Workday Cookie Details
Table of Contents
- External Career Sites powered by Workday
- Workday Application
- Workday Adaptive Planning
Cookies are small data files that are placed or accessed on your device when you visit websites or other digital properties. Some digital properties, such as mobile applications, might use similar but different technologies (such as pixels or SDKs). For ease of reference, we use the term cookie to include these technologies too.
Workday only uses so-called required cookies to deliver its enterprise cloud applications. Required cookies are necessary for the website to function and enable basic features of the website to function. Workday sets those cookies and calls them first-party cookies. Under the ePrivacy Directive, cookies strictly necessary to provide an internet service explicitly requested by the user don’t require obtaining the consent of users.
External Career Sites Powered by Workday
Career sites powered by Workday drop these required cookies:
| Cookie Subgroup | Cookies | Description | Cookie Type | Cookie Duration |
| Session experience | PLAY_LANG, PLAY_SESSION, timezoneOffset, wd-browser-id
| Session experience– user, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | First party | Session |
| Security Management | TS* | Security Management - Helps prevent cyber attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies sent between the web server and the client aren’t altered. | First party | Session |
| Security Management | CALYPSO_CSRF_TOKEN | Security Management - Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the career site. | First party | Session |
| Security Management | __cf_bm | Security Management - To identify and mitigate automated traffic to protect the Platform from malicious bots. | First party | After 30 mins of inactivity |
| Load balancing | Naming convention of WorkdayLB_* WorkdayLB_UICLIENT, WorkdayLB_SAS | Load balancing - To forward requests for a single session to the same server for consistency of service. | First party | Session |
Organizations leveraging Workday Career Sites might enable one or more of the discretionary features that use cookies or similar technologies. This table provides further detail on these optional cookies:
| Cookie subgroup | Cookies | Description | Cookie Type | Cookie Duration |
| Cookie preference | enablePrivacyTracking | Boolean tracker to capture user preference for non-esssential cookies from External Career Site Cookie Banner | First party | Session |
| Performance (Analytics) | Google Analytics:
| Analytics - to deliver Google Analytics data to as the nominated Tracking ID for External Site traffic metrics | First party | 400 - 730 days |
| Functional (Apply with LinkedIn) |
| Supports the Apply with LinkedIn feature. For details connect with LinkedIn. See sample Apply with LinkedIn reference materials. | Third party | Session (JSESSIONID, lang) 2 years the rest.
|
Workday Application
Workday’s enterprise cloud application drops these required cookies:
| Cookie Subgroup | Cookies | Description | Cookie Type | Cookie Duration |
| Session experience | PLAY_LANG, PLAY_SESSION, timezoneOffset, wday_vps_cookie enablePrivacyTrackinghelpLastCheckin, JSESSIONID, LastUserActivity, learningLastCheckIn, SessionTimeoutMS, UserSignedIn, sessionLoggingInfo, uid, wd-alt-sessionid, wd-browser-id
| Session experience– user, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | First party | Session |
| Security Management | TS* | Security Management - Helps prevent cyber-attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies that are sent between the web server and the client aren’t altered. | First party | Session |
| deviceID | Uses deviceID to support the Trusted Devices feature. It expires after 1 year (SeeTrusted Devices FAQ for configuring trusted devices). | First party | 1 year | |
| __cf_bm | Security Management - To identify and mitigate automated traffic to protect the Platform from malicious bots. | First party | After 30 mins of inactivity | |
| Load balancing | Naming convention of WorkdayLB_* WorkdayLB_BP, WorkdayLB_MICROSCOPE, WorkdayLB_PEX, WorkdayLB_SAS, WorkdayLB_TALK, WorkdayLB_TALK_rest, WorkdayLB_TALK_ws, WorkdayLB_UI, WorkdayLB_UIAUTHGWY, WorkdayLB_USB, WorkdayLB_VPS2, WorkdayLB_WDRIVE_client, WorkdayLB_WDRIVE_server_rest, WorkdayLB_WDRIVE_server_ws
| Load balancing - to forward requests for a single session to the same server for consistency of service. | First party | Session |
Workday Adaptive Planning
Workday’s enterprise cloud application Adaptive Planning drops these required cookies:
| Cookie Subgroup | Cookies | Description | Cookie Type | Cookie Duration |
| Session Management | JSESSIONID | Session ID for a user's session. To maintain authenticated session across subsequent requests | First party | Session |
*.adaptive.Account.UserData *.adaptive.Account.Flags *.adaptive.Account.DisplayName *.adaptive.Account.Authentication *.adaptive.Account.AlternateEmail | Integration web requests from inside iframe go straight to Integration webserver and so need cookies for auth and other app functionality. | First party | Session | |
| Security Management | XSRF-TOKEN Csrf-Token | To prevent cross-site request forgery attacks on the application. | First party | Session |
| User Preference | AILastLogin AIUserName\ | AILastLogin cookie is set to know if the logged in user is an existing or new user.
| First party | 90 days
30 days
|