Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.Visit new site

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.

Authentication - Server Affinity

Authentication - Server Affinity

You need server affinity for EP Commerce for AMC authentication to work. You must configure your load balencers so that users are always sent to the same server. Otherwise, each time users are switched to a different server they will have to re-login.

Server affinity is required because EP Commerce for AMC uses cookies with identifiers to compare against AEM shadow users. However, some data is stored within AEM servers to support identification of the current user inside of AEM. This data is in the form of a "rep:user" node within the repository. This is the Shadow User and is created via EP Commerce for AMC plugging into AEM's Jackrabbit Authentication. The following are some properties rep:user node stores:


This "shadow user" is like a normal AEM user, except it has a few additional properties:
Property Description
rep:cortexToken The authenticated user's Cortex OAuth2.0 token.
rep:cortexTokenExpiry The Cortex OAuth2.0 token expiration time.
rep:cortexRole The authenticated user's role inside Cortex.
ep-identifier An identifier string generated to identify the user. If the user has an ep-identifier such as "none", then the user is thought to be anonymous.

This is created whenever the user tries to persists a "cortexSession" cookie inside of the shopper's client.

This is also used whenever the user tries to retrieve the "cortexSession" cookie from inside the shopper's client.


The cortexToken, cortexTokenExpiry, cortexRole properties are all used to generate Cortex Java SDK session cookies, which in turn are used to create a connection to Cortex Java SDK. The ep-identifier is primarily used to identify whether a current user is anonymous, and whether the current cookie matches with the user logged into AEM.