
Preventing the JSESSIONID cookie from being set based on another cookie


Level 1

Hello,

My company is preparing to follow the EU General Data Protection Regulation, which requires the user to be able to accept/decline cookies on your site and, if they select decline, that no other cookies from your domain get written. I've been struggling to prevent the JSESSIONID cookie from the Apache Felix Jetty Based Http Service from being written based on another cookie value. We can't turn off this service as it's being used for users that do not decline to accept cookies. Anyone have thoughts on how to do this?

3 Replies


Employee

Given that nothing in AEM uses JavaEE Sessions, your custom code must be creating those sessions. Just don't do that if this other cookie is set.


Level 9

Hi Weston,

  • Agree with Justin: AEM does not use JSESSIONID.
  • Validate that the default session value is not misconfigured at /system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
  • Make sure the session is not set in your components, especially JSP files, because most online samples have it, probably due to popular copy & paste.

  In my opinion, for your requirement, opting out the cookie at http://host:port//system/console/configMgr/com.adobe.granite.optout.impl.OptOutServiceImpl should help.

Thanks,
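One way to implement what Justin and the reply above describe, as an added example (not code from this thread, from Adobe or from Apache Sling): a Sling request filter that, when the visitor carries a consent cookie saying they declined, wraps the request so any downstream code that calls getSession() only ever gets the existing session or null, so Jetty never issues a JSESSIONID for that visitor. The cookie name `cookie_consent`, its value `declined`, the filter class name and the filter ranking are assumptions.

```java
// Added example: a Sling filter that stops session creation for visitors who
// declined cookies. The cookie name/value below are assumed, not from the thread.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.wrappers.SlingHttpServletRequestWrapper;
import org.osgi.service.component.annotations.Component;

@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",      // run once per request, before scripts/servlets
        "service.ranking:Integer=1000"     // assumed: run early, ahead of most filters
})
public class NoSessionWhenDeclinedFilter implements Filter {

    static final String CONSENT_COOKIE = "cookie_consent"; // assumed cookie name
    static final String DECLINED = "declined";             // assumed "declined" value

    // True when the visitor explicitly declined cookies (consent cookie present).
    static boolean hasDeclined(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (CONSENT_COOKIE.equals(c.getName()) && DECLINED.equals(c.getValue())) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest req = (SlingHttpServletRequest) request;
        if (hasDeclined(req)) {
            // Wrap the request: getSession()/getSession(true) never create a session,
            // so a JSP with session="true" or custom code cannot trigger JSESSIONID.
            req = new SlingHttpServletRequestWrapper(req) {
                @Override public HttpSession getSession(boolean create) { return super.getSession(false); }
                @Override public HttpSession getSession() { return super.getSession(false); }
            };
        }
        chain.doFilter(req, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

This complements, rather than replaces, setting `session="false"` in your JSPs: the filter is a safety net for code you do not control, while the page directive stops the session from being requested in the first place.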


Level 10

More feedback --

As I remember from other previous projects in the UK, not every cookie is banned ;-)

Here is the quote from http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm:

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection (WP29) include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

So you might not really need all that effort to disable the session id ;-)