• Home
  • How to use Dynatrace
  • Data privacy and security
  • Data privacy
  • Cookies

Cookies

Apart from HTTP requests and headers, Dynatrace Real User Monitoring (RUM) also relies on browser cookies to correlate user interactions in the browser, such as user actions, with general page and backend performance metrics.

Dynatrace uses cookies to:

  • Monitor website performance
  • Analyze website usage
  • Track user behavior

The data stored in cookies is made up of random values, timestamps, and data that are required to correctly identify the applications in your monitored environment.

Dynatrace cookies

The following tables provide an overview of cookie usage in Dynatrace. These are all first-party cookies.

Note that if you use Dynatrace to monitor your own customers' websites, you can reuse the cookie information detailed in the tables below for your organization's cookie policy.

Dynatrace RUM cookies

Migration to the most recent dtCookie format

Starting with Dynatrace version 1.215, the application overview page shows a call-to-action card that allows you to check the versions of your deployed OneAgents. Updating OneAgents to version 1.167+ is a prerequisite for the migration to our most recent dtCookie format. Migration happens when you switch to the newest beacon protocol or automatically with Dynatrace version 1.234. With this version, all prior dtCookie formats have reached their end of life.

CookieStructureExpiresMax sizePurpose

dtCookie1

v4 session state:
v_4_key1_value1_key2_value2_keyN_valueN

Possible keys include:

  • srv
  • sn
  • mvisitor
  • msn
  • perc
  • ol
  • mul
  • app:<appID>

v4 example:
v_4_srv_7_sn_4D3133F359A76AB05AAF39691696858A

Session

No set limitation, but usually less than 100 B

Tracks a visit across multiple requests.

dtLatC

<numeric value>

Session

5 B

Measures server latency for performance monitoring.

dtPC

<serverID>$<randomValue>_<currentMillis>v<randomValue>e<eventCount>

Session

58 B

Required to identify proper endpoints for beacon transmission; includes session ID for correlation.

dtSa

<URL-encoded action name>

Session

Max number of characters in the URL

Serves as an intermediate storage for page-spanning actions. This cookie is used to save user action names, such as Click on Login, across different pages. This is required because page loads result in JavaScript code restart, so all contextual information must be stored in cookies.

dtValidationCookie

The dTValidationCookieValue string.

Deleted after a few milliseconds; no expiry date set

Length of dTValidationCookieValue string, that is 23

Used to determine the top-level domain.

dtDisabled

<true>

Session

4 B

Determines if the RUM JavaScript should be deactivated due to cost and traffic control or overload prevention.

rxVisitor

<visitorID>

Session or permanent2

45 B

Contains the visitor ID to correlate sessions.

rxvt

<timestamp>|<timestamp>

Session

27 B

Specifies the session timeout.

1

Dynatrace version 1.234+. For earlier versions, see Legacy dtCookie formats before Dynatrace version 1.234.

2

The rxVisitor cookie is permanent only when Use persistent cookies for user tracking option is turned on.

Legacy dtCookie formats before Dynatrace version 1.234
CookieStructureExpiresMax sizePurpose

dtCookie

One of the following:

  • =3=key1=value1=key2=value2=keyN=valueN
  • value$value|key1|value1|key2|value2|keyN|valueN

Possible keys include:

  • srv
  • sn
  • mvisitor
  • msn
  • perc
  • ol
  • mul
  • app:<appID>

Session

No set limitation, but usually less than 100 B

Tracks a visit across multiple requests.

Dynatrace web UI cookies

The table below contains cookies placed in the Dynatrace web UI for single sign-on (SSO). Depending on the infrastructure provider used, Dynatrace might place additional cookies, for example, AWSALB and AWSALBCORS.

CookieExpiresPurpose

b925d32c

Session

Indicates if a user is logged in or not.

ssoCSRFCookie

Session

Serves as cross-site request forgery (CSRF) protection when moving between servlets in SSO.

p23mn32t

5 years

Contains a unique Base32 identifier that indicates to SSO that a user is logging in from a new device. The identifier is created based on the user login, browser, and user agent.

l34kn6no

Session

Stores the OpenID state when SSO acts as a relying party, for example, for signing in with Microsoft using OpenID.

iu2g34bw

Session

Stores the OpenID code_verifier when SSO acts as a relying party, for example, for signing in with Microsoft using OpenID.

a69k21bb

Session

Stores redirect_uri upon successful sign-in when SSO acts as a relying party, for example, for signing in with Microsoft using OpenID.

cgq80xhu

Session

Contains an SHA-256 hash of a random UUID. When a user signs in via OpenID, this cookie is used to track the session state via the SSO OpenID iFrame and perform front-end logout if necessary.

