Cookie policy for the Raven web authentication server

Raven is a service used by some web sites to identify people from the University so that access decisions can be made based on user identity and related information.

The Raven service uses two discrete sets of servers which perform different, related authentication tasks. raven.cam.ac.uk serves the locally developed Ucam-WebAuth components whilst shib.raven.cam.ac.uk is used to serve components that follow the Shibboleth federation protocols. Websites may choose to use one or both of these different technical solutions depending on their specific authentication needs. Whilst the two underlying servers support subtly different technologies, both are combined within the Raven service to provide a consistent authentication experience to the end user.

Both Ucam-WebAuth and Shibboleth use a number of HTTP cookies. Precisely which cookies are set depends on how the two underlying systems are used. These cookies are set so that, if your browser is operating correctly, they will be returned only to the server that set them and only over secure HTTP connections. The cookies that may be set are:

Ucam-WebAuth Server (raven.cam.ac.uk)

The Ucam-WebAuth server may set three cookies. The first two listed here are essential for the operation of the Raven authentication service. The third is set only if you choose to supply a default CRSid to offer when logging in.

  • Ucam-WLS-Session: This cookie is used to implement Raven's single sign-on facility, which enables you to move between many Raven-protected sites without having to re-enter your login credentials for each site. It retains:
    • Your CRSid.
    • A record of your chosen Raven login options.
    • Your method of authentication.
    • The date and time of your most recent authentication.
    • The date and time of your session's scheduled expiry.
    • A cryptographic signature protecting the cookie value.
    This cookie is set when you first authenticate with Raven in your browsing session and is deleted when either your browsing session ends or you log out of Raven. This feature can be turned off by visiting the Raven settings page. If it is disabled, this cookie is not set.
  • Ucam-WebAuth-Session-S: This is used to separately control access to a small number of pages on the Raven server itself. It records:
    • Your CRSid.
    • The status of your most recent request to authenticate.
    • Your method of authentication.
    • The date and time of your most recent authentication.
    • The length in seconds of your current authentication session.
    • A unique value issued by the Raven server to identify the current authentication event.
    • A cryptographic signature protecting the cookie value.
    It is set when you access the protected pages and is deleted when your browsing session ends.
  • Ucam-WLS-ID: Sets a default CRSid to offer when logging in. Set only on request, from the Raven account management page. This is a persistent cookie stored in your browser that expires after 1 year.

Shibboleth Server (shib.raven.cam.ac.uk)

The Shibboleth server sets four cookies when it is invoked by a client web site. These are all essential for the provision of the service.

  • Ucam-WebAuth-Session-S: This is used to manage your authentication to the Shibboleth server for onward transmission to client web sites using the Shibboleth federation protocols. It is set when you first authenticate to a site using Shibboleth in any browser session and will be deleted when your browser session ends. It contains:
    • Your CRSid.
    • The status of your most recent request to authenticate.
    • Your method of authentication.
    • The date and time of your most recent authentication.
    • The length in seconds of your current authentication session.
    • A unique value issued by the Shibboleth server to identify the current authentication event.
    • A cryptographic signature protecting the cookie value.
  • JSESSIONID: This holds an alphanumeric value that uniquely identifies your current browsing session; it is used to further manage your authentication to the Shibboleth server for onward transmission to client web sites. It is set when you first authenticate to a site using Shibboleth in any browser session and will be deleted when your browser session ends.
  • _idp_authn_lc_key: This cookie contains only information necessary to identify the current authentication process (which usually spans multiple requests/responses) and is deleted after the authentication process completes.
  • _idp_session: This cookie contains information necessary for identifying the user's 'login' to the Shibboleth server. This cookie is created as a "session" cookie and will be removed when the browser chooses to remove such cookies (often when the browser is closed).
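
The scoping and lifetime statements above can be checked against the Set-Cookie headers a server actually sends. The following is an added example, not code from the Raven service: it audits headers for the Secure attribute, host-only scope (no Domain attribute) and the stated lifetimes. The header values are constructed samples, and treating _idp_authn_lc_key as a session cookie is an assumption.

```python
from http.cookies import SimpleCookie

# Lifetimes the policy states; "session" for _idp_authn_lc_key is an assumption.
POLICY = {
    "Ucam-WLS-Session": "session", "Ucam-WebAuth-Session-S": "session",
    "JSESSIONID": "session", "_idp_authn_lc_key": "session",
    "_idp_session": "session", "Ucam-WLS-ID": "persistent",
}
ONE_YEAR = 365 * 24 * 3600  # Ucam-WLS-ID "expires after 1 year"

def audit(set_cookie_headers):
    """Return (cookie name, finding) pairs for headers that deviate from the policy."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name not in POLICY:
                findings.append((name, "not listed in policy"))
                continue
            if not morsel["secure"]:
                # Without Secure the browser also sends the cookie over plain HTTP.
                findings.append((name, "missing Secure"))
            if morsel["domain"]:
                # Domain widens scope to subdomains, not only the host that set it.
                findings.append((name, "Domain attribute set"))
            max_age = morsel["max-age"]
            if POLICY[name] == "session" and (max_age or morsel["expires"]):
                findings.append((name, "session cookie has an expiry"))
            if POLICY[name] == "persistent" and max_age.isdigit() and int(max_age) > ONE_YEAR:
                findings.append((name, "lifetime exceeds 1 year"))
    return findings

# Constructed sample headers, not captured from the Raven servers.
SAMPLE = [
    "Ucam-WLS-Session=constructed-value; Path=/; Secure; HttpOnly",
    "Ucam-WLS-ID=xx000; Path=/; Secure; Max-Age=31536000",
    "JSESSIONID=0123ABCD; Path=/idp; Domain=.cam.ac.uk; Secure",
    "_idp_session=constructed; Path=/idp",
    "Ucam-WebAuth-Session-S=constructed; Secure; Max-Age=3600",
    "analytics=1; Secure",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```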

If you would like to find out more about Cookies and Privacy see http://www.allaboutcookies.org/.