This content is archived. See latest version here


This document describes how to implement cookie handling in EPiServer CMS. An EU directive states that site owners are responsible for informing visitors about which cookies are used and what they are used for, and that website visitors must also approve the use of cookies. For more information about the EU directive, the personalization feature, and downloadable statement samples, refer to the article Protecting Your Visitors’ Privacy According to EU Directive on Cookies.

Cookies Used in EPiServer CMS

EPiServer CMS uses the following cookies:

| Cookie Name | Purpose |
|---|---|
| ASP.NET_SessionId | Session cookie sent to the web browser. Used when you open the browser and then go to a website that implements ASP.NET session state. This cookie is deleted when you close your browser. |
| EPi:NumberOfVisits | Used if you are using the Number of Visits personalization criterion. This cookie will not be set if you remove it from all of your visitor groups. |
| .EPiServerLogin, EPiDPCKEY, .ASPXRoles | Only used if you log in to a website. This is not a major problem as long as you clearly state on the login page that cookies will be used if you log in. |
| _utma, _utmb, _utmc, _utmz | Google Analytics cookies that are commonly used on EPiServer websites. These third-party cookies are used to collect information about how visitors use the website. |

Handling Cookies

As a website owner, you need a statement that informs each first-time visitor and explicitly asks whether a cookie may be placed on their computer, mobile phone or other terminal equipment. It is not acceptable to rely solely on the visitor’s web browser cookie settings.
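One way to check a site against the cookie table and the consent requirement above, as an added example that is not EPiServer code: it audits the cookies seen on a first visit and reports any that were set before the visitor approved them, or that are missing from the documented inventory. The audit policy (every cookie set before consent is reported, with its category), the function names, and the sample capture are assumptions made for illustration.

```python
# Added example: cookie names and categories come from the table above;
# the audit policy and all sample values are constructed assumptions.
INVENTORY = {
    "ASP.NET_SessionId": "session",
    "EPi:NumberOfVisits": "personalization",
    ".EPiServerLogin": "login",
    "EPiDPCKEY": "login",
    ".ASPXRoles": "login",
    "_utma": "analytics",
    "_utmb": "analytics",
    "_utmc": "analytics",
    "_utmz": "analytics",
}


def cookie_names(set_cookie_headers, document_cookie):
    """Collect unique cookie names from Set-Cookie headers and a document.cookie string."""
    names = [h.split(";", 1)[0].split("=", 1)[0].strip() for h in set_cookie_headers]
    names += [p.split("=", 1)[0].strip() for p in document_cookie.split(";") if p.strip()]
    return list(dict.fromkeys(n for n in names if n))


def classify(name):
    """Map a cookie name to its documented category, or 'unknown'."""
    if name in INVENTORY:
        return INVENTORY[name]
    # Browsers show the Google Analytics cookies as __utma etc.; accept either form.
    return INVENTORY.get("_" + name.lstrip("_"), "unknown")


def audit(set_cookie_headers, document_cookie, consent_given):
    """Return (name, category, reason) for every cookie that needs attention."""
    findings = []
    for name in cookie_names(set_cookie_headers, document_cookie):
        category = classify(name)
        if not consent_given:
            findings.append((name, category, "set before consent"))
        elif category == "unknown":
            findings.append((name, category, "not in documented inventory"))
    return findings


# Constructed first-visit capture: response headers plus script-set cookies.
SAMPLE_HEADERS = ["ASP.NET_SessionId=abc123; path=/; HttpOnly",
                  "EPi:NumberOfVisits=1; path=/"]
SAMPLE_DOCUMENT_COOKIE = "__utma=1.2.3; __utmz=1.2.3; theme=dark"

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_DOCUMENT_COOKIE, consent_given=False):
        print(finding)
```

Script-set cookies such as the Google Analytics ones never appear in `Set-Cookie` headers, which is why the audit also takes a `document.cookie` string captured in the browser.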

Last updated: Mar 25, 2013