HCL COMMERCE VERSION 9.1

Disabling personalization ID

You can disable the personalization ID for your HCL Commerce site by editing the HCL Commerce configuration file.

Procedure

  1. Open the HCL Commerce configuration file.
  2. Search for the PersonalizationId node.
  3. Set the value of the enable attribute to false, as shown in the following sample:
    
    <PersonalizationId display="false" enable="false"/>
    

What to do next

Package your changes to the HCL Commerce configuration file for deployment.
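
Before packaging, the edited file can be checked to confirm that every PersonalizationId node is explicitly disabled. The following is an added example, not part of the HCL documentation or product: the function name, the wrapper elements in the sample input, and the choice to report a missing enable attribute as a finding are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs. Only the PersonalizationId element is taken from
# the page; the <config>/<section> wrappers are placeholders, not the real layout.
SAMPLE_DISABLED = """<config><section>
  <PersonalizationId display="false" enable="false"/>
</section></config>"""
SAMPLE_ENABLED = """<config><section>
  <PersonalizationId display="false" enable="true"/>
</section></config>"""
SAMPLE_NO_ATTR = """<config><PersonalizationId display="false"/></config>"""
SAMPLE_NO_NODE = """<config><section/></config>"""


def audit_personalization_id(xml_text):
    """Return (ok, findings). ok is True only when at least one
    PersonalizationId node exists and every one has enable="false"."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"configuration is not well-formed XML: {exc}"]

    # Search the whole tree so the check does not depend on the node's parent.
    nodes = list(root.iter("PersonalizationId"))
    if not nodes:
        return False, ["no PersonalizationId node found"]

    findings = []
    for index, node in enumerate(nodes, start=1):
        value = node.get("enable")
        if value is None:
            # Assumption: without an explicit value, do not treat it as disabled.
            findings.append(f"node {index}: enable attribute missing")
        elif value.strip().lower() != "false":
            findings.append(f"node {index}: enable={value!r}")
    return (not findings), findings


if __name__ == "__main__":
    # Usage: python check_pid.py <path to the HCL Commerce configuration file>
    with open(sys.argv[1], encoding="utf-8") as handle:
        ok, findings = audit_personalization_id(handle.read())
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(0 if ok else 1)
```

The non-zero exit status lets a packaging or deployment pipeline stop when the setting has not been applied.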
Related information
  • Users
  • Session management
  • Persistent sessions (Remember Me)
  • Personalization ID