Cookies overview
Introduction
What is a cookie?
Cookies are small text files that are stored on the contact’s computer and are created when the contact visits a page. Cookies are like virtual keys that unlock a memory and allow a website to recognize the contact when he returns. Cookies are often indispensable for websites or applications to work correctly.
Session versus persistent cookies
A session cookie allows a contact to be recognized when navigating from one page to another. Without cookies there is no memory and every time the contact changes page, the contact is treated as a new visitor. Session cookies are only available within one and the same session and are deleted when leaving the session. A session cookie is never stored on the hard drive.
Persistent cookies remain a lot longer on the contact’s computers, depending on the setting of the cookie. These cookies are re-activated and consulted once the contact revisits the page that created it.
Persistent cookies are mostly used to remember your information and settings for future visits. This results in faster and more convenient access. Example: the contact does not have to log on again at the next visit. A persistent cookie is stored on the hard drive.
First party versus third party cookies
All cookies have an owner that tells who the cookie belongs to. The owner is the domain specified in the cookie. First party cookies are set with the same domain as the URL displayed on the browser's address bar. Third party cookies are set with domains different from the one on the address bar.
So, for example, if you visit www.widgets.com and the domain of the cookie placed on your computer is www.widgets.com, then this is a first-party cookie. If, however, you visit www.widgets.com and the cookie placed on your computer says www.stats-for-free.com, then this is a third-party cookie.
Overview
Below is an overview of the different applications and the use of cookies by these applications.
Engage Portal
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| __RequestVerificationToken | Session First-party |
session | Anti XSS token | Whenever a form is used in the portal | No | Engage Portal will not work if disabled |
| __Secure-SmcPortal_Gate-X | Session First-party |
session | authentication data | on authentication | no | impossible to login |
| __Secure-SmcPortal_Gate-X_SessionId | Session First-party |
session | Session id | on visit | no | impossible to login |
| SERVERIDpe | Session First-party |
session | server id | on visit | no | no perceived impact. Engage is designed fir non-stickiness |
| b1p1 | Session First-party |
session | server id | on visit | no | no perceived impact. Engage is designed fir non-stickiness |
Engage Reporting
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| ASP.NET_SimWeb_SessionID | Session First-party |
session |
Simweb session ID |
When visiting a Engage portal page | no | Engage portal will not work if disabled. |
| XSRF-TOKEN | First-party | 24h | XSRF token | On visit | No | CSRF protection will not work |
Front-end modules
The front-end modules do not use any cookies. Email and page tracking is performed through a unique url with hashcodes. A hashcode is a code generated by Engage and includes data on the user and his actions.
Static content (such as images, CSS, jscript) does not require any cookie.
Form (surveys)
The Form module requires a specific first-party cookie to track statistics about the survey taken by the contact. Because the solution has not control over the path followed by the contact to get to the survey and over a consent form being filled out or not, the cookie is by default disabled.
Note that this is from version 5.2. An upgrade is advised if this behavior is required. However, if the contact consents to the use of cookies, it is possible to re-activate the use of the cookie through a configuration change.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| SVMRID | Persistent First-party |
365 days | A generated GUID | When a survey is visited by the contact | No | If disabled, survey functionality remains. However, custom analysis on the underlying stats table won't work anymore. |
Journeys
Journeys only generates one cookie, when the Shared Storage component is used in the journey. This Shared Storage component is used to define and update variables that can be used throughout one or more journeys. One of the possibilities for such a variable is to store it in a cookie. It is the user that defines the name and the content for the cookie.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| Defined in the user interface |
Persistent First-party |
356 days | User generated content | When the Shared storage component is used in a journey and traversed by the contact in his online path through the journey | Depends on the use of the Shared Storage component | Shared Storage won't work. |
OptiExtension: Cross Site Request Forgery
CSRF is a type of malicious exploit whereby unauthorized commands are transmitted from a trusted user. The solution allows protection against CSRF.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| CR |
Persistent First-party |
356 days | Encoded validation token which is cross validated with a hidden form value. The token is valid for 30 minutes. | When forms, created in the editor, are used in a journey. | Yes. By setting the CSRF_Protect to true. By default this behavior is not enabled. |
CSRF won't work when de-activated. |
Content Rendering
Content rendering is used when pages are rendered within the existing customer website. This guarantees the same corporate look and feel for all pages provided by the solution.
