTABLISHED session cookie	This cookie is created on the first request that is processed by HCL Commerce run time. For example, a non-cache request. Value: true
WC_USERACTIVITY_`ID` session cookie	This cookie is a user session cookie that flows between the browser and server over both SSL or non-SSL connection. It is used for user identification over non-SSL connections. It contains user session values such as the session login time, and session identifier information such as the user ID and store ID. Value: cookieValue \| encrypt (activityToken \| cookieValue) Where cookie value is: userId \| storeId \| passwordInvalidationFlag \| attemptedPasswordProtectedCommands \| CloneId \| logonTime \| expiryTime \| expiredUserId \| preExpiryURL \| version \| forUserId \| activeOrgId \| Example: `%2d1002%2c10601%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2csExMBJjdNXecuyL5l71eSlqxmVWzSMmWp%2fdGhAV5JRJd5QHFxL%2f9jNLYYeKI1YtswEqhrSwXXhlp%0d%0aLOcvGb1IzzsfEA0y%2bPirawTDQ6rUaXcsnDRnR0GNayuSSrKf4p%2fEdxvj1CkiM8E%3d`
LTPA2 cookie WebSphere Application Server cookie	This cookie is used when HCL Commerce enabled for single sign-on with other WebSphere applications information center.
WC_EdgeCacheComponent_`storeId`	Used for Edge Caching.
WC_identitySignature	Management Center session cookie.
fulfillmentCenterId	Fulfillment center selected in Accelerator.
LtpaToken2	WebSphere Application Server LTPA token used for single sign on.

Note:

All session cookies, except for WC_SESSION_ESTABLISHED, can be used in the Management Center preview environment. In the preview environment, the session cookie name is prefixed with WCP_. The cookies support sessions and users in the preview environment.
The value of session cookies is encrypted by using the session encryption key. For more information, see ../tasks/tsechangesessionkey.html.

HCL Commerce persistent cookie

The only persistent cookie used in HCL Commerce is WC_PERSISTENT. However, WCP_PERSISTENT exists for the Preview environment. This cookie, disabled by default, is used in the Remember me functionality and all marketing functions that rely on the personalization ID. For information, see Personalization ID. You can configure persistent sessions at a site, store, or individual customer level. You can set the time that the cookie persists for, see Changing session management settings in the HCL Commerce configuration file (wc-server.xml).

Aurora starter store cookies

The following table lists Aurora starter store cookies.

Aurora starter store cookies
Cookie name	Description
analyticsFacetAttributes	The list of facets that the customer clicked, making this data available to the analytics tags in those pages. The cookie is continually updated until the customer starts a new search or starts a new session.
analyticsPreCategoryAttributes	Pre-category attributes used for Analytics.
analyticsSearchTerm	Search terms used for Analytics.
CompareItems_storeId	Catalog Entry IDs that are being compared.
priceMode	Display mode for showing prices in the storefront.
searchTermHistory	The history of terms searched.
signon_warning_cookie	Error key that is used to retrieve error messages.
WC_ACTIVITYDATA_`userId`	Session cookie that is created and processed by the Store server.
WC_GENERIC_ACTIVITYDATA	Session cookie that is created and processed by a local (migrated) store.
WC_CartOrderId_`storeId`	Active Order Id for the store.
WC_CartTotal_`orderId`	Subtotal of order items (before tax and shipping), number of items, language, currency.
WC_DeleteCartCookie_`storeId`	Cookie to force refresh of other Mini Shopping Cart cookies.
WC_physicalStores	Physical stores that customer selects.
WC_pickUpStore	Pick-up store ID that customer selects.
WC_recurringOrder_`orderId`	Recurring order ID.
WC_ScheduleOrder_`orderId`_interval	Scheduled orders interval.
WC_shipTypeValue	Shipping type value: single or multiple.
WC_shipTypeValueOrderId	The orderId that corresponds to the Shipping type.
WC_SHOW_USER_ACTIVATION_`storeId`	Flag to show user activation message after user registration.
WC_OnBehalf_Role_`storeId`	Cookie to track the role of the user who started an on behalf session.
WC_Base_Text_Direction	This cookie is created when a shopper sets the Text Direction in the Language and Currency panel. The cookie can be used in HTTP and HTTPS. Value: auto

Ruby (Next.js) starter store cookies

In addition to HCL Commerce session cookies, the Ruby starter store also uses the following cookies for React state management in the browser:

WC_MarketingTrackingConsent_${storeId}: This cookie is used for tracking shoppers consent regarding marketing tracking.
WC_PrivacyNoticeVersion_${storeId}: This cookie is used to track the acceptance of the privacy policy and the version of the privacy policy.

Using HCL Commerce without cookies

If a user chooses not to accept cookies, the site can use URL rewriting for session management. However, URL rewriting does not work with dynamic caching. For more information, see Using URL rewriting for session management.