Vulnerability in EPiServer.Forms
Hello, I am reaching out to see if anyone has insights to share regarding the usage of Visitor Groups without cookie consent.
We plan to use the Visitor Groups to personalize multiple areas of our website, including personalized promotions. In this case, some promotions will be personalized using a Visitor Group based on the criteria "Customer properties", using the "Customer Group". Obviously, the visitor has to be signed in in this case.
We are using a cookie banner to manage the consent, and we were wondering if the Visitor Groups will still work without cookie consent (I suppose it won't...)?
Most groups just evaluate based on the information they have as part of executing the request. So yes, ones that are based on being a logged-in customer depend on the authentication cookie and being able to load the customer context, but others don't. There's a list of required cookies here: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/cookie-usage . The Number of Visits VG is the main one that needs an extra cookie.
I exchanged a few emails with Optimizely Support about this topic. In case this can be useful for anyone, I'm sharing here their latest answer:
I have been doing a review of some source code, and I can see that some visitor group criteria do explicitly depend on session state information. I can confirm that the Referer, SearchWord, StartUrl, UriSessionStart, ViewedCategories, and ViewedPages criteria should not work when cookies are disabled. Since the visitor groups are not designed or tested to be usable while cookies are disabled or the "Do not track" setting is implemented, I would not be able to say that any would be expected to work. Moving forward, I would recommend testing on the site to see if any of them do work while cookies are disabled, if there are concerns from your team. Many sites have a popup message indicating that the site is designed to use personalized content, so a similar message may be desirable for this client if discounts are going to be served through personalized content.