Browser cookies are used in dotCMS in several ways to help you recognize repeat users and provide a personalized browsing experience based on identified user preferences. Within dotCMS, different applications set different cookies: dotCMS sets some, the application server (e.g. Tomcat) sets some, and users can also set their own cookies for their own pages or sites.
dotCMS Cookies
dotCMS uses cookies to identify unique users visiting your site, track the number of site visits, and maintain session information for authenticated users. The following sections describe the cookies created by dotCMS, depending on how users access your site.
Front-End Sessions
The following cookies are created and managed by dotCMS for all sessions (both front-end and back-end):
Cookie | Session | Description | Expiration |
---|---|---|---|
dmid | No | Identifies a unique site visitor over multiple site visits. Used for Personalization. | 5 years |
opvc | Yes | Once-Per-Visit-Cookie. Re-generated each time a user visits your site. | Single session |
sitevisitscookie (or svc) | No | Tracks the number of times a user has visited your site. Relies on the dmid to track the unique user. | 5 years |
JSESSIONID | Yes | Conventional Java application server cookie created when a user accesses a dotCMS page or the dotCMS backend. Used for storing visitor context such as language id and site visit information. | Single session |
The cookies dmid, opvc and sitevisitscookie are set automatically by dotCMS, and there are currently no switches to disable them. A cookie-stripping tool that works at the JavaScript level cannot prevent these cookies from being set, because they are not set in JavaScript. Some other tools might be able to strip them; otherwise they would probably need to be stripped either at the load balancer or using a plugin.
Back-End Sessions
The following additional cookies are created by dotCMS for back-end access:
Cookie | Session | Description | Expiration |
---|---|---|---|
DWRSESSIONID | Yes | Created when a user successfully authenticates on the dotCMS backend; used specifically for AJAX and XHR requests. | Single session |
rme | Yes/No | Created when a user logs into the backend when JWT authentication is enabled. If a user clicks “Remember Me” when logging in, this cookie will be long lived. Otherwise, it is a session cookie. (Note: Cookie was access_token prior to dotCMS 24.07.19.) | Configurable * (Default = 14 days) |
* = The expiration for the rme cookie can be set using the json.web.token.days.max.age configuration property. For more information, please see the Authentication Using JWT documentation.
Custom Cookies
You may create additional cookies of your choice and access the value of any dotCMS or application server cookies using the CookieTool Velocity viewtool. This tool allows you to use Velocity code to create cookies and set and retrieve cookie values, so you can track specific user behavior or modify what content you deliver to your users depending on your specific needs.
Application Server Cookies
In addition to the cookies created by the dotCMS application, your application server itself may generate additional cookies. For example, the Tomcat application server that ships with the default dotCMS distribution creates a JSESSIONID session cookie for all front-end users.
For more information on cookies used by your application server, please see your application server documentation.
Cookie Configuration Properties
Three configuration properties in the dotmarketing-config.properties file control how flags are set on dotCMS cookies:
COOKIES_HTTP_ONLY=false
# values: never|always|https
COOKIES_SECURE_FLAG=never
COOKIES_SESSION_COOKIE_FLAGS_MODIFIABLE=true
Note:
- It is strongly recommended that all changes to the dotmarketing-config.properties file be made through a properties extension file.
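
The following Python script checks Set-Cookie header values for the cookies listed on this page and reports any that lack HttpOnly or Secure, or whose lifetime (session vs. persistent) differs from the tables above. It is an added example, not dotCMS code; the function names and sample headers are constructed, and it assumes the site is served over HTTPS, where the Secure flag is expected.

```python
# Expected lifetime per cookie, taken from the tables on this page:
# True = session cookie, False = persistent, None = either (rme).
EXPECTED_SESSION = {
    "dmid": False, "opvc": True, "sitevisitscookie": False, "svc": False,
    "JSESSIONID": True, "DWRSESSIONID": True, "rme": None,
}

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in header_value.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit(set_cookie_values):
    """Return {cookie name: [findings]} for the cookies listed on this page."""
    findings = {}
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        if name not in EXPECTED_SESSION:
            continue  # custom or unrelated cookie, out of scope here
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if "secure" not in attrs:  # assumption: site is served over HTTPS
            issues.append("missing Secure")
        # A cookie with neither Max-Age nor Expires lasts a single session.
        is_session = "max-age" not in attrs and "expires" not in attrs
        expected = EXPECTED_SESSION[name]
        if expected is not None and is_session != expected:
            issues.append("lifetime differs from documented value")
        findings[name] = issues
    return findings

# Constructed sample headers (not captured from a real dotCMS instance).
SAMPLE = [
    "dmid=11111111-aaaa; Path=/; Max-Age=157680000",
    "opvc=22222222-bbbb; Path=/; Secure; HttpOnly",
    "JSESSIONID=ABCDEF0123; Path=/; HttpOnly",
    "DWRSESSIONID=xyz; Path=/; Max-Age=3600; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie, issues in audit(SAMPLE).items():
        print(f"{cookie}: {', '.join(issues) or 'ok'}")
```

Feed it the Set-Cookie values from a front-end and a back-end response after changing the properties above to confirm the flags actually reach the browser.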