Raven and cookies
This is a slightly edited copy of a UCS News announcement, originally posted on 29 June 2012
Additionally, if you use the Apache module provided by University Information Services for interacting with Raven over the Ucam-WebAuth protocol (mod_ucam_webauth), or the Apache Shibboleth module, then you may find the information below helpful. If your server interacts with Raven in some other way, or you use other authentication software, then you may need to identify similar information yourself.
The Information Commissioner's web site at:
Recent guidance from the European advisory Article 29 Working Party on Cookie Consent Exemptions at:
mod_ucam_webauth uses a single cookie to track the user's authentication state. This is a 'session' cookie, which browsers should delete when the user quits. By default it is called 'Ucam-WebAuth-Session' (over http) or 'Ucam-WebAuth-Session-S' (over https), with path '/' and a scope of the host that set it, but the name, path and scope can all be configured in the Apache configuration file as needed (see the AACookieName, AACookiePath and AACookieDomain configuration directives). This cookie contains:
- The value 'Not-authenticated' during the early stages of the authentication process; otherwise the following fields:
- A version number - currently always 1 (included for future expansion)
- A status code from the most recent authentication - '200' for 'success' following a successful authentication.
- An optional message explaining any error (empty following a successful authentication)
- When the user most recently authenticated on this server
- When the user most recently interacted with this server (only maintained if an inactivity timeout is being used - see the AAInactiveTimeout directive)
- The length (in seconds) of the user's authentication session
- A unique ID issued by the Raven server for this authentication event
- The user's CrsID
- A record of how the user was authenticated by the Raven server - currently always 'pwd' for 'provided password' - and whether on this occasion they typed their password or relied on a previously-established identity
- A signature to prevent anyone tampering with the cookie value
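The list above says what the cookie holds, but the point of the signature and the two timestamps is what a server must check before trusting the CrsID it finds inside. The following is an added example, not code from the original announcement or from mod_ucam_webauth itself: a small verifier for a cookie carrying the same fields. The '!' separator, the HMAC-SHA1 signature, Unix-timestamp times, the field names, the key and the sample cookie are all assumptions constructed for this example; the real module's on-the-wire encoding is not described on this page.

```python
# Added example, not code from the original announcement or from mod_ucam_webauth.
# It models the session cookie fields the announcement lists and shows the checks a
# verifier has to make: signature first, then status, lifetime and inactivity.
# Assumptions (not stated on the page): fields are joined with '!', the signature is
# an HMAC-SHA1 over the joined fields, times are Unix timestamps, and the "how was
# the user authenticated" record is split into an 'auth' and an 'sso' field.
import base64
import hashlib
import hmac

# Field order follows the announcement's list; the names are this example's own.
FIELDS = ("ver", "status", "msg", "issue", "last", "life", "id",
          "principal", "auth", "sso")


def sign(key: bytes, payload: str) -> str:
    """HMAC-SHA1 over the joined fields, URL-safe base64 without padding."""
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_cookie(key: bytes, **fields) -> str:
    """Build a signed cookie value; fields not supplied are left empty."""
    payload = "!".join(str(fields.get(name, "")) for name in FIELDS)
    return payload + "!" + sign(key, payload)


def verify_cookie(cookie: str, key: bytes, now: int, inactive_timeout=None):
    """Return (ok, reason, principal).

    No field is interpreted before the signature has been checked, and every
    rejection carries a reason the server can log."""
    if cookie == "Not-authenticated":
        return False, "not-authenticated", None
    parts = cookie.split("!")
    if len(parts) != len(FIELDS) + 1:
        return False, "malformed", None
    payload, sig = "!".join(parts[:-1]), parts[-1]
    # Constant-time comparison on bytes: the signature is what stops tampering,
    # and encoding first avoids a TypeError on non-ASCII attacker input.
    expected = sign(key, payload)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        return False, "bad-signature", None
    f = dict(zip(FIELDS, parts[:-1]))
    if f["ver"] != "1":
        return False, "unknown-version", None
    if f["status"] != "200":
        return False, "status-" + f["status"], None
    try:
        issue, last, life = int(f["issue"]), int(f["last"]), int(f["life"])
    except ValueError:
        return False, "malformed", None
    # Session lifetime: 'issue' is when the user last authenticated here.
    if now >= issue + life:
        return False, "expired", None
    # The inactivity timeout only applies when the server is configured for one
    # (AAInactiveTimeout in mod_ucam_webauth); otherwise 'last' is not maintained.
    if inactive_timeout is not None and now >= last + inactive_timeout:
        return False, "inactive", None
    return True, "ok", f["principal"]


if __name__ == "__main__":
    # Constructed sample values, not a real Raven session.
    key = b"example-server-secret"
    c = make_cookie(key, ver=1, status=200, msg="", issue=1000000, last=1000000,
                    life=3600, id="1234567890", principal="abc123", auth="pwd", sso="")
    print(verify_cookie(c, key, now=1000600))
    print(verify_cookie(c.replace("abc123", "xyz789"), key, now=1000600))
    print(verify_cookie(c, key, now=1000600, inactive_timeout=300))
```

The order of checks matters: a forged or edited cookie must fail on the signature before any of its fields (including the CrsID and the timestamps) is parsed, otherwise an attacker can steer the verifier's behaviour with values it has not yet authenticated.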
The Shibboleth Apache and IIS modules appear to use two session cookies, though this behaviour is explicitly not documented by the Shibboleth developers. Both of these cookies are set with path '/' and a scope of the host that sets them. They are 'session' cookies which browsers should delete when the user quits. These are:
- _shibstate_nnnnnnnn, which is used to maintain limited information during the authentication process and which is actively deleted once this is complete, where 'nnnnnnnn' is a string of hexadecimal digits.
- _shibsession_nnnnnnnnnnnnnnnnnnnnnn, which is used to record the user's authentication state, where 'nnnnnnnnnnnnnnnnnnnnnn' is a string of up to 97 hexadecimal digits.
At least some of the behaviour of these cookies can be influenced by the Shibboleth module's configuration.
Cookies used by the central Raven server
UCS believes that an exemption from obtaining explicit consent is applicable to the Raven server service relating to a user's use of Raven within a single browser session. Note that this exemption DOES NOT apply to persistent cookies that may be set by any user in their Raven account administration page at:
Note that the default behaviour for Raven is to not use a persistent cookie. Persistent cookies are only set at the user's request; in doing so the user gives their consent, and UCS has updated the Account Management interface to make this clear.