Cookies and web storage for RUM and Session Replay
- Latest Dynatrace
- Reference
Dynatrace RUM Classic and the New RUM Experience rely on HTTP headers, cookies, and web storage. The headers used are listed in Firewall constraints for the New RUM Experience. This page describes the cookies and web storage entries used.
Cookies and web storage are used for the following purposes:
- Aggregation of user sessions
- Identification of recurring users
- Persisting the state of RUM features like cost and traffic control
- Correlation of user actions with their server-side traces in RUM Classic
- Keeping the Session Replay recording consistent across pages
The data stored in cookies and web storage doesn't contain any personal or sensitive data. It consists of random IDs, timestamps, boolean flags and configuration.
Cookies
The following table provides an overview of the cookies used in RUM and Session Replay. These are all first-party cookies.
The <suffix> used in the table is explained in Suffix for cookie names and web storage keys.
| Cookie | Structure | Expires | Max size | Purpose |
|---|---|---|---|---|
| v4 session state:
v_4_key1_value1_key2_ Possible keys include:
v4 example:
v_4_srv_7_sn_4D3133F359A76A | Session | No set limitation, but usually less than 100 B | Tracks a visit across multiple requests. |
| <serverID>$<randomValue>_<currentMillis> | Session | 58 B | Required for routing RUM beacons; includes session ID for user session aggregation. |
| <URL-encoded action name> | Session | Max number of characters in the URL | Serves as an intermediate storage for page-spanning actions. This cookie is used to save user action names, such as |
| The string | Deleted after a few milliseconds; no expiry date set | Length of the string | Used to determine the top-level domain. |
| <visitorID> | Session, or permanent if user tracking is turned on | 45 B | Contains the visitor ID to correlate sessions. |
| <timestamp>|<timestamp> | Session | 27 B | Stores the session timeout. |
| <viewID> | Session | 20 B | If Session Replay is enabled, |
| v4 format Possible keys:
Example: v_4_rfnsr_150_vid_CFEOMVJRAQLDWHDQPLMORLTRGUFRLFUM-0_st_1_vwid_1764935792511 | Session | 81 B | If Session Replay is enabled, stores the required values to keep the recording consistent across pages. |
The dtsrVID cookie exists from RUM JavaScript version 1.325+ to RUM JavaScript version 1.333.
The optional dtSR cookie is available from RUM JavaScript version 1.335+.
Configure cookie attributes
Dynatrace RUM does not support the HttpOnly attribute. Since HttpOnly cookies are inaccessible to JavaScript, the RUM JavaScript cannot read or modify them. Ensure that your infrastructure doesn't add the HttpOnly attribute, because this will break monitoring.
If your company's security policy requires the Secure and SameSite cookie attributes, you need to configure RUM to set them, since they aren't set by default; see Configure RUM cookie attributes in the New RUM Experience.
Web storage
RUM and Session Replay use both sessionStorage and localStorage. The following table lists the possible entries. Some of them back up RUM and Session Replay cookies, because browsers may evict cookies when a large number of them are set.
| Key | Storage | Purpose |
|---|---|---|
| Stored in | Backs up the |
|
| Backs up the session ID from the |
|
| Backs up the |
|
| Backs up the |
|
| Backs up the |
|
| Stores the last beacon response, which contains the RUM JavaScript configuration. |
|
| Indicates that persistent values were removed by using the API method |
|
| Stores the severity of the latest "reason for no Session Replay" message and the |
| By default in | Stores the values required to keep the recording consistent across pages when Session Replay is enabled. Exists from RUM JavaScript version 1.335. |
|
| Stores the current tab ID for Session Replay. |
|
| Boolean flag for Session Replay that indicates whether a window was opened programmatically recently. |
Web storage for the New RUM Experience
When the New RUM Experience is enabled, the web storage entries in the following table are persisted in addition to the ones listed in Web storage.
| Key | Storage | Purpose |
|---|---|---|
|
| Identifies the browser tab. |
|
| Stores the current frontend configuration from the beacon response. |
Suffix for cookie names and web storage keys
In environments created in Dynatrace version 1.294+, a suffix is added to cookie names and to the keys of certain web storage entries. In the tables above, this suffix is shown as <suffix>. It prevents interference when different Dynatrace environments have overlapping cookie domains.
If you need the full cookie names to configure your firewalls and other infrastructure, you can retrieve them using the API endpoint RUM cookie names API - GET cookie names. To find them in the UI
- Go to
Experience Vitals > Overview. - Select Web to view all web frontends.
- Select the frontend you want to configure.
- On the Settings tab, select
Open in Settings. - Go to Collect and capture > Frontend > Injection > Cookie.
- The cookie names are displayed on the top of the page.
Allow users to opt in to cookies and web storage
Dynatrace cookies and web storage are required for Real User Monitoring to work. By default, Dynatrace creates them automatically. To protect your end users' privacy, you can give them the option to accept or decline cookies, web storage, and monitoring in general. This is done through opt-in mode.
When opt-in mode is enabled, RUM is disabled by default. As a result, Dynatrace sets no cookies and does not use web storage. After an end user accepts your data privacy policy, your application must call dtrum.enable() through the JavaScript API to start capturing data. Dynatrace creates cookies and writes to web storage only after this method is called.
For details on enabling opt-in mode, see Configure data privacy settings for web frontends.
If users do not opt in, Real User Monitoring remains disabled.