Cookie Use

Browser cookies are used in dotCMS in several ways to help you recognize repeat users and provide a personalized browsing experience based on identified user preferences.

dotCMS Cookies

dotCMS uses cookies to identify unique users visiting your site, track the number of site visits, and maintain session information for authenticated users. The following sections describe the cookies created by dotCMS, depending on how users access your site.

Front-End Sessions

The following cookies are created and managed by dotCMS for all sessions (both front-end and back-end):

| Cookie | Description | Session | Expiration |
|---|---|---|---|
| dmid | Identifies a unique site visitor over multiple site visits. Used for both Personalization and Clickstream tracking. | No | 5 years |
| opvc | Once-Per-Visit-Cookie. Re-generated each time a user visits your site. | Yes | Single session |
| sitevisitscookie | Tracks the number of times a user has visited your site. Relies on the dmid to track the unique user. | No | 5 years |

Back-End Sessions

The following additional cookies are created by dotCMS for back-end access:

| Cookie | Description | Session | Expiration |
|---|---|---|---|
| SHARED_SESSION_ID | Created when a user accesses the backend login screen (whether or not the user has successfully logged in). | No | 24 Hours |
| DWRSESSIONID | Created when a user successfully authenticates on the dotCMS backend. | Yes | Single session |

Custom Cookies

You may create additional cookies of your choice and access the value of any dotCMS or application server cookies using the CookieTool Velocity viewtool. This tool allows you to use Velocity code to create cookies and set and retrieve cookie values, so you can track specific user behavior or modify what content you deliver to your users depending on your specific needs.

Application Server Cookies

In addition to the cookies created by the dotCMS application, your application server itself may generate additional cookies. For example, the Tomcat application server that ships with the default dotCMS distribution creates a JSESSIONID session cookie for all front-end users.

For more information on cookies used by your application server, please see your application server documentation.

Cookie Configuration Properties

Three configuration properties in the dotmarketing-config.properties file control how flags are set on dotCMS cookies:

COOKIES_HTTP_ONLY=false
# values: never|always|https
COOKIES_SECURE_FLAG=never
COOKIES_SESSION_COOKIE_FLAGS_MODIFIABLE=true

Note:

  • It is strongly recommended that all changes to the dotmarketing-config.properties file be made through a properties extension file.

Application Server Cookie Configuration

To set the httpOnly flag of the Tomcat JSESSIONID cookie, you must add useHttpOnly="true" to the Context tag of the Tomcat context.xml file (tomcat-8-0-18/conf/context.xml in the dotCMS distribution).

useHttpOnly="true"

Notes:

  • It is strongly recommended that all changes to the Tomcat context.xml file be made through a ROOT folder configuration plugin.
  • To change how cookies are used for application servers other than Tomcat, please see the documentation for your application server.
  • For more information about the HttpOnly cookie flag, please see the OWASP HTTPOnly documentation.
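
To confirm that the flag settings above took effect, the Set-Cookie response headers can be inspected. The following is an added example, not part of the dotCMS documentation: it parses Set-Cookie values and reports which of the cookies named on this page lack the HttpOnly or Secure flag. The function names are hypothetical and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags."""

# Cookie names taken from this page (dotCMS cookies plus Tomcat's JSESSIONID).
KNOWN_COOKIES = {"dmid", "opvc", "sitevisitscookie",
                 "SHARED_SESSION_ID", "DWRSESSIONID", "JSESSIONID"}


def parse_set_cookie(header_value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *attrs = header_value.split(";")
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; their values (e.g. Path=/) are not needed here.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def audit(set_cookie_values, https=True):
    """Map each known cookie to the list of flags it is missing.

    Secure is only expected when the response was served over HTTPS,
    since a Secure cookie would not be returned over plain HTTP.
    """
    findings = {}
    for value in set_cookie_values:
        name, flags = parse_set_cookie(value)
        if name not in KNOWN_COOKIES:
            continue  # custom or third-party cookie, out of scope for this check
        missing = []
        if "httponly" not in flags:
            missing.append("HttpOnly")
        if https and "secure" not in flags:
            missing.append("Secure")
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers, not captured from a real dotCMS instance.
SAMPLE = [
    "JSESSIONID=0123ABCD; Path=/; HttpOnly",
    "dmid=11111111-2222-3333-4444-555555555555; Max-Age=157680000; Path=/",
    "opvc=aaaa-bbbb; Path=/; Secure; HTTPONLY",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

The report lists absent flags only; whether a given cookie should carry a flag remains a decision for your deployment.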