Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

Preventing the JSESSIONID cookie from being set based on another cookie

Avatar

Level 1

Hello,

My company is preparing to follow EU General Data Protection Regulation, which requires the user to be able to accept/decline cookies on your site and if they select decline, that no other cookies from your domain get written. I've been struggling on preventing the JSESSIONID cookie from the Apache Felix Jetty Based Http Service being written based on another cookie value. We can't turn off this service as it's being used for users that do not decline to accept cookies.  Anyone have thoughts on how to do this?

3 Replies

Avatar

Employee

Given that nothing in AEM uses JavaEE Sessions, your custom code must be creating those sessions. Just don't do that if this other cookie is set.

Avatar

Level 9

Hi Weston,

  • Agree with justin AEM does not use JSESSIONID.
  • Validate the default session value is not misconfigured at /system/console/configMgr/org.apache.sling.scripting.jsp.JspScriptEngineFactory
  • Make sure in your component session is not set , especially jsp files because most of online sample have that may be due to popular copy & paste.

  In my opinion for your requirement Opt out the cookie at http://host:port//system/console/configMgr/com.adobe.granite.optout.impl.OptOutServiceImpl should help.

Thanks,

Avatar

Level 10

More feedback -- 

as I remember from previous other projects in UK, not every cookie is banned;-)

 

Here is the quote from http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm:

 

However, some cookies are exempt from this requirement. Consent is not required if the cookie is:

  • used for the sole purpose of carrying out the transmission of a communication, and
  • strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service.

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29df include:

  • user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases
  • authentication cookies, to identify the user once he has logged in, for the duration of a session
  • user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration
  • multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session
  • load‑balancing cookies, for the duration of session
  • user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)
  • third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

 

 

So you might not really need all those effort to disable sessionid;-)