Visitors, Visits and Cookies
For the Relevance Module to work across requests, the site needs to be able to track the visitor. For this purpose a cookie is used, with the name _visitor and an expiration time of 2 years. The cookie contains the visitor ID. Note that this is very similar to the way a regular HTTP session ID is stored.
The only information that is stored in the cookie is the visitor ID, a UUID that does not contain any information in itself apart from an identifier to distinguish the visitor from other visitors.
This cookie is likely to fall under the 'Activities unlikely to fall within the exception' section of the cookie guidance document:
Cookies used to recognise a user when
they return to a website so that the
greeting they receive can be tailored
This implies that visitors do need to acknowledge that a cookie will be installed.
A returning visitor is identified solely by the fact that a cookie is available on the first request.
The visitor data is persisted in a shared backend SQL database. Since the Relevance Module uses a dedicated cookie, requests can be served by any site node; there is no need for (sticky) http sessions.
If, for security reasons, you want the _visitor cookie to be HttpOnly, you can achieve this by configuring:
+ targeting:targeting - targeting:cookiesHttpOnly = true
If not configured, by default, the _visitor cookie won't be http only.