Cookies

  • Latest Dynatrace
  • 8-min read

Apart from HTTP requests and headers, Dynatrace Real User Monitoring (RUM) also relies on browser cookies to correlate user interactions in the browser, such as user actions, with general page and backend performance metrics.

Dynatrace uses cookies to:

  • Monitor website performance
  • Analyze website usage
  • Track user behavior

The data stored in cookies doesn't contain any personal or sensitive data. The data stored in cookies is made up of random values, timestamps, and data that is required to identify the applications in your monitored environment correctly.

Dynatrace cookies

The following tables provide an overview of cookie usage in Dynatrace. These are all first-party cookies.

Note that if you use Dynatrace to monitor your own customers' websites, you can reuse the cookie information detailed in the tables below for your organization's cookie policy.

Dynatrace RUM cookies

1

For details, see RUM cookie names.

2

The rxVisitor cookie is permanent only when the Use persistent cookies for user tracking option is turned on.

Dynatrace web UI cookies

The table below contains cookies placed in the Dynatrace web UI for single sign-on (SSO). Depending on the infrastructure provider used, Dynatrace might place additional cookies, for example, AWSALB and AWSALBCORS.

Dynatrace web server cookies

Dynatrace cookies are essential for leveraging all the benefits of Real User Monitoring, so Dynatrace usually creates these tracking cookies automatically. However, to ensure your end users' privacy, you might want to provide them with an opportunity to accept or decline the usage of Dynatrace cookies. This is called opt-in mode.

If your users decline the usage of Dynatrace cookies, Real User Monitoring won't work to its full potential.

When cookie opt-in mode is enabled, RUM is turned off by default, and Dynatrace sets no cookies. When an end user accepts your cookie policy, RUM is enabled by calling dtrum.enable() within the RUM JavaScript. Following this method invocation, Dynatrace creates the tracking cookies and activates RUM.

For details on enabling opt-in mode, see Configure data privacy settings for web applications.

When a lot of cookies are in use, some browsers delete a few cookies arbitrarily. To avoid losing data from such deleted cookies, Dynatrace stores backups of all cookies. When the Use persistent cookies for user tracking option is enabled in your environment or application settings, this backup is stored in localStorage. Otherwise, it's stored in sessionStorage.

Dynatrace stores backups of the following cookies:

  • rxVisitor
  • rxvisitid
  • rxvt
  • dtsrNOSR 1
1

Session Replay Contains the severity of the latest "reason for no Session Replay" message and visitId.

The backup of dtCookie is always stored in sessionStorage, and the backup of ruxitagentjs_<appid or empty>_Store is always stored in localStorage.

dtsrNOSR is stored in localStorage.

Dynatrace also uses localStorage to cache the last monitor beacon response, which contains the RUM JavaScript configuration.

Secure cookies

You can add the Secure cookie attribute to all Dynatrace cookies. By applying this attribute on the Set-Cookie header, you ensure that browsers send these cookies only over secure connections.

Before enabling the Secure cookie attribute, make sure that your application is completely served over secure connections.

To set the Secure cookie attribute

  1. Go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More () > Edit.
  4. From the application settings, select Injection > Cookie.
  5. Turn on Use the Secure cookie attribute for cookies set by Dynatrace.

Dynatrace cookies don't support the HttpOnly attribute. HttpOnly cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies.

Cookies must be included with each request so that Dynatrace can correlate user action and backend performance data. If, in such cases, you use the Secure cookie attribute, it might lead to a loss of visibility into any unencrypted HTTP communication.

SameSite cookies

You can find a great explanation of the SameSite cookie attribute on the web.dev site.

To set the SameSite cookie attribute

  1. Go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More () > Edit.
  4. From the application settings, select Injection > Cookie.
  5. Select the desired SameSite attribute value: None, Lax, or Strict.

If your applicable data privacy law requires you to reduce the lifetime of permanent cookies, you can use a custom configuration property to reduce the lifetime of our permanent rxVisitor cookie.

  1. Go to Web.

  2. Select the application that you want to configure.

  3. In the upper-right corner of the application overview page, select More () > Edit.

  4. From the application settings, select Capturing > Custom configuration properties.

  5. Select Add a custom configuration property and enter the rvcl=[<time-in-months>, 1-24] key-value pair to set your desired cookie lifetime value.

    Indicate the time in months (up to 24). For example, rvcl=12 is 12 months. If custom properties are already configured, append this setting after the | character.

To get to know about automatic cookie domain determination and learn how to set the cookie placement domain, see Configure the RUM cookie domain for web applications.

A <cookie_suffix> is added to the cookie name for environments created in Dynatrace version 1.294+. The full cookie names can be retrieved using the API as described in RUM cookie names API - GET cookie names. To find them in the web UI

  1. Go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More () > Edit.
  4. From the application settings, select Injection > Cookie.
  5. The cookie names are displayed on the top of the page.