dspace-angular
Discussion: How does the correlation id work? Do we need to change it?
In https://github.com/DSpace/DSpace/pull/3303 we improved the logging of REST requests. As part of this the backend started to log a correlation id, if it was submitted in the request in an http header called X-CORRELATION-ID. It also logs the page that triggered the request against the REST API, if a uuid is submitted in a Header X-REFERRER. While the aforementioned PR implemented this in the backend, https://github.com/DSpace/dspace-angular/pull/1255 implemented it in the frontend. In https://github.com/DSpace/dspace-angular/pull/1465 the place to store the correlation id in the frontend was changed. Furthermore we have an open issue that this is not documented in the REST contract: https://github.com/DSpace/RestContract/issues/245.
During a DSpace developer meeting questions about the correlation id came up:
- when and how does it change?
- do we have to see this as personal information restricted by GDPR once a user has logged in? When a user logs in, the correlation id is related in the dspace.log to the eperson that logged in.
- Is the cookie storing the correlation id a strictly necessary cookie, a cookie that falls under the case of legitimate interest (so we must provide an opt-out mechanism) or is it something a user must actively agree to? This would decide if we must provide a way to switch it off and how we must include the cookie storing the correlation id in our cookie banner.