Persistent sessions (Remember Me)

HCL Commerce is configured for persistent sessions, meaning that some session-related information of the registered or guest user is stored as permanent cookies. If persistent sessions are enabled, a customer at an HCL Commerce store will be recognized on subsequent visits to the store, even after the customer closes the browser. Sessions can be persisted for both guest and registered users. Persistent sessions are enabled by default, and by default, sessions are persisted for 30 days.

Persistent sessions increase the ability of the store to monitor customer activities:

  • Analytic tools can correlate shopping activities that span multiple sessions, even if the user does not register.
  • Marketing experimentation can contain data from multiple sessions, which includes the sessions of guest customers.

Persistent sessions enhance the shopping experience:

  • It is easier for a customer to resume their existing shopping experience.
  • It is the only way for a guest customer to retrieve the pending shopping carts from a previous session.

The customer must be accessing the store from the same computer that they used to create the persistent session. Customers can choose not to be remembered by clearing the Remember Me check box when they log in, or during the registration process. In this case, their information will not persist into the next session.

When persistent sessions are enabled and the customer elects to be remembered by clicking the Remember Me check box on the logon or registration page. Then, the returning customer (a partially authenticated user, also known as a remembered user) can view the following information by default, which depends on how the "Credentials Accepted" attribute is configured in the Struts configuration file.

Customer type Can view Cannot view
Guest user
  • Current shopping cart
Guest user (remembered)
  • The pending shopping cart from previous sessions
Registered user (logged out, but remembered)
  • The pending shopping cart from previous sessions
  • Coupons
  • Promotions
  • Eligible contracts
  • Order history
  • Previous shipping and billing addresses
Registered user (logged in)
  • Order history
  • Previous shipping and billing addresses
  • The pending shopping cart from previous sessions
  • Coupons
  • Promotions
  • Eligible contracts
Aurora starter store
The credentials are set in the credentialsAccepted parameter of the struts-wcs-stores-custom.xml configuration file:
<action class="com.ibm.commerce.struts.v2.BaseAction" name="AccessControlErrorView">
<param name="credentialsAccepted">10001:P,715837984:P,715838034:P,10801:P</param>
<param name="https">10001:1,715837984:1,715838034:1,10801:1</param>
</action>
HCL Commerce Version 9.1.16.0 or later
Ruby (Next.js) starter store
The persistent session of the Next.js store is dependent on service responses and is not configured by views.

The configuration file Rest/WebContent/WEB-INF/config/com.ibm.commerce.rest/wc-rest-security.xml in the Rest.war from the Transaction server controls which service calls are allowed for partial authenticated shoppers.

Note: When a remembered guest user returns to the site, a new guest user is created when the session tries to access a protected request (configured through the Struts configuration). The shopping cart of the previous guest user is reset to the new guest user and all sensitive information of the order, such as address and credit card, is removed. This behavior results in providing greater security for guest users who complete an order in the store.

Consider the common scenario where a guest user places an order at a location that provides public Internet access. By creating a new guest user each time, a remembered guest goes through a protected request. The new user prevents another user from viewing any previous information such as their order history, previous shipping and billing addresses, and other information that is provided during the check-out process. Therefore, users that are placing orders through locations that provide public Internet access can do so safely. This eliminates the privacy infringement concern through future sessions.

Persistent cookies

HCL Commerce contains the following persistent cookie:
HCL Commerce persistent cookie
Cookie name Description
WC_PERSISTENT This cookie is used to persist user ID, personalization ID (if enabled), language ID, and currency for each store ID visited in the session. Multiple sets of identifiers can exist if the user visits more than 1 store.

Remembered users

By default, the Logoff command deletes the persistent session. However, if rememberMe=true is passed to the Logoff command then the registered user is logged off but remembered. The session persists, and the registered user is able to view the shopping cart but not other information such as order history or addresses. To view this sensitive information that the customer needs to log on to the store consider the following examples:

Example 1:
The site is enabled the Remember Me feature. A registered user performs the following actions:
  1. Logs on to a store and checks the Remember Me check box.
  2. Adds items to the shopping cart.
  3. Logs off from the store, specifying the optional rememberMe=true parameter to the Logoff command. The user is logged off but the session persists. The user is now remembered when they return to the site.
Example 2:
A site with multiple stores, S1 and S2, is enabled the Remember Me feature. A registered customer performs the following actions:
  1. Logs on to store S1 and checks the Remember Me check box.
  2. Adds items to the shopping cart in the S1 store.
  3. Adds items to the shopping cart in the S2 store.
  4. Closes the browser.

The shopping cart persists for both stores.

If the registered user clears the Remember Me check box on the My Account page of store S1 on a subsequent visit, the shopping cart for store S2 continues to persist, but the shopping cart for store S1 does not.