• Home
  • How to use Dynatrace
  • Data privacy and security
  • Data privacy
  • Cookies

Cookies

Apart from HTTP requests and headers, Dynatrace Real User Monitoring (RUM) also relies on browser cookies to correlate user interactions in the browser, such as user actions, with general page and backend performance metrics.

Cookies are used to:

  • Monitor site performance
  • Analyze website usage
  • Track user behavior

The data stored in cookies is made up of random values, time stamps, and data that are required to correctly identify the applications in your monitored environment. The RUM JavaScript must be able to set and modify these cookies. This means that Dynatrace cookies don't support the HTTPOnly flag. Cookies must be included with each request so that user actions can be correlated with backend performance.

You can use the Secure cookie flag; however, this leads to loss of visibility into any unencrypted HTTP communication.

Dynatrace cookies

The following table provides an overview of cookie usage in Dynatrace. These are all first-party cookies.

Note that if you use Dynatrace to monitor your own customers' websites, you may reuse the cookie information detailed in the table below for your organization's own cookie policy.

Migration to the new dtCookie format

Starting with Dynatrace version 1.215, the dtCookie format changed as indicated in the table below. Note that the automatic migration to the new dtCookie format will happen in Dynatrace SaaS version 1.233 and Dynatrace Managed version 1.234.

CookieStructureExpiresMax sizePurpose
dtCookie1

v1 session state: value$value|key1|value1|key2|value2|keyN|valueN
v3 session state: =3=key1=value1=key2=value2=keyN=valueN
v4 session state: v_4_key1_value1_key2_value2_keyN_valueN

Possible keys include:

  • srv
  • sn
  • mvisitor
  • msn
  • perc
  • ol
  • mul
  • app:appID

v1 example: 7$4D3133F359A76AB05AAF39691696858A|6553c6d885d99eec|1|b271251279634e2d|1
v2 example: =3=srv=7=sn=4D3133F359A76AB05AAF39691696858A
v3 example: v_4_srv_7_sn_4D3133F359A76AB05AAF39691696858A

sessionNo set limitation but usually less than 100 BTracks a visit across multiple requests.
dtLatCnumeric valuesession5 BMeasures server latency for performance monitoring.
dtPCserverID$randomValue_currentMillisvrandomValueeeventCountsession58 BRequired to identify proper endpoints for beacon transmission; includes session ID for correlation.
dtSa2URL-encoded action namesessionMax number of characters in the URLIntermediate store for page-spanning actions
dtValidationCookieThe dTValidationCookieValue string.Deleted after a few milliseconds, no expiry date set.Length of dTValidationCookieValue string, that is 23Used to determine the top-level domain.
rxVisitorvisitorIDpermanent45 BVisitor ID to correlate sessions
rxvttimestamp|timestampsession27 BSession timeout
1

Dynatrace version 1.215+. For earlier versions, see dtCookie Dynatrace version 1.214 and earlier.

2

The dtSa cookie is used to save user action names, such as Click on Login, across different pages. This is required because page loads result in JavaScript code restart, so all contextual information must be stored in cookies.

dtCookie Dynatrace version 1.214 and earlier
CookieStructureExpiresMax sizePurpose
dtCookie

v_4_key1_value1_key2_value2_key3_value3 or
=3=key1=value1=key2=value2=keyN=valueN
Possible keys include:

  • srv
  • sn
  • mvisitor
  • msn
  • perc
  • ol
  • mul
  • app:appID
sessionNo set limitation, but usually less than 100 BTracks a visit across multiple requests.

Cookie opt-out capability

Dynatrace cookies are essential for providing you with all the benefits of Real User Monitoring. If you provide your users with the option to decline the use of these cookies, Real User Monitoring won't work to its full potential.

To provide your end users with a cookie opt-out capability, Dynatrace must be configured appropriately. Usually Dynatrace creates tracking cookies automatically. When using cookie opt-in mode, Dynatrace RUM tracking is disabled by default and no cookies are created. When an end user accepts your cookie policy (opt-in mode), Dynatrace RUM is enabled by calling dtrum.enable() within the RUM JavaScript. Following this method invocation, Dynatrace tracking cookies are created and RUM is activated.

For details on configuring cookie opt-out mode, see Configure Real User Monitoring according to GDPR.

Cookie storage

When a lot of cookies are in use, some browsers delete a few cookies at random. To avoid losing data from such deleted cookies, Dynatrace stores backups of all cookies. When Use persistent cookies for user tracking is enabled, this backup is stored in localstorage. Otherwise, it's stored in sessionstorage.

Persistent cookies

Dynatrace stores backups of the following cookies:

  • rxVisitor
  • rxvisitid
  • rxvt
  • rxec

The backup of dtCookie is always stored in sessionStorage and the backup of ruxitagentjs_<appid or empty>_Store is always stored in localstorage.

Dynatrace also uses localStorage to cache the last monitor beacon response, which contains the RUM JavaScript configuration.

Secure cookies

Dynatrace allows you to set the Secure cookie attribute for all cookies that are set by Dynatrace. By applying this attribute (flag) on the Set-Cookie header, you ensure that the browser sends these cookies only over secure connections.

Note that Dynatrace cookies don't support HTTPOnly. Cookies must be included with each request so that user actions can be correlated with backend performance. If, in such cases, you use the Secure cookie flag, the flag may lead to loss of visibility into any unencrypted HTTP communication.

Before enabling the Secure cookie flag, make sure the application is completely served over secure connections.

To set the Secure cookie flag

  1. In the Dynatrace menu, select Web.

  2. Select the application for which you want to set the Secure cookie flag.

  3. On the application overview page, select More (…) > Edit.

  4. From the application settings, go to Capturing > Advanced setup.

  5. Scroll to Cookie and header settings, and enable Use the Secure cookie attribute for cookies set by Dynatrace.

    Setting the Secure cookie flag

SameSite cookies

You can find a great explanation of the SameSite cookie attribute on the web.dev site.

To set the SameSite attribute

  1. In the Dynatrace menu, select Web.
  2. Select the application for which you want to set the SameSite attribute.
  3. On the application overview page, select More (…) > Edit.
  4. From the application settings, go to Capturing > Advanced setup.
  5. Scroll to Cookie and header settings and select the desired SameSite cookie attribute.

rxVisitor cookie lifetime value

If your applicable privacy law requires you to reduce the lifetime of permanent cookies, you can use a custom configuration property to reduce the lifetime of our permanent rxVisitor cookie.

  1. In the Dynatrace menu, select Web.
  2. Select the application for which you want to set the cookie lifetime.
  3. On the application overview page, select More (…) > Edit.
  4. From the application settings, go to Capturing > Advanced setup.
  5. Scroll to JavaScript library.
  6. Under Custom configuration properties, add the rvcl=[<time-in-months>, 1-24] key-value pair to set your desired cookie lifetime value. Indicate the time in months (up to 24). For example, rvcl=12 is 12 months. If custom properties are already configured, append this setting after the | character.