Jive and Cookies

Jive uses HTTP cookies in several places in the application to provide a better user experience.

Jive does not set third-party cookies as part of the core product offering; however, it is possible for you to configure the application so that third-party cookies are set. For example, you can configure the application to use a Web-tracking tool such as Google Analytics or Webtrends, each of whom may set a third-party cookie.

Jive does not set the "domain" attribute of an HTTP cookie.

Starting with Jive version 4.5.7, all Jive cookies that are set by the server (not via the client or browser) have the HttpOnly flag.

Setting Up Secure Cookies

Out of the box, Jive is not configured to set the "secure" attribute for cookies that should only be sent via HTTPS connections. You can configure Jive to send only allowed, secure cookies through the following process:
  1. Set the Jive system property "jive.cookies.secure" to the value "true". This results in all Jive-specific cookies (not including JSESSIONID) having the "secure" attribute set on the cookie (Admin Console: System > Management > System Properties).
  2. Configure both Apache and Tomcat to only allow HTTPS connections. To understand these configurations, see Forcing Traffic to HTTPS and Enabling SSL Encryption.
  3. Finally, configure Tomcat with the "secure" attribute set to "true" in the server.xml configuration file, specifically the "server/connector" element.

How Jive Sets Cookies

Jive performs an audit by searching for all instances of "setCookie" in the source code, and then sets the following cookies.
Note: Except where noted, all of the following cookies do not contain user-identifiable information. This behavior meets European Union privacy laws.
SPRING_SECURITY_REMEMBER_ME_COOKIE
This cookie is used on the front-end as part of the security authentication process to denote whether or not the user wants to have their credentials persist across sessions. It is part of the Spring Security specification; details are available here.
  • Possible values: string, the Base64 encoded username and expiration time combined with an MD5 hex hash of the username, password, expiration time, and private key.
  • Expiration: defaults to 14 days.
  • Encryption: none. This is an MD5 hex hash.
  • Example: SPRING_SECURITY_REMEMBER_ME_COOKIE="YWFyb246MTMxNTU4MjUzNTI3MDoyZDUyODNmZjhhNjExZTdlMTcyMGZhYjVhNWNkNjI0Yg"
JSESSIONID
This cookie is used on the front-end and the Admin Console to identify a session. It is part of the Java Servlet specification.
  • Possible values: string, the unique token generated by Apache Tomcat.
  • Expiration: at session end.
  • Encryption: none.
  • Example: JSESSIONID="1315409220832msB9E3A98AA1F2005E61FA975963FA4D12.node01"
jive.security.context
This cookie is the authentication context for the user.
  • Possible values: the user's encrypted security context.
  • Expiration: 30 minutes unless refreshed. Same as the standard servlet container session timeout.
  • Encryption: AES 256.
  • Example: jive.security.context="SdRw2i/HXoh1+LwTBLFy3Q==.MzA3OQ=="
jive.server.info
This cookie is used on the front-end in combination with Content Distribution Networks (CDN) like Akamai to associate the user with a specific server (also known as "session affinity").
  • Possible values: string, a combination of the serverName, serverPort, contextPath, localName, localPort, and localAddr.
  • Expiration: at session end.
  • Encryption: none.
  • Example: jive.server.info="serverName=community.example.com:serverPort=443:contextPath= :localName=localhost.localdomain:localPort=9001:localAddr=127.0.0.1"
jive.user.loggedin
This cookie is used on the front-end in combination with Content Distribution Networks (CDN) to denote the status of the current request.
  • Possible values: string, true if the current request originates from a browser where the user is logged in.
  • Expiration: at session end.
  • Encryption: none.
  • Example: jive.user.loggedin="true"
jive_wysiwygtext_height
This cookie is used on the front-end to persist the height of the editor window across sessions.
  • Possible values: integer, the height in pixels of the editor after the user chooses to expand the editor window.
  • Expiration: one year.
  • Example: jive_wysiwygtext_height="500"
jive_default_editor_mode
This cookie is used on the front-end for guest/anonymous users who choose to use an editor mode other than the default editor mode.
  • Possible values: string, advanced.
  • Expiration: 30 days.
  • Encryption: none.
  • Example: jive_default_editor_mode="advanced"
clickedFolder
This cookie is used in the Admin Console to persist the open/closed status of the current folder as used in various tree-view portions of the Admin Console.
  • Possible values: string, true, or false.
  • Expiration: at session end.
  • Encryption: none.
  • Example: clickedFolder="true"
highlightedTreeviewLink
This cookie is used in the Admin Console to persist the current folder as used in various tree-view portions of the Admin Console.
  • Possible values: integer, the DOM ID of the clicked folder.
  • Expiration: at session end.
  • Encryption: none.
  • Example: highlightedTreeviewLink="23"
jiveLocale
This cookie is used on the front-end for guest/anonymous users who choose a locale setting.
  • Possible values: string, locale code.
  • Expiration: 30 days.
  • Encryption: none.
  • Example: jiveLocale="en_US"
jiveTimeZoneID
This cookie is used on the front-end for guest/anonymous users who choose a timezone setting.
  • Possible values: string, timezone ID.
  • Expiration: 30 days.
  • Example: jiveTimeZoneID="234"
jive-cookie
This cookie is used in the Admin Console to temporarily persist an encrypted username/password when creating a bridge between two sites. The information in the cookie is first encrypted with AES/256 encryption and then Base64 encoded.
  • Possible values: string, Base64 encoded, encrypted username/password of remote site.
  • Expiration: at session end.
  • Encryption: yes.
  • Example: jive-cookie="YWFyb246MTMxNTU4MjUzNTI3MDoyZDUyODNmZjhhNjExZTdlMTcyMGZhYjVhNWNkNjI0Yg"
jive.user.lastvisited
This cookie is used on the front-end to store the last time the user visited the site.
  • Possible values: long, value in milliseconds that represents the time of the login.
  • Expiration: 30 days.
  • Encryption: none.
  • Example: jive.user.lastvisited="1315292400000"
linkedin_oauth_
This cookie is used to communicate and authenticate with LinkedIn.
Parent topic: Jive Security

Powered by Jive Software
© 1999-2013 Jive Software. All rights reserved. Follow us on Twitter @JiveSoftware