European Union Data Protection Directive and WebSphere Commerce cookies

The European Union Data Protection Directive specifies that cookies that are strictly necessary for the delivery of a service requested by the user the consent of the user is not needed. For cookies that are not necessary for the deliver of a service requested by the user, the user must give consent before the cookies or any other form of data is stored in their browser. In WebSphere Commerce, session management cookies are necessary to deliver services requested by the user.

Persistent cookies are optional: they are used for marketing (based on personalization ID), and for Remember-Me functionality. To get consent for optional cookies, you might present the shopper with a JavaScript message when they first access the site, similar to the following: By continuing to use this site, you consent to the use of cookies on your device as described by our cookie policy (unless you have disabled cookies). You can change your cookie settings at any time. However, some parts of the site will not function correctly without cookies.

WebSphere Commerce session cookies

The following table lists WebSphere Commerce session cookies. All of these cookies are considered essential for the operation of WebSphere Commerce. You cannot disable these cookies. Session cookies are not persistent.
WebSphere Commerce session cookies
Cookie name Description
_AN_CGID_COOKIE Stores the categories visited by a user, which is later used by the following Analytics tags: Product tag, Cart tag and Order tag.
REFERRER The value of referer in the HTTP header.
WC_ACTIVEPOINTER non-secured session cookie This cookie contains the value of the store ID of the session. This value is used to select the store to run the command, if one is not specified on the URL.
  • value: langId | storeId
  • example: %2d1%2c10601
SESSION_COOKIEACCEPT Checks whether the client browser accepts cookies.
WC_AUTHENTICATION_ID secured session cookie WebSphere Commerce uses a secure authentication cookie to manage authentication data. An authentication cookie flows only over SSL. For increased security, it has a timestamp with a signature. This cookie is used to authenticate the user over SSL-connections.
  • value: userId | hashed by using SHA-1(sessionKey| userId | timestamp) sessionKey is the key that is used to encrypt session-related data
  • example: 3002%2cy77JGV%2btHlOwnIITNCn%2f%2fiaH2ns%3d
WC_GENERIC_ACTIVITYDATA non-secured session cookie This cookie exists only if it is a generic user (-1002) session. This cookie stores the session values such as store ID, language ID, and contracts.
  • value: activityToken | storeId | business context values
  • example: [45123%3atrue%3afalse%3a0%3a4nhN%2fXerGUj5KgGYOnRBVcizyMw%3d][|1328734351734%2d2][|null%26null%26null%26null%26null%26null][CTXSETNAME|Store][|%2d1%26USD%26%2d1%26USD][|null%26null%26false%26false%26false][|10601%26%2d1002%26%2d1002%26%2d1][|null][|10503%2610503%26null%26%2d2000%26null%26null%26null][|null%26null%26null]
WC_SESSION_ESTABLISHED non-secured session cookie This cookie is created on the first request that is processed by WebSphere Commerce run time. For example, a non-cache request. For more information, see Dynamic caching considerations for persistent session.
  • value: true
WC_USERACTIVITY_ID non-secured session cookie This cookie is a user session cookie that flows between the browser and server over both SSL or non-SSL connection. It is used for user identification over non-SSL connections. It contains user session values such as the session login time, and session identifier information such as the user ID and store ID.
  • value: cookieValue | encrypted using 3DES (activityToken | cookieValue)

    where cookie value is: userId | storeId | passwordInvalidationFlag | attemptedPasswordProtectedCommands | logonTime | expiryTime | expiredUserId | preExpiryURL | forUserId | activeOrgId |

