Workday Cookie Details
Table of Contents
- External Career Sites powered by Workday
- Workday Application
- Workday Adaptive Planning
- Workday Extend
Cookies are small data files that are placed or accessed on your device when you visit websites or other digital properties. Some digital properties, such as mobile applications, might use similar but different technologies (such as pixels or SDKs). For ease of reference, we use the term cookie to include these technologies too.
Workday uses only so-called required cookies to deliver its enterprise cloud applications. Required cookies are necessary for the website to function and enable its basic features. Workday sets these cookies itself and refers to them as first-party cookies. Under the ePrivacy Directive, cookies that are strictly necessary to provide an internet service explicitly requested by the user do not require obtaining the consent of users.
External Career Sites Powered by Workday
Career sites powered by Workday drop these required cookies:
| Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
| Session experience | PLAY_LANG, PLAY_SESSION, timezoneOffset, wd-browser-id, wday_vps_cookie, CXS_SESSION | Session experience - user, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | First party | Session |
| Security Management | TS* | Security Management - Helps prevent cyber attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies sent between the web server and the client aren’t altered. | First party | Session |
| Security Management | CALYPSO_CSRF_TOKEN | Security Management - Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the career site. | First party | Session |
| Security Management | __cf_bm | Security Management - To identify and mitigate automated traffic to protect the Platform from malicious bots. | First party | After 30 mins of inactivity |
| Load balancing | Naming convention of WorkdayLB_*: WorkdayLB_UICLIENT, WorkdayLB_SAS | Load balancing - to forward requests for a single session to the same server for consistency of service. | First party | Session |
Organizations leveraging Workday Career Sites may enable one or more of the discretionary features that use cookies or similar technologies. The following table provides further detail on these optional cookies:
| Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
| Cookie preference | enablePrivacyTracking | Boolean tracker to capture the user's preference for non-essential cookies from the External Career Site cookie banner. | First party | Session |
| Performance (Analytics) | Google Analytics: | Analytics - to deliver Google Analytics data to the nominated Tracking ID for External Site traffic metrics. | First party | 400 - 730 days |
| Functional (Apply with LinkedIn) | | Supports the Apply with LinkedIn feature. For details connect with LinkedIn. See sample Apply with LinkedIn reference materials. | Third party | Session (JSESSIONID, lang); 2 years for the rest |
Workday Application
Workday’s enterprise cloud application drops these required cookies:
| Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
| Session experience | PLAY_LANG, PLAY_SESSION, timezoneOffset, helpLastCheckin, JSESSIONID, LastUserActivity, learningLastCheckIn, SessionTimeoutMS, UserSignedIn, sessionLoggingInfo, uid, wd-alt-sessionid, wd-browser-id | Session experience - user, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | First party | Session |
| Security Management | TS* | Security Management - Helps prevent cyber-attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies that are sent between the web server and the client aren’t altered. | First party | Session |
| Security Management | deviceID | Uses deviceID to support the Trusted Devices feature. It expires after 1 year (see the Trusted Devices FAQ for configuring trusted devices). | First party | 1 year |
| Security Management | __cf_bm | Security Management - To identify and mitigate automated traffic to protect the Platform from malicious bots. | First party | After 30 mins of inactivity |
| Security Management | _cfuvid | Security Management - The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address. | First party | Session |
| Load balancing | Naming convention of WorkdayLB_*: WorkdayLB_BP, WorkdayLB_MICROSCOPE, WorkdayLB_PEX, WorkdayLB_SAS, WorkdayLB_TALK, WorkdayLB_TALK_rest, WorkdayLB_TALK_ws, WorkdayLB_UI, WorkdayLB_UIAUTHGWY, WorkdayLB_USB, WorkdayLB_VPS2, WorkdayLB_WDRIVE_client, WorkdayLB_WDRIVE_server_rest, WorkdayLB_WDRIVE_server_ws | Load balancing - to forward requests for a single session to the same server for consistency of service. | First party | Session |
| Load balancing | __cflb | Load balancing - The __cflb cookie allows Cloudflare to return an end user to the same customer origin for a specific period of time configured by the customer. This allows the end user to have a seamless experience. | First party | 11 hours |
Workday Adaptive Planning
Workday’s enterprise cloud application Adaptive Planning drops these required cookies:
| Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
| Session Management | JSESSIONID | Session ID for a user's session, used to maintain the authenticated session across subsequent requests. | First party | Session |
| Session Management | *.adaptive.Account.UserData, *.adaptive.Account.Flags, *.adaptive.Account.DisplayName, *.adaptive.Account.Authentication, *.adaptive.Account.AlternateEmail | Integration web requests from inside the iframe go straight to the Integration web server and so need cookies for auth and other app functionality. | First party | Session |
| Security Management | XSRF-TOKEN, Csrf-Token | To prevent cross-site request forgery attacks on the application. | First party | Session |
| User Preference | AILastLogin, AIUserName | The AILastLogin cookie is set to know whether the logged-in user is an existing or new user. The AIUserName cookie saves the username in the browser for future login convenience. | First party | 90 days, 30 days |
Workday Extend
The cookies in use on the Workday Extend developer platform are documented below; they are determined to be strictly necessary to maintain the session and support the use of the developer platform:
| Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
| Session Management | wday-access-token | The wday-access-token is an opaque JWT that resembles a user’s session in Extend, and is used to authorize all requests to services related to application development, as well as Extend account management. | First party | Session |
| Session Management | wcp-org-uuid | The org uuid cookie is the customer’s current organization context, which is used by the web application client to appropriately render the application and call the correct APIs. This cookie drives the entire account context that a user is working in, and is needed by both the client and iframed services such as our analytics charts. | First party | Session |
| Session Management | WCP_SESSION | Session cookie for maintaining the platform session; it contains the session ID, expiration, and HMAC value. | First party | 70 minutes |
| Session Management | PLAY_SESSION | Auto-generated when interacting with a Play Application. Only used in the Octopaas Admin Console to store sessionJti. Otherwise, the WCP_SESSION cookie is used. | First party | Session |
| Session Management | AWSALB | Used by AWS Application Load Balancers (ALB) to manage sticky sessions, ensuring that subsequent requests from a client are routed to the same target (e.g., EC2 instance) within a target group. | First party | 1 week |
| Session Management | AWSALBCORS | It was created by Amazon as part of their web services unit for applications that use load balancers. It manages the number of users visiting a website at any one time to prevent system overload from too much simultaneous activity. | First party | 1 week |
| Security Management | _csrf | Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the Extend Developer site. | First party | Session |
| Session Management | AB_SESSION | Session ID for DevTools server/App Builder to store session-related data. | First party | Session |
| Security Management | AB-XSRF-TOKEN | To prevent cross-site request forgery attacks on the application. | First party | Session |
| Security Management | __cf_bm | To identify and mitigate automated traffic to protect the Platform from malicious bots. | First party | Session |
| Security Management | _cfuvid | The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address. | First party | Session |
| Security Management | tenant-access-token-<uuid> | Tenant access token used for interacting with the customer’s tenant from the developer site; typically an IMPL, SBX tenant. | First party | Session |
| Security Management | quickview-tenant-access-token-<uuid> | Tenant access token used for previewing Extend application pages from the developer site; typically an IMPL, SBX tenant. | First party | Session |
| Security Management | XSRF-TOKEN | Orchestration Builder cross-site request forgery protection. | First party | Session |
| Session Management | FB_SESSION | Session ID for Orchestration Builder for the OB server to store session-related data. | First party | Session |
| Session Management | build-select | Used in non-prod environments ONLY as a toggle for enabling/disabling features. | First party | Session |
| Session Management | page-inspector-enabled | Toggles whether a user has enabled the page inspector feature in App Builder. | First party | Session |
| Session Management | quickview-copilot-generate-id | ID associated with a Copilot response. Used to tell App Preview that a special set of content should be rendered (Copilot-generated + app in the session). | First party | Session |
| Session Management | SB_SESSION | Session ID for Studio Builder for the SB server to store session-related data. | First party | Session |
| Security Management | XSRF-TOKEN | Studio Builder cross-site request forgery protection. | First party | Session |