How HTTP cookies are being used in Liferay Portal 6.2

Issue

  • How are cookies being used in Liferay Portal 6.2?

Environment

  • Liferay Portal 6.2 EE

Resolution

  • What are cookies:

    • HTTP cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. 

      Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins.

  • Liferay stores two different types of cookies as follows:

    • Session cookies:

      Live only in the browser's memory and are never written to disk. When the browser closes, the cookie is permanently lost; hence it is destroyed when the browser session ends.

    • Persistent cookies: 

      Stored on disk by the browser. By default, Liferay sets the max-age of these cookies to one year.

      Note: One year is the max-age of these cookies; it does not mean they will last for one year. These cookies actually live as long as the browser does. "REMEMBER_ME", however, will last for one year if the user doesn't uncheck "Remember me".

    • All cookies are set by the server via the Set-Cookie HTTP header. A browser knows to store a cookie as a persistent cookie when it finds the 'Expires=' attribute followed by a date in the future (or, equivalently, a 'Max-Age=' attribute giving a lifetime in seconds). If there is no 'Expires=' attribute, or if the specified date has already passed, the browser keeps the cookie in memory only, as a session cookie.

  • List of cookies Liferay has set

    • COOKIE_SUPPORT:

      • It is a boolean value that tells the portal whether cookies are enabled or not.

      • Persistent type of cookie

      • By default, the property "session.test.cookie.support=true" is present in the portal.properties file, so that users are tested for cookie support before they are allowed to sign in.

    • LFR_SESSION_STATE_userId:

      • Used for user session identification, user authentication, remembering the user's language preference, and managing user sessions. For example, "LFR_SESSION_STATE_10196" is the session cookie of the user whose current userId is 10196. It holds the state of the current session; the value is the date-time of login.

      • Session type of cookie

      • Originates from "session.js"

      • Expires when the browser session ends 

    • GUEST_LANGUAGE_ID:

      • Used to specify the language. It is the guest's language ID.

      • Persistent type of cookie

    • COMPANY_ID:

      • Unique identifier for the visitor's company. It's the ID of the current instance.

      • Session type of cookie if the user unchecks the "Remember me" option.

      • The default expiration value of cookies is one year when the user checks the "Remember me" option.

    • ID:

      • It is encrypted userId.

      • Session type of cookie if the user unchecks the "Remember me" option.

      • The default expiration value of cookies is one year if the user checks the "Remember me" option.

    • USER_UUID:

      • It is an encrypted user UUID.

      • The default expiration value of cookies is one year if the user checks the "Remember me" option.

      • Session type of cookie if the user unchecks the "Remember me" option.

    • LOGIN:

      • It is encrypted login authentication info. The default authentication type is email address, so by default this cookie holds the user's email address in encrypted form.

      • This cookie is stored only if the user checks the "Remember me" option.

      • The default expiration value of cookies is one year.

    • PASSWORD:

      • It is an encrypted password.

      • This cookie is stored when the user checks the "Remember me" option, and the default expiration value of cookies is one year.

    • REMEMBER_ME:

      • This cookie is stored when the user checks the "Remember me" option.

      • It is a boolean value, set to true.

      • The default expiration value of cookies is one year.

    • SCREEN_NAME:

      • It is an encrypted screen name.

      • The default expiration value of cookies is one year 

    • JSESSIONID:

      • JSESSIONID is an ID generated by servlet containers such as Tomcat or Jetty and used for HTTP session management in Java EE web applications.

      • The ID is sent to the client either within a cookie (default) or as part of the URL (called URL rewriting, used only if cookies are disabled on the browser).

      • JSESSIONID is tied to the server-side session: when the session expires, the browser is closed, or the user logs out, the JSESSIONID cookie expires.

      • Session type of cookie

Key Note:

  1. The difference in the "type of cookie" is determined by whether the user checks or unchecks the "Remember me" option while logging in.
  2. "The default expiration value of cookies is one year": this value is one year by default, but it can be modified in the portal-ext.properties file via the following property:
    company.security.auto.login.max.age=31536000

    A value of 31536000 is a lifespan of one year expressed in seconds. The property sets the maximum age (in seconds) of the browser cookies that enable the "Remember me" feature.
    Adjusting this value changes the expiration date of all cookies relating to the authenticated session (PASSWORD, LOGIN, ID, etc.), which lets users stay logged in for longer periods without needing to re-authenticate.
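    The Set-Cookie classification described in the Resolution section and the max-age property in this note, as an added Python example (not Liferay code): it parses constructed Set-Cookie headers named after the cookies listed above, classifies each as session or persistent from its Expires/Max-Age attributes, and flags any "Remember me" cookie whose lifetime exceeds the configured company.security.auto.login.max.age. The header values and the fixed NOW timestamp are assumed placeholders, not captured portal output.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = 31536000  # default company.security.auto.login.max.age (seconds)
# Cookies the article lists as governed by the "Remember me" max age.
AUTO_LOGIN_COOKIES = {"COMPANY_ID", "ID", "USER_UUID", "LOGIN",
                      "PASSWORD", "REMEMBER_ME", "SCREEN_NAME"}
# Fixed "current time" so the Expires arithmetic is deterministic.
NOW = datetime(2025, 3, 12, 10, 0, tzinfo=timezone.utc)

# Constructed Set-Cookie headers modelled on the cookie names in the article;
# the values are placeholders, not captured Liferay output.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/; HttpOnly",
    "Set-Cookie: COOKIE_SUPPORT=true; Expires=Thu, 12 Mar 2026 10:00:00 GMT; Path=/",
    "Set-Cookie: LFR_SESSION_STATE_10196=PLACEHOLDER_LOGIN_TIME; Path=/",
    "Set-Cookie: REMEMBER_ME=true; Max-Age=31536000; Path=/",
    # Two-year Max-Age: longer than the configured one-year maximum.
    "Set-Cookie: ID=PLACEHOLDER_ENCRYPTED_ID; Max-Age=63072000; Path=/",
]

def parse_set_cookie(header, now):
    """Return (name, kind, lifetime_seconds); kind is "persistent" when
    Max-Age is present or Expires lies in the future, else "session"."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, "persistent", int(attrs["max-age"])
    if "expires" in attrs:
        remaining = int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
        if remaining > 0:
            return name, "persistent", remaining
    return name, "session", None

def audit(headers, now=NOW):
    """Map each cookie name to its (kind, lifetime_seconds)."""
    return {n: (k, life) for n, k, life in (parse_set_cookie(h, now) for h in headers)}

def exceeds_max_age(report, max_age=ONE_YEAR):
    """Names of auto-login cookies that outlive the configured max age."""
    return sorted(name for name, (kind, life) in report.items()
                  if name in AUTO_LOGIN_COOKIES and kind == "persistent" and life > max_age)
```

    Run it against the Set-Cookie lines of a real login response to confirm that the lifetimes actually issued match the value configured in portal-ext.properties.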

Additional Information
