Workday Cookie Details
Table of Contents
- External Career Sites powered by Workday
- Workday Application
- Workday Adaptive Planning
- Workday Extend
- External Student Sites powered by Workday
- Workday HiredScore
- Workday VNDLY
Cookies are small data files that are placed or accessed on your device when you visit websites or other digital properties. Some digital properties, such as mobile applications, might use similar but different technologies (such as pixels or SDKs). For ease of reference, we use the term cookie to include these technologies too.
Workday only uses so-called required cookies to deliver its enterprise cloud applications. Required cookies are necessary for the website to function and enable basic features of the website to function. Workday sets those cookies and calls them first-party cookies. Under the ePrivacy Directive, cookies are strictly necessary to provide an internet service explicitly requested by the user doesn't require obtaining the consent of users.
External Career Sites Powered by Workday
Career sites powered by Workday drop these required cookies:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Session experience | PLAY_LANG, PLAY_SESSION, timezoneOffset, wd-browser-id wday_vps_cookie CXS_SESSION | User, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | 1st party | Session |
Security management | TS* | Helps prevent cyber attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies sent between the web server and the client aren’t altered. | 1st party | Session |
Security management | CALYPSO_CSRF_TOKEN | Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the career site | 1st party | Session |
Security management | __cf_bm | Identifies and mitigates automated traffic to protect the Platform from malicious bots. | 1st party | After 30 mins of inactivity |
Load balancing | Naming convention of WorkdayLB_* WorkdayLB_UICLIENT, WorkdayLB_SAS | Forwards requests for a single session to the same server for consistency of service. | 1st party | Session |
Organizations applying Workday Career Sites might enable one or more of the discretionary features that use cookies or similar technologies. The below table provides further detail on these optional cookies:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Cookie preference | enablePrivacyTracking | Boolean tracker to capture user preference for nonesssential cookies from External Career Site Cookie Banner | 1st party | Session |
Performance (analytics) | Google Analytics:
| Delivers Google Analytics data as the nominated Tracking ID for External Site traffic metrics | 1st party | 400 - 730 days |
Functional (Apply with LinkedIn) |
| Supports the Apply with LinkedIn feature. For details, contact LinkedIn. See sample Apply with LinkedIn reference materials. | 3rd party | Session (JSESSIONID, lang) 2 years the rest. |
Workday Application
Workday’s enterprise cloud application drops these required cookies:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Session experience |
| User, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | 1st party | Session |
Security management
| TS* | Helps prevent cyberattacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies that are sent between the web server and the client aren’t altered. | 1st party | Session |
deviceID | Uses deviceID to support the Trusted Devices feature. It expires after 1 year (See Trusted Devices FAQ for configuring trusted devices). | 1st party | 1 year | |
__cf_bm | Identifies and mitigates automated traffic to protect the Platform from malicious bots. | 1st party | After 30 mins of inactivity | |
_cfuvid | The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule. Is only used to enable the Cloudflare WAF to distinguish individual users who share the same IP address. | 1st party | Session | |
Load balancing |
| Forwards requests for a single session to the same server for consistency of service. | 1st party | Session |
__cflb | Enables Cloudflare to return an end user to the same customer origin for a specific period of time configured by the customer. This process enables the end user to have a smooth experience. | 1st party | 11 hours |
Workday Adaptive Planning
Workday’s enterprise cloud application Adaptive Planning drops these required cookies:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Session management | JSESSIONID | Session ID for a user's session. Maintains authenticated session across subsequent requests | 1st party | Session |
| For auth and other app functionality, since integration web requests from inside the iframe go straight to the Integration webserver. | 1st party | Session | |
Security management | XSRF-TOKEN Csrf-Token | Prevents cross-site request forgery attacks on the application. | 1st party | Session |
User preference | AILastLogin AIUserName | AILastLogin cookie is set to know if the logged in user is an existing or new user. AIUserName cookie saves the username in the browser for future login convenience | 1st party | 90 days 30 days |
Workday Extend
The cookies in use on the Workday Extend developer platform are documented below; they're determined to be strictly necessary to maintain the session and support the use of the developer platform:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Session management | wday-access-token | The wday-access-token is an opaque JWT that resembles a user’s session in Extend, and is used to authorize all requests to services related to application development, and Extend account management. | 1st party | Session |
Session management | wcp-org-uuid | The org uuid cookie is the customer’s current organization context. It's used by the web application client to appropriately render the application and call the correct apis. This cookie drives the entire account context that a user is working in, and is needed by both the client, and iframed services such as our analytics charts. | 1st party | Session |
Session management | WCP_SESSION | Session cookie for maintaining the platform session. It contains session ID, expiration, and HMAC value. | 1st party | 70 minutes |
Session management | PLAY_SESSION | Autogenerated when interacting with a Play Application. Only used in Octopaas Admin Console to store sessionJti. OtherwiseWCP_SESSION cookie is used. | 1st party | Session |
Session management | AWSALB | Used by AWS Application Load Balancers (ALB) to manage sticky sessions, ensuring that subsequent requests from a client are routed to the same target (Example: EC2 instance) within a target group. | 1st party | 1 week |
