Cookies in General
The table below describes all cookies that may be set by App Suite Middleware to maintain user session state across HTTP requests. The information in this article can be used to answer corresponding GDPR inquiries.
Important: This article does not list every cookie that may be set for OX App Suite. Other components, such as App Suite UI and custom integrations (especially authentication plugins and advertisement integrations), might set additional cookies.
| Name | Example Value | Domain | Path | Lifetime | Secure? | HTTP only? | Description | Contains PII? |
|---|---|---|---|---|---|---|---|---|
| JSESSIONID | 2648017316273288615.OX1 | <webmail> | / | user session | yes | yes | Identifies the target node in an application cluster and the corresponding HTTP session therein. | no |
| open-xchange-secret-<hash> | 1b9910afdf4642039adf41750d3e6079 | <webmail> | / | user session | yes | yes | Identifies a user session within an application cluster. It is not sufficient on its own to perform requests; a session ID is always needed as part of the request parameters. | no |
| open-xchange-public-session-<hash> | b5f9f78dfc5f45d5b791bc37cd972fb0 | <webmail> | / | user session | yes | yes | Identifies a user session within an application cluster. Grants access to a limited set of resources without a session ID as part of the request parameters. | no |
| open-xchange-session-<hash> | 0feaa4e6f4ac43c08d434f1328d5f9f9 | <webmail> | / | user session | yes | yes | Contains a session ID that is used to re-establish an existing session as part of the auto-login mechanism. | no |
| open-xchange-shard | default | <webmail> | / | user session | yes | yes | Identifies an application cluster in a potentially multi-shard environment. | no |
| open-xchange-saml-<hash> | 3b5ca0a4e1ed46d28cfaf415b77075c8 | <webmail> | / | user session | yes | yes | Contains a session lookup key that is used to re-establish an existing session as part of the auto-login mechanism for SAML SSO. | no |
| open-xchange-oidc-<hash> | f820fa31fe824b31bb34955a03176425 | <webmail> | / | user session | yes | yes | Contains a session lookup key that is used to re-establish an existing session as part of the auto-login mechanism for OpenID Connect SSO. | no |
<hash>: A hash value based on certain HTTP request parameters that are supposed to be unique per user session.
<webmail>: Domain under which the App Suite web interface is directly available, e.g.
To route HTTP requests to their correct App Suite shard, an additional cookie is needed to identify the corresponding server. As most requests are authenticated and coupled to a session, the sharding cookie is aligned with the usual session cookies. The cookie's name is
This cookie is relevant only for the App Suite HTTP API and is therefore not applied to other HTTP-based protocols such as CardDAV.
The cookie is set after login with the same parameters as the other session cookies, except for the value. The value is loaded from the server configuration and is 'default' if not set otherwise. On every session validation, the cookie's existence and value are also verified. As long as a valid session exists, this cookie will also exist: it is recreated if absent, and its value is adjusted if it differs from the current configuration. The cookie is deleted alongside all other session-related cookies or on expiry.
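To check that a deployment actually emits these cookies with the attributes documented in the table, the following added example (not part of the original article or of OX App Suite) audits captured Set-Cookie header values. The function names, the sample headers and the "0123abcd" hash suffix are constructed for illustration.

```python
# Cookie names from the table on this page. Names in PREFIXES end in a <hash> suffix.
EXACT = {"JSESSIONID", "open-xchange-shard"}
PREFIXES = (
    "open-xchange-secret-", "open-xchange-public-session-",
    "open-xchange-session-", "open-xchange-saml-", "open-xchange-oidc-",
)

def is_documented(name):
    """True if the name matches a cookie listed in the middleware table."""
    return name in EXACT or any(
        name.startswith(p) and len(name) > len(p) for p in PREFIXES)

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(headers):
    """Return (cookie name, finding) pairs for a list of Set-Cookie values."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not is_documented(name):
            # Other components (UI, integrations) may set cookies of their own.
            findings.append((name, "not in middleware table"))
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if attrs.get("path") != "/":
            findings.append((name, "path is not /"))
    return findings

# Constructed sample headers; the "0123abcd" hash suffix is made up.
SAMPLE = [
    "JSESSIONID=2648017316273288615.OX1; Path=/; Secure; HttpOnly",
    "open-xchange-secret-0123abcd=1b9910afdf4642039adf41750d3e6079; Path=/; Secure; HttpOnly",
    "open-xchange-shard=default; Path=/; HttpOnly",
    "open-xchange-session-0123abcd=0feaa4e6f4ac43c08d434f1328d5f9f9; Path=/; Secure",
    "ad-tracker=1; Path=/",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A cookie reported as "not in middleware table" is not necessarily a fault, since other components may set their own cookies; it marks a cookie that needs to be accounted for separately.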
The value of the cookie can be configured by a lean and reloadable property, com.openxchange.server.shardName, whose default value is 'default'. This property is part of the server configuration and should reside in the