Does EFT’s web transfer client (WTC) use cookies, and are any of those cookies used in a way that could violate privacy standards such as GDPR, or that can be used for tracking or identifying users?
THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.13.15 and later

QUESTION

Does EFT’s web transfer client (WTC) use cookies, and are any of those cookies used in a way that could violate privacy standards such as GDPR, or that can be used for tracking or identifying users?

ANSWER

EFT does not use its cookies for anything related to PII/PD, or for the purpose of identifying users or tracking their behavior.

Typically it is consumer websites or certain SaaS services that misuse cookies for tracking and/or identifying users. EFT has no reason to do so, given its specific purpose as a Managed File Transfer (MFT) server operated in our customer's own environment.

Cookies:

  • csrftoken (previously token) - used as part of our double-submit cookie CSRF prevention
  • downloadsession - used in the direct download workflow
  • mfatoken (previously loginsession) - used for login workflows that use multi-factor authentication (RADIUS, etc.)
  • passresetsession - used when resetting a password
  • passchangesession - used when requesting a password change (comes before reset)
  • samlssologgedout - SAML-logout related
  • savedpath - used to save folder listing context in certain WTC workflows (allows WTC to drop you into the proper location after certain actions)
  • switchtoptc - legacy, used to switch to the non-JavaScript version of the web client
  • twspath - used for directory look-up in certain circumstances when using workspaces
  • usewtc - used to block obsolete clients
  • websessionid - holds session information after logging into the WTC; used for authentication

Purely client side:

  • currentSort - keeps track of sorting of the file listing
  • i18next - keeps track of localization (language) information
  • saveDir - keeps track of the last visited directory*
  • showThumbnails - keeps track of thumbnail option selection
  • showSiteInitPopups - determines if initial toast (popup) notification should be shown that outlines current browser limitations
  • tosAccepted - keeps track of whether a user has accepted the TOS, to prevent it from appearing every time (when the TOS feature is enabled, unless it is specifically set to show every time)
  • UserChosenDefaultLoggingLevel - keeps track of user set logging level
  • variant - handles context for portals in various situations

*It is possible, but highly unlikely, that users name folders in a way that either leaks confidential data or constitutes PII; however, it could be argued that the benefit of recalling the user's current directory between login sessions far outweighs the small risk that a folder's naming convention violates company policy.
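
An operator who wants to confirm that a deployment sets nothing beyond the inventory above can compare the Set-Cookie headers the server actually returns against the two lists. The script below is an added example for this article, not EFT's own code: it parses Set-Cookie headers, flags any cookie name that is not in the documented inventory, flags any of the "purely client side" names arriving from the server, and checks that the cookies carrying session or workflow state carry the Secure and HttpOnly attributes (that last expectation is the example's assumption about good practice, not a statement from the article). The sample headers are constructed for illustration, not captured from a real EFT server.

```javascript
// Added example for this article; it is not EFT's own code.
// Audits Set-Cookie headers from a WTC deployment against the cookie
// inventory documented above. Sample header values are constructed.

// Cookies the article documents as set by the EFT server, including the
// older names still listed for csrftoken and mfatoken.
const SERVER_COOKIES = new Set([
  'csrftoken', 'token', 'downloadsession', 'mfatoken', 'loginsession',
  'passresetsession', 'passchangesession', 'samlssologgedout', 'savedpath',
  'switchtoptc', 'twspath', 'usewtc', 'websessionid',
]);

// Values the article documents as purely client side. If one of these shows
// up in a Set-Cookie header, the deployment differs from what is documented.
const CLIENT_SIDE = new Set([
  'currentSort', 'i18next', 'saveDir', 'showThumbnails', 'showSiteInitPopups',
  'tosAccepted', 'UserChosenDefaultLoggingLevel', 'variant',
]);

// Cookies that carry authentication or workflow state. Expecting Secure and
// HttpOnly on them is this example's assumption about good practice, not a
// statement from the article. csrftoken is left out of this set because a
// double-submit token may need to be readable by page script.
const SESSION_STATE = new Set([
  'websessionid', 'mfatoken', 'loginsession', 'downloadsession',
  'passresetsession', 'passchangesession',
]);

// Parse one Set-Cookie header into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return a list of findings; an empty list means every header matched the
// documented inventory and the session cookies carried the expected flags.
function auditSetCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attributes } = parseSetCookie(header);
    if (CLIENT_SIDE.has(name)) {
      findings.push({ name, issue: 'documented as purely client side but set by server' });
      continue;
    }
    if (!SERVER_COOKIES.has(name)) {
      findings.push({ name, issue: 'not in documented EFT cookie inventory' });
      continue;
    }
    if (SESSION_STATE.has(name)) {
      if (!attributes.secure) findings.push({ name, issue: 'missing Secure attribute' });
      if (!attributes.httponly) findings.push({ name, issue: 'missing HttpOnly attribute' });
    }
  }
  return findings;
}

// Constructed sample response headers (not captured from a real server).
const SAMPLE_HEADERS = [
  'websessionid=9f1c3e; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrftoken=7a2b44; Path=/; Secure; SameSite=Lax',
  'mfatoken=41d0; Path=/; HttpOnly',                 // Secure is missing
  'saveDir=%2Fprojects; Path=/',                     // documented as client side only
  'vendor_visitor_id=f00; Path=/; Max-Age=31536000', // not in the inventory
];

console.log(JSON.stringify(auditSetCookies(SAMPLE_HEADERS), null, 2));
```

Feed the script the Set-Cookie headers from a real login and browsing session (for example, copied from the browser's network panel or a proxy log) in place of the constructed sample; the only findings on a deployment that matches this article should be attribute-related, and an unknown name is the signal worth investigating, since it would be something outside the documented inventory.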