Cookies

The Curity Identity Server uses cookies for some of its basic functionality. For this reason, it is not possible to completely disable cookies.

However, to provide a richer User Experience, the Server may use a few non-essential cookies, which may go against regulations in certain regions unless explicitly consented to by the end user.

For this reason, it is possible to disable non-essential cookies, or only enable them if the user explicitly consents to that. This page shows how to do that.

The Authentication Service uses a cookie generally referred to as the username cookie (though it is used to keep not only the username, but also a few user preferences, like Locale).

It is possible to completely disable that cookie in the Authentication Service configuration.

If not disabled in configuration, the username cookie is considered a non-essential cookie, and as such, may still be disabled by the end user.

Requiring user opt-in for non-essential cookies

Instead of disabling non-essential cookies completely, it is also possible to only enable them if the end user explicitly consents to them.

This behaviour can be configured in the environment configuration by setting the non-essential-cookies-are-opt-in flag to true (the default is false).

After enabling that, the Curity Identity Server will no longer set non-essential cookies, except if the end user has consented to it explicitly.

Notice that even if the non-essential-cookies-are-opt-in configuration is false (the default), the user can still opt out of non-essential cookies as described below.

How end users consent to non-essential cookies is not defined by Curity. We expect that most deployments will already have such functionality available (e.g. by showing cookie banners to users when they first access the domain).

To let the Curity Identity Server know about user consent, set a cookie called non-essential-cookie-consent. Only the value true, case-insensitive, is accepted as “yes”; any other value is considered “no”.

That can be done in JavaScript, for example, as shown below (assuming the desired max-age in seconds is stored in the variable maxAgeSeconds).

Setting the cookie to express user consent for non-essential cookies:

```javascript
document.cookie = `non-essential-cookie-consent=true; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`
```

You can also handle this cookie on your reverse proxy, or by any other means. The Curity Identity Server only reads this cookie and will never set it.
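The following added example (not Curity's own code) shows a small set of browser-side helpers around that cookie: building the cookie string for both granting and withdrawing consent, and interpreting an existing cookie the same way the server does (only true, in any casing, counts as “yes”). The cookie name and the acceptance rule come from this page; the maxAgeSeconds value and the #cookie-accept / #cookie-decline banner buttons are assumptions.

```javascript
// Added example (not Curity's own code): helpers for the non-essential-cookie-consent
// cookie that the Curity Identity Server reads. The cookie name and the
// "only 'true', case-insensitive, means yes" rule come from the documentation;
// the max-age value and the banner wiring below are assumptions.
const CONSENT_COOKIE = "non-essential-cookie-consent";

// Build the cookie string for document.cookie (or for a Set-Cookie header emitted
// by a reverse proxy). Withdrawing consent uses Max-Age=0 so the browser drops the
// cookie; with no cookie present the server treats the user as not consented.
function buildConsentCookie(consented, maxAgeSeconds) {
  const value = consented ? "true" : "false";
  const maxAge = consented ? maxAgeSeconds : 0;
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}

// Parse a Cookie header or document.cookie ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    cookies[name] = value;
  }
  return cookies;
}

// Mirror the server's decision: only the value true (any casing) is "yes";
// a missing cookie or any other value, e.g. "yes" or "1", is "no".
function hasConsented(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value !== undefined && value.toLowerCase() === "true";
}

// Browser wiring (assumed banner with #cookie-accept and #cookie-decline buttons).
if (typeof document !== "undefined") {
  const maxAgeSeconds = 180 * 24 * 60 * 60; // assumed: remember the choice for 180 days
  document.querySelector("#cookie-accept")?.addEventListener("click", () => {
    document.cookie = buildConsentCookie(true, maxAgeSeconds);
  });
  document.querySelector("#cookie-decline")?.addEventListener("click", () => {
    document.cookie = buildConsentCookie(false, maxAgeSeconds);
  });
}
```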

In SDK plugins, it is easy to handle cookie consent with the help of the methods below:

SystemInformationProvider interface:

  • boolean isNonEssentialCookieOptIn()

UserPreferenceManager interface:

  • @Nullable Boolean hasUserConsentedToNonEssentialCookies()
  • boolean isNonEssentialCookieAllowed()

Deleting the username cookie on logout

It is possible to configure an Authentication Service to automatically delete the username cookie on logouts, via the delete-username-cookie-on-logout configuration setting. By default, this cookie is not deleted during logouts.
