Channel: GlobalSCAPE Knowledge Base

Does EFT’s web transfer client (WTC) use cookies, and are any of those cookies used in a way that could violate privacy standards such as GDPR, or that can be used for tracking or identifying users?



  • EFT v7.4.13.15 and later




EFT does not use its cookies for anything related to PII/PD or for the purpose of identifying users or tracking their behavior.

Typically it is websites or certain SaaS services that misuse cookies to track or identify users. EFT has no reason to do so, given its specific purpose as a Managed File Transfer (MFT) server operated in our customer’s environment.


  • csrftoken (previously token) - used as part of our double-submit cookie CSRF prevention
  • downloadsession - used in the direct download workflow
  • mfatoken (previously loginsession) - used for login workflows that use multi-factor authentication (RADIUS, etc.)
  • passresetsession - used when resetting password
  • passchangesession - used when requesting a change password (comes before reset)
  • samlssologgedout - SAML-logout related
  • savedpath - used to save folder listing context in certain workflows for WTC (allows WTC to drop you into proper location after certain actions)
  • switchtoptc - legacy, used to switch to non-js version of web client
  • twspath - used for directory look-up in certain circumstances using workspaces
  • usewtc - used to prevent obsolete clients
  • websessionid - holds session information after logging into the WTC, used for authentication

Purely client side:

  • currentSort - keeps track of sorting of the file listing
  • i18next - keeps track of localization (language) information
  • saveDir - keeps track of the last visited directory*
  • showThumbnails - keeps track of thumbnail option selection
  • showSiteInitPopups - determines if initial toast (popup) notification should be shown that outlines current browser limitations
  • tosAccepted - keeps track of whether a user has accepted the TOS, to prevent it from appearing every time (if the TOS system is in use, and unless it is specifically set to show every time)
  • UserChosenDefaultLoggingLevel - keeps track of user set logging level
  • variant - handles context for portals in various situations

*It is possible, but highly unlikely, that users name folders in a way that either leaks confidential data or constitutes PII; however, it could be argued that the benefits of recalling the user’s current directory between login sessions far outweigh the small risk that a folder’s naming convention violates company policy.
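
To check a deployment against this inventory, the following added example (not GlobalSCAPE's code) parses captured Set-Cookie header values and reports cookie names that are legacy, documented as client-side only, or absent from the lists above, plus any cookie given an explicit lifetime. The header values are constructed samples, and the function names and the analytics_id cookie are hypothetical.

```python
# Added example: audit captured Set-Cookie values against the cookie
# inventory listed in this article. All sample headers are constructed.
SERVER_SET = {"csrftoken", "downloadsession", "mfatoken", "passresetsession",
              "passchangesession", "samlssologgedout", "savedpath",
              "switchtoptc", "twspath", "usewtc", "websessionid"}
CLIENT_SIDE = {"currentSort", "i18next", "saveDir", "showThumbnails",
               "showSiteInitPopups", "tosAccepted",
               "UserChosenDefaultLoggingLevel", "variant"}
LEGACY = {"token": "csrftoken", "loginsession": "mfatoken"}  # pre-rename names

SAMPLE = [  # constructed Set-Cookie values, not captured from a real server
    "websessionid=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=def456; Path=/; Secure",
    "token=old789; Path=/",
    "saveDir=/Usr/jdoe; Path=/",
    "analytics_id=xyz; Path=/; Max-Age=63072000",  # hypothetical cookie name
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit(headers):
    """Return (cookie_name, finding) tuples that need reviewer follow-up."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in LEGACY:
            findings.append((name, f"legacy name, now {LEGACY[name]}"))
        elif name in CLIENT_SIDE:
            findings.append((name, "documented as client-side but set by server"))
        elif name not in SERVER_SET:
            findings.append((name, "not in documented inventory"))
        if "max-age" in attrs or "expires" in attrs:
            findings.append((name, "has explicit lifetime (Max-Age/Expires)"))
    return findings

if __name__ == "__main__":
    for cookie, finding in audit(SAMPLE):
        print(f"{cookie}: {finding}")
```

Cookies written by the WTC's client-side script never appear in Set-Cookie headers, so the client-side list has to be checked separately in the browser's storage inspector.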
