Cookie types
| Cookie | Cookie Name | Provider | Cookie type (per Medallia) | When cookie is stored | Purpose (listed in cookie banner) | Description | Duration | Type | Operational/Support implications if cookie is disabled |
|---|---|---|---|---|---|---|---|---|---|
| Session hash (sh) | sh | Medallia | Technically Necessary | During user authentication after successful login | Authentication - Session validation and security | Stores the session hash for authenticating user sessions and maintaining secure access to the application | Based on user's session duration | HttpOnly SameSite=Lax | User cannot maintain authenticated sessions, will be logged out on each request, application becomes unusable. |
| Session ID (si) | si | Medallia | Technically Necessary | During user authentication after successful login | Authentication - Session identification | Stores the session identifier to track user sessions across requests | Based on user's session duration | HttpOnly SameSite=Lax | User cannot maintain authenticated sessions, will be logged out on each request, application becomes unusable. |
| Language | lng | Medallia | Functional Necessary | When user accesses sign-in page with language parameter or when language preference is set | User Experience - Remember language preference | Stores user's preferred language (en, nl, fr) for the application interface | 1 day | SameSite=Lax | Application will default to English, user will need to select language on each visit. |
| OAuth State | OAuthState | Medallia | Technically Necessary | During OAuth/OpenID Connect authentication flow when redirecting to identity provider | OAuth Security - State parameter validation for CSRF protection | Stores a unique state value (GUID) used to validate OAuth authentication responses and prevent CSRF attacks during the OAuth flow | Based on user's session duration | HttpOnly SameSite=Lax | OAuth/SSO authentication will fail, users cannot authenticate through external identity providers, CSRF protection is compromised. |
| Report Share Session ID (dynamic based on share link) | {shareLink}_rsi | Medallia | Technically Necessary | When accessing shared reports (public or password-protected) and during download with session | Report Sharing - Session identification for shared report access | Stores session ID for accessing shared reports without full authentication | 2 days | HttpOnly SameSite=Lax | Shared reports cannot be accessed, users will need to re-authenticate for each shared report view. |
| Report Share Session Hash (dynamic based on share link) | {shareLink}_rsh | Medallia | Technically Necessary | When accessing shared reports (public or password-protected) and during download with session | Report Sharing - Session validation for shared report access | Stores session hash for validating access to shared reports without full authentication | 2 days | HttpOnly SameSite=Lax | Shared reports cannot be accessed securely, authentication validation will fail. |
| Report Builder Tour Taken | reportBuilderTourTaken | Medallia | Functional Necessary | When user completes or dismisses the report builder tour | User Experience - Remember tour completion status | Stores whether the user has completed the report builder introductory tour to avoid showing it again | 20 years | HttpOnly SameSite=Lax | Report builder tour will be shown repeatedly, degraded user experience. |
| Report Builder Hide Add Element Tip | reportBuilderHideAddElementTip | Medallia | Functional Necessary | When user chooses to hide the "add element" tip/tooltip | User Experience - Remember UI tip preferences | Stores user preference to hide helpful tips about adding elements to reports | 20 years | HttpOnly SameSite=Lax | UI tips will be shown repeatedly, potentially annoying user experience. |
| Session External ID | seid | Medallia | Technically Necessary | During external login when seid parameter is provided | Authentication - Store sign-in URL reference | Stores the sign-in external identifier to track external login sources | 30 days | HttpOnly SameSite=Lax | External login tracking may not work properly, but core login functionality remains. |
| UI App Connection | uiapp | Medallia | Functional/Development | During UI app connection process (non-production environments only) | Development - UI application environment configuration | Stores compressed UI application configuration data for connecting to different environments during development/staging | 1 year | HttpOnly | UI app environment switching may not work, affects development/staging workflows only. |
| Google Analytics User ID | _ga | Analytics | On first page visit | Analytics & performance tracking | Used to distinguish unique users for usage analytics and reporting. | 2 years | Third-party | Website traffic analytics will be inaccurate. | |
| Google Analytics User ID | _ga (cm-internal) | Analytics | On first page visit | Analytics & performance tracking | Tracks user interaction for internal domain analytics. | 2 years | Third-party | Internal analytics reporting will be impacted. | |
| Google Analytics Session State | _ga_{id} | Analytics | On first visit after GA loads | Analytics & performance tracking | Maintains session state and interaction tracking for Google Analytics 4. | 2 years | Third-party | GA4 session tracking will break. | |
| Google Ads Conversion Tracker | _gcl_au | Marketing/Performance | When ad tracking script runs | Advertising & conversion tracking | Used by Google Ads to measure ad campaign effectiveness. | 90 days | Third-party | Ad performance and conversion tracking will fail. | |
| Medallia Experience Identifier | _one_{id} | Medallia | Functional/Analytics | When Medallia services initialize | Digital experience tracking | Identifies a unique visitor for Medallia experience analytics. | 2 years | SameSite=Lax | Medallia digital analytics may not work correctly. |
| Coveo Visitor Identifier | coveo_visitorId | Medallia | Functional/Analytics | On search integration | Search personalization & analytics | Identifies users for Coveo-powered search analytics and relevance. | 1 year | SameSite=Lax | Personalized search and analytics will degrade. |
| Medallia Digital Analytics ID | da_lid | Medallia Digital | Analytics | When Digital tracking script loads | Digital interaction tracking | Tracks user interaction across pages for Medallia Digital analytics. | 1 year | SameSite=Strict | Digital experience analytics will stop. |
| Kampyle Page View Counter | kampyleSessionPageCounter | Medallia (Kampyle) | Functional | When feedback widget loads | Feedback frequency control | Tracks number of pages visited before triggering feedback survey. | 1 year | SameSite=None | Feedback survey rules may trigger incorrectly. |
| Kampyle User Sampling | kampyleUserPercentile | Medallia (Kampyle) | Functional / Analytics | When feedback widget initializes | Feedback audience targeting | Determines whether user qualifies for feedback based on sampling logic. | 1 year | SameSite=None | Survey targeting may break or over-trigger. |
| Kampyle User Session ID | kampyleUserSession | Medallia (Kampyle) | Essential / Functional | On page load with feedback widget | Feedback session management | Maintains the active feedback session and prevents duplicate prompts. | 1 year | SameSite=None | Users may see repeated surveys; session continuity breaks. |
| Kampyle Total Session Counter | kampyleUserSessionsCount | Medallia (Kampyle) | Functional / Analytics | On each new feedback session | Feedback usage tracking | Tracks total number of feedback sessions per user. | 1 year | SameSite=None | Feedback reporting and targeting accuracy will reduce. |
