Adobe Experience Manager Sites & More

westonb9371180 · 9:35:28 AM

Hello,

My company is preparing to follow EU General Data Protection Regulation, which requires the user to be able to accept/decline cookies on your site and if they select decline, that no other cookies from your domain get written. I've been struggling on preventing the JSESSIONID cookie from the Apache Felix Jetty Based Http Service being written based on another cookie value. We can't turn off this service as it's being used for users that do not decline to accept cookies. Anyone have thoughts on how to do this?

justin_at_adobe · 11:11:58 AM

Given that nothing in AEM uses JavaEE Sessions, your custom code must be creating those sessions. Just don't do that if this other cookie is set.

MC_Stuff · 11:30:15 AM

Hi Weston,

Agree with justin AEM does not use JSESSIONID.
Validate the default session value is not misconfigured at /system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
Make sure in your component session is not set , especially jsp files because most of online sample have that may be due to popular copy & paste.

In my opinion for your requirement Opt out the cookie at http://host:port//system/console/configMgr/com.adobe.granite.optout.impl.OptOutServiceImpl should help.

Thanks,

smacdonald2008 · 1:16:55 PM

More feedback --

as I remember from previous other projects in UK, not every cookie is banned;-)

Here is the quote from http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm:

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

used for the sole purpose of carrying out the transmission of a communication, and
strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 include:

user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
authentication cookies, to identify the user once he has logged in, for the duration of a session
user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
load‑balancing cookies, for the duration of session
user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

So you might not really need all those effort to disable sessionid;-)