Discussion: How does the correlation id work? Do we need to change it?

[pnbecker]

In DSpace/DSpace#3303 we improved the logging of REST requests. As part of this the backend started to log a correlation id, if it was submitted in the request in an http header called X-CORRELATION-ID. It also logs the page that triggered the request against the REST API, if a uuid is submitted in a Header X-REFERRER. While the aforementioned PR implemented this in the backend, #1255 implemented it in the frontend. In #1465 the place to store the correlation id in the frontend was changed. Furthermore we have an open issue that this is not documented in the REST contract: DSpace/RestContract#245.

During a DSpace developer meeting questions about the correlation id came up:

• when and how does it change?
• do we have to see this as personal information restricted by GDPR once a user has logged in? When a user logs in the correlation id is related in the dspace.log to the eperson that logged in.
• Is the cookie storing the correlation id a strictly necessary cookie, a cookie that falls under the case of legitime interest (so we must provide an opt-out mechanism) or is it something a user must actively agree to? This would decide if we must provide a way to switch it off and how we must include the cookie storing the correlation id in our cookie banner.

[pnbecker]

I went to demo.dspace.org and looked in to the network and storage segments of the web developer tools:

• a cookie storing the correlation id is set via JavaScript (there is no Set-Cookie-Header send by the backend and the frontend includes code to set the cookie). This cookie is set as a session cookie.
• I was able to login as a user, log out, login as another user, reload the browser, open a request by typing in an address into the the address bar and the correlation id never changed.
• The only way I found to get a new correlation id was to either restart the whole browser, or to manually delete the cookie from my browser.

In the dspace-angular source code I found the CorrelationIdService which has a method initCorrelationId. It tries to load a correlationID and generates one if it is not able to load a previously existing one. The browserInitService and the serverInitService are calling this method. I found now user usage of it.

From my understanding: we are creating the correlation id via JavaScript if we are not able to load it from the store or via Cookies. The correlation ID is stored for as long as the browser session exists. It is not being regenerated unless we loose the stored value, which happens when the browser expires the session or someone deletes the correlation id manually.

[pnbecker]

The correlation id might still be a case of strictly necessary cookie. We use it to investigate and track down bugs. I just don't know how GDPR defines strictly necessary cookies and tracking.

[pnbecker]

@abollini Can you please take a look on this? Do you have further information about the correlation id and the gdpr?