72ddbc27

3 months

Added when a user selects the Remember me option to store their credentials. Thanks to this option, the user doesn't have to provide their credentials again when the session expires, and the user is logged in automatically.

kj76fg4h

5 minutes

Prevents the user from becoming stuck following a failed federated login if the user selected the Remember me option to store their credentials. If the user is signed in, this cookie is deleted.

Dynatrace web server cookies

CookieExpiresPurpose

SRV

1 hour

Load balancer (HA Proxy) session stickiness.

apmsessionid

Session

Web server session cookie.

Cookie opt-out capability

Dynatrace cookies are essential for leveraging all the benefits of Real User Monitoring, so Dynatrace usually creates these tracking cookies automatically. However, to ensure your end users' privacy, you might want to provide them with an opportunity to accept or decline the usage of Dynatrace cookies. This is called opt-in mode.

If your users decline the usage of Dynatrace cookies, Real User Monitoring won't work to its full potential.

When cookie opt-in mode is enabled, RUM is turned off by default, and Dynatrace sets no cookies. When an end user accepts your cookie policy, RUM is enabled by calling dtrum.enable() within the RUM JavaScript. Following this method invocation, Dynatrace creates the tracking cookies and activates RUM.

For details on enabling opt-in mode, see Configure data privacy settings for web applications.

Cookie storage

When a lot of cookies are in use, some browsers delete a few cookies arbitrarily. To avoid losing data from such deleted cookies, Dynatrace stores backups of all cookies. When the Use persistent cookies for user tracking option is enabled in your environment or application settings, this backup is stored in localstorage. Otherwise, it's stored in sessionstorage.

Dynatrace stores backups of the following cookies:

  • rxVisitor
  • rxvisitid
  • rxvt
  • rxec

The backup of dtCookie is always stored in sessionStorage, and the backup of ruxitagentjs_<appid or empty>_Store is always stored in localstorage.

Dynatrace also uses localStorage to cache the last monitor beacon response, which contains the RUM JavaScript configuration.

Secure cookies

You can add the Secure cookie attribute to all Dynatrace cookies. By applying this attribute on the Set-Cookie header, you ensure that browsers send these cookies only over secure connections.

Before enabling the Secure cookie attribute, make sure that your application is completely served over secure connections.

To set the Secure cookie attribute

  1. In the Dynatrace menu, go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More (…) > Edit.
  1. From the application settings, go to Capturing > Advanced setup.
  1. Scroll down to Cookie and header settings, and turn on Use the Secure cookie attribute for cookies set by Dynatrace.

Dynatrace cookies don't support the HttpOnly attribute. HttpOnly cookies are inaccessible to JavaScript, so the RUM JavaScript cannot set and modify such cookies.

Cookies must be included with each request so that Dynatrace can correlate user action and backend performance data. If, in such cases, you use the Secure cookie attribute, it might lead to a loss of visibility into any unencrypted HTTP communication.

SameSite cookies

You can find a great explanation of the SameSite cookie attribute on the web.dev site.

To set the SameSite cookie attribute

  1. In the Dynatrace menu, go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More (…) > Edit.
  1. From the application settings, go to Capturing > Advanced setup.
  1. Scroll down to Cookie and header settings, and select the desired SameSite attribute value: None, Lax, or Strict.

rxVisitor cookie lifetime

If your applicable data privacy law requires you to reduce the lifetime of permanent cookies, you can use a custom configuration property to reduce the lifetime of our permanent rxVisitor cookie.

  1. In the Dynatrace menu, go to Web.
  2. Select the application that you want to configure.
  3. In the upper-right corner of the application overview page, select More (…) > Edit.
  1. From the application settings, go to Capturing > Advanced setup.
  1. Scroll down to JavaScript library.
  2. Under Custom configuration properties, add the rvcl=[<time-in-months>, 1-24] key-value pair to set your desired cookie lifetime value. Indicate the time in months (up to 24). For example, rvcl=12 is 12 months. If custom properties are already configured, append this setting after the | character.

Cookie placement domain

To get to know about automatic cookie domain determination and learn how to set the cookie placement domain, see Configure the RUM cookie domain for web applications.