The cookies created depend on the content renderer used. Customers can have their own content renderer with possibly their own cookies. The default ASP.NET content renderer generates the following cookie.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
|
ASP.NET_SessionID |
Session First-party |
session | SessionID, used by ASP.NET to uniquely identify the user | When the content renderer is used | Yes. By removing it from ASP.NET configuration | No impact when disabled. |
Webtracker
Web tracking allows tracking of contacts that are redirected to an external platform and this to perform follow-up actions or calculate conversion.
When using Webtracker, an additional parameter (called “m_i”) is added to each external hyperlink. This new information contains data about the targeted contact, the email sent and the sensor clicked. The parameter is processed on the external website and creates cookies on the client computer. The system will always try to create first and third party cookies, depending on the settings of the client's computer. However, if possible the Webtracker will always try to use first party cookies, and if this is not possible third party cookies are used.
Now, these cookies are only created when there is an explicit call to the Engage from the customer’s website. Therefore, the website owner is in control of the call and can ensure that this call is only made for contacts that consented to the use of cookies.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| M_trk |
Persistent First-party> |
365 days | All history information concatenated (versionnbr, time, listid, userid, probeid, actionid, campaignid,clistid,citemid) | When a tracked page is loaded | No | When disabled, it is no longer possible to track contacts and provide reporting on it. |
| M_ttrk | Persistent Third-party |
365 days | All history information concatenated (versionnbr, time, listid, userid, probeid, actionid, campaignid,clistid, citemid) | When a tracked page is loaded | No | When disabled, it is no longer possible to track contacts. Third party cookies are only used when first party cookies are not available. |
| M_ses |
Session First-party |
session | Creation date | When a tracked page is loaded. This cookie represents the current session on the website | No | When disabled, the Webtracker won't be able to recognize new contacts and successfully perform its tracking |
| M_tses | Session First-party |
session | Creation date | When a tracked page is loaded. This cookie represents the current session on the website | No | When disabled, the Webtracker won't be able to recognize new contacts and successfully perform its tracking. Third party cookies are only used when first party cookies are not available |
| M_cnt | Session First-party |
session | Visit count |
When a tracked page is loaded |
No | When disabled, there is no impact on standard Webtracker behavior |
| M_dir | Session First-party |
session | 1 | When a tracked page is loaded and in case the calling url contains an m_i parameter | No | When disabled, Webtracker won't be able to identify whether a direct request is received and whether the contact is identified. |
Marigold Site
The following cookies are written by Site on the contact’s computer.
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| sbt_i | Persistent First-party |
365 days | Unique Site Identifier |
Upon first hit |
No | When disabled, it is no longer possible to track contacts and provide reporting on it. |
| sbt_p | Persistent First-party |
365 days |
Compressed profile information for non-quality profiles with a size less than 4Kb |
While the profile is not a quality profile and its size is less than 4Kb | No | When disabled, it is no longer possible to track contacts. |
| sbt_pi | Persistent First-party |
365 days |
Returned profile information (json) |
Upon request (if the user uses the saveProfileInfo method on the API) | No | When disabled, profile information is only available as a result of the tracking call |
| sbt_dnt | Persistent First-party |
31 days | 1 | When the contact has been opted out using the DSR tool, the Optout field in Engage gets a specific value (20180525). During the nightly sync between Engage and Site , this Optout field will automatically be synced together with all other exposed fields. When the Optout value is filled in, and the visitor identifies themselves on the website, the Do Not Track value will be set to true automatically and no profile data will be tracked. A cookie sbt_dnt is placed to avoid any future tracking. | No | DNT setting will be ignored and a tracking call will be sent upon each request |
|
sb_<universeGUID> |
Persistent Third-part |
12 months |
Unique Site Identifier (GUID for Global Universe Identifier) |
Upon first hit on the universe | No | When disabled, identification of a profile is not possible after deleting first party cookies |
| sbss__<universeGUID> | Persistent Third -party | 12 months | Unique Site Identifier (GUID for Global Universe Identifier) | Upon first hit on the universe | No | When disabled, identification of a profile is not possible after deleting first party cookies |
The following cookie is written by Campaign but is Site related:
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
| sbt_i | Persistent First-party |
365 days |
Unique Site Identifier |
Upon CRM targeting call |
No |
When disabled, it is not possible to identify CRM targeting calls to the correct profile without third party cookies being available |
CDM
| Name | Type | lifetime | Value stored in cookie | Created | Configurable | Consequence if disabled |
|
Initial+site |
Persistent |
As long as no logout has been performed or window closed Session ID + IP |
At login | No |
When removed, the user receives an alert and needs to reconnect |
