Preventing the JSESSIONID cookie from being set based on another cookie | Community
Skip to main content
B
blaris
Level 2
May 5, 2017
Question

Preventing the JSESSIONID cookie from being set based on another cookie

  • May 5, 2017
  • 3 replies
  • 4850 views

Hello,

My company is preparing to follow EU General Data Protection Regulation, which requires the user to be able to accept/decline cookies on your site and if they select decline, that no other cookies from your domain get written. I've been struggling on preventing the JSESSIONID cookie from the Apache Felix Jetty Based Http Service being written based on another cookie value. We can't turn off this service as it's being used for users that do not decline to accept cookies.  Anyone have thoughts on how to do this?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

3 replies

J
Adobe Employee
JustinEd3Adobe Employee
Adobe Employee
May 5, 2017

Given that nothing in AEM uses JavaEE Sessions, your custom code must be creating those sessions. Just don't do that if this other cookie is set.

MC_Stuff
MC_Stuff
Level 10
May 5, 2017

Hi Weston,

  • Agree with justin AEM does not use JSESSIONID.
  • Validate the default session value is not misconfigured at /system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
  • Make sure in your component session is not set , especially jsp files because most of online sample have that may be due to popular copy & paste.

  In my opinion for your requirement Opt out the cookie at http://host:port//system/console/configMgr/com.adobe.granite.optout.impl.OptOutServiceImpl should help.

Thanks,

smacdonald2008
smacdonald2008
Level 10
May 5, 2017

More feedback -- 

as I remember from previous other projects in UK, not every cookie is banned;-)

 

Here is the quote from http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm:

 

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29df include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

 

 

So you might not really need all those effort to disable sessionid;-)

Terms & ConditionsAccessibility statement

Loading footer...