Session management | AWSALBCORS | Created by Amazon as part of their web services unit for applications that use load balancers. It manages the number of users visiting a website at any one-time to prevent system overload from too much simultaneous activity | 1st party | 1 week |
Security management | _csrf | Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the Extend Developer site | 1st party | Session |
Session management | AB_SESSION | Session ID for DevTools server and App Builder to store session-related data. | 1st party | Session |
Security management | AB-XSRF-TOKEN | Prevents cross-site request forgery attacks on the application. | 1st party | Session |
Security management | __cf_bm | Identifies and mitigates automated traffic to protect the Platform from malicious bots. | 1st party | Session |
Security management | _cfuvid | The _cfuvid cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to enable the Cloudflare WAF to distinguish individual users who share the same IP address. | 1st party | Session |
Security management | tenant-access-token-<uuid> | Tenant access token used for interacting with the customer’s tenant from the developer site, typically an IMPL, SBX tenant. | 1st party | Session |
Security management | quickview-tenant-access-token-<uuid> | Tenant access token used for previewing Extend application pages from the developer site, typically an IMPL, SBX tenant. | 1st party | Session |
Security management | XSRF-TOKEN | Orchestration Builder cross-site request forgery protection. | 1st party | Session |
Session management | FB_SESSION | Session ID for Orchestration builder for OB server to store session related data. | 1st party | Session |
Session management | build-select | Used in nonprod environments only as a toggle for enabling and disabling features. | 1st party | Session |
Session management | page-inspector-enabled | Toggles whether a user has enabled the page inspector feature in the app builder. | 1st party | Session |
Session management | quickview-copilot-generate-id | ID associated with a Co-pilot response. Used to tell App Preview that a special set of content should be rendered (co-pilot generated + app in the session). | 1st party | Session |
Session management | SB_SESSION | Session ID for Studio builder for SB server to store session-related data | 1st party | Session |
Security management | XSRF-TOKEN | Studio Builder cross-site request forgery protection | 1st party | Session |
External Student Sites Powered by Workday
External Student sites powered by Workday drop these required cookies:
Cookie subgroup | Cookies | Description | Cookie Type | Cookie Duration |
|---|---|---|---|---|
Session experience |
| User, device, and session ID cookies along with timestamp cookies for timing out sessions after inactivity. These cookies expire at the end of the session. | 1st party | Session |
Security management | TS* | Helps prevent cyber attacks on the user’s interactions with the enterprise cloud applications. Verifies that the domain and subdomain cookies sent between the web server and the client aren’t altered. | 1st party | Session |
Security management | CALYPSO_CSRF_TOKEN | Contains a CSRF token to prevent cross-site request forgery attacks, that is, to prevent a user from carrying out unintended operations on the career site. | 1st party | Session |
Security management | __cf_bm | Identifies and mitigates automated traffic to protect the platform from malicious bots. | 1st party | After 30 minutes of inactivity |
Load balancing | Naming convention of WorkdayLB_* WorkdayLB_UICLIENT, WorkdayLB_SAS | Forwards requests for a single session to the same server for consistency of service. | 1st party | Session |
Organizations using Workday external Student sites can enable Google Analytics, which uses cookies or similar technologies. This table provides further detail on the cookies that can be used in this case:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Cookie preference | enablePrivacyTracking | Boolean tracker to capture user preference for nonesssential cookies from External Student Site Cookie Banner | 1st party | Session |
Performance (analytics) | Google Analytics:
| Delivers Google Analytics data as the nominated Tracking ID for External Student Site traffic metrics. | 1st party | 400 - 730 days |
Workday HiredScore
The cookies in use on the Workday HiredScore platform are documented below. They're necessary to maintain the session and support the use of the HiredScore platform:
Cookie subgroup | Cookies | Description | Cookie type | Cookie duration |
|---|---|---|---|---|
Session management | AWSALB | Used by AWS Application Load Balancers (ALB) to manage sticky sessions, ensuring that subsequent requests from a client are routed to the same target (Example: EC2 instance) within a target group. | 1st party | 1 week |
Session management | AWSALBCORS | Created by Amazon as part of their web services unit for applications that use load balancers. It manages the number of users visiting a website at any one-time to prevent system overload from too much simultaneous activity | 1st party | 1 week |
Session management | k8s_opt_in | This cookie was used as part of the gradual rollout moving from EC2 machines to K8S clusters of our application. | 1st party | 24 hours |
Session management | last_activity | Timestamp value to handle session timeouts based on inactivity. | 1st party | Session |
Session management | session | Session activity details to preserve continuity. | 1st party | Session |
Session management | session_id | Session ID for a user's session. To maintain an authenticated session across subsequent requests | 1st party | Session |
Workday VNDLY
The cookies in use on the Workday VNDLY platform are documented below; they're determined to be strictly necessary to maintain the session and support the use of the VNDLY platform:
Cookie subgroup | Cookie name | Description | Type (party) | Duration |
|---|---|---|---|---|
Security Management | csrftoken | An encrypted and signed token to prevent cross-site request forgery attacks on the application. | 1st party | Session |
Session Management | sessionid | Unique session ID including authentication information for the user. | 1st party | Session |
Session experience |
- Local Storage | UI setting and navigation options to provide a consistent experience for the user. | N/A as localStorage item | Until the browser cache is cleared. |
Session experience | l10n* - Local Storage | Provides support for multiple languages and translations. | N/A as localStorage item | Until the browser cache is cleared. |