  • example: %2d1002%2c10601%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2csExMBJjdNXecuyL5l71eSlqxmVWzSMmWp%2fdGhAV5JRJd5QHFxL%2f9jNLYYeKI1YtswEqhrSwXXhlp%0d%0aLOcvGb1IzzsfEA0y%2bPirawTDQ6rUaXcsnDRnR0GNayuSSrKf4p%2fEdxvj1CkiM8E%3d
LTPA2 cookie WebSphere Application Server cookie This cookie is used when WebSphere Commerce enabled for single sign-on with other WebSphere applications information center.
WC_EdgeCacheComponent_storeId Used for Edge Caching.
WC_identitySignature Management Center session cookie.
fulfillmentCenterId Fulfillment center selected in Accelerator.
SoccomAuthToken Social bridging session cookie (Deprecated in Feature Pack 5).
SoccomUserInfoToken Social bridging session cookie (Deprecated in Feature Pack 5).
SoccomUserToken Social bridging session cookie (Deprecated in Feature Pack 5).
LtpaToken2  WebSphere Application Server LTPA token used for single sign on.
  • All session cookies, except for WC_SESSION_ESTABLISHED, can be used in the Management Center preview environment. In the preview environment, the session cookie name is prefixed with WCP_. The cookies support sessions and users in the preview environment.
  • The value of session cookies is encrypted by using the session encryption key. For more information, see Changing the session encryption key.

WebSphere Commerce persistent cookie

The only persistent cookie used in WebSphere Commerce is WC_PERSISTENT. However, WCP_PERSISTENT exists for the Preview environment. This cookie, disabled by default, is used in the Remember me functionality and all marketing functions that rely on the personalization ID. For information, see Personalization ID. You can configure persistent sessions at a site, store, or individual customer level. You can set the time that the cookie persists for, see Changing session management settings in the WebSphere Commerce configuration file (wc-server.xml).
Feature Pack 5 or later

Aurora starter store cookies

The following table lists Aurora starter store cookies.
Aurora starter store cookies
Cookie name Description
analyticsFacetAttributes The list of facets that the customer clicked, making this data available to the analytics tags in those pages. The cookie is continually updated until the customer starts a new search or starts a new session.
analyticsPreCategoryAttributes Pre-category attributes used for Analytics.
analyticsSearchTerm Search terms used for Analytics.
CompareItems_storeId Catalog Entry IDs that are being compared.
priceMode Display mode for showing prices in the storefront.
searchTermHistory The history of terms that have been searched.
signon_warning_cookie Error key used to retrieve error messages.
WC_CartOrderId_storeId Active Order Id for the store.
WC_CartTotal_orderId Subtotal of order items (before tax and shipping), number of items, language, currency.
WC_DeleteCartCookie_storeId Cookie to force refresh of other Mini Shopping Cart cookies.
WC_physicalStores Physical stores that customer has selected.
WC_pickUpStore Pick-up store ID that customer has selected.
WC_recurringOrder_orderId Recurring order ID.
WC_ScheduleOrder_orderId_interval Scheduled orders interval.
WC_shipTypeValue Shipping type value: single or multiple.
WC_shipTypeValueOrderId The orderId that corresponds to the Shipping type.
WC_SHOW_USER_ACTIVATION_storeId Flag to show user activation message after user registration.
Feature Pack 7

BloomReach cookies

The following table summarizes the cookies that are stored in WebSphere Commerce to support BloomReach SNAP integration:

BloomReach cookies

Category Cookie name Description
BloomReach Organic Search Analytics cookies _br_uid_2 Created by the BloomReach tracking pixel library (BrTrk). It creates a unique anonymous identifier for every browser or device. This cookie is set to expire after 1 year by default.
SNAP Analytics _br_mzs An analytics cookie that records the start and end of sessions. It is also used to route a specific shopper's traffic to the appropriate BloomReach SNAP web servers. This cookie is set to expire after 30 minutes by default.
_br_mzv An analytics cookie that records visit information such as first visit, last visit, and referrer information. This cookie is set to expire after 2 years by default.
A/B Testing _br_meu To continually improve BloomReach SNAP services, A/B tests are performed to measure and compare the performance of various algorithms and features. This cookie that contains unique identifiers for the shopper's experiment segments. It is created and updated by the REST API service. This cookie is set to expire after 1 year by default.
_br_me Contains per-experiment analytics and performance data. It is created and updated by the REST API service. This cookie is set to expire after 1 year by default.
User Preferences _br_mzp Stores a shopper's implicit and explicit preferences. These preferences are used by the BloomReach SNAP services such as Search, Auto-suggest, and JustForYou for personalization. It is created by the REST API service. This cookie is set to expire after 2 years by default.

Using WebSphere Commerce without cookies

If a user chooses not to accept cookies, the site can use URL rewriting; however, URL rewriting does not interoperate with dynamic caching. For more information, see the topic Session management.