Session Replay

eConsent captures full DOM-level session recordings using rrweb, an open-source library that records and replays browser sessions. These recordings provide a complete visual record of what the consumer saw and did on your page, serving as powerful evidence for TCPA compliance.

What gets recorded

Session replay captures:

• Full page snapshots: Complete DOM state at the time of recording
• DOM mutations: Every element added, removed, or modified
• User interactions: Mouse movements, clicks, scrolls, input focus
• Form interactions: Input changes, checkbox toggles, dropdown selections
• Viewport changes: Window resizing, orientation changes
• Consent visibility: Whether consent language was displayed and visible

Session Replay Demo

Watch a real session replay showing what gets captured: DOM mutations, user interactions, consent visibility, and form submissions.

~2 min

Note

Session replay captures the structure and behavior of the page, not pixel-level screenshots. Sensitive data in form fields is handled according to your whitelist configuration. Only authorized fields are captured in plain text; everything else is masked or excluded.

How recording works

1. Session initialization. When the tracker script loads, it creates a new session and begins recording DOM events.
2. Event streaming. Recording events are batched and sent to the eConsent API in compressed chunks.
3. Storage. Events are stored on AWS EFS (Elastic File System) with atomic writes to prevent partial or corrupted recordings.
4. Integrity hashing. A SHA-256 hash of the complete recording is computed and stored in the certificate’s recording_hashes field.

Storage details

Parameter	Value
Storage backend	AWS EFS (Elastic File System)
File path	{EFS_BASE}/{companyId}/{propertyId}/{sessionId}.json
Write mode	Atomic writes
Max payload per chunk	50 MB
Max event size	10 MB
Max events returned on replay	10,000

Snapshot promotion

In some cases, the first DOM snapshot captured may have an incomplete state (before CSS loads or JavaScript hydrates the page). eConsent automatically handles this:

1. Scans later snapshots for one with a complete DOM (10 or more body nodes).
2. Promotes the best snapshot to the beginning of the replay.
3. Preserves original timestamps for accuracy.

This ensures the replay always starts with a fully rendered page.

Multi-step form support

The recorder handles multi-step forms and wizard-style layouts:

• Tracks the current step/page within a form
• Records tab and step transitions
• Handles visibility changes as steps show/hide
• Supports windowId for multi-window scenarios

Viewing replays

From the dashboard

Navigate to Sessions in your eConsent dashboard at app.econsent.org, then click on any session to view the replay. The player provides:

• A timeline scrubber for navigating the recording
• Play/pause controls
• Playback speed adjustment
• Full session duration and event count

From a certificate

Each certificate includes a QR code and link to its associated session replay. The public replay URL is:

https://app.econsent.org/certificate/public/session/{sessionId}

This public URL can be shared with legal teams, compliance officers, or opposing counsel without requiring dashboard access.

From the certificate public page

The public certificate page at https://app.econsent.org/certificate/{certificateId} includes a QR code that links directly to the session replay.

Integrity verification

Every session recording includes cryptographic integrity verification:

Check	Description
Content hash	SHA-256 hash of the full events array, computed and stored at certificate generation
Verification on replay	Hash is recomputed on retrieval and compared to the stored hash
Tamper detection	Any modification to the recording data invalidates the hash
Status in response	integrity.verified: true/false indicates the verification result

Caution

If a recording’s integrity check fails (integrity.verified: false), the recording may have been corrupted or tampered with. The certificate itself remains valid. The recording hash mismatch is flagged but does not invalidate the certificate’s HMAC signature.

Storage and retention

Session recordings follow the same retention policy as certificates. Configure retention per property under Settings > Properties:

• Session expiration: 7 days, 30 days, 60 days, 1 year, 3 years, or 5 years
• Certificate expiration: Same options, configured independently

Expired sessions are cleaned up automatically by a scheduled job. See Retention Management for details on quotas, auto-retention settings, and MP4 conversion.

Recording data structure

For technical integrations, the recording payload follows this structure:

{
  "events": [
    [windowId, rrwebEvent],
    [windowId, rrwebEvent]
  ],
  "metadata": {
    "sessionId": "uuid",
    "companyId": "company-id",
    "propertyId": "property-id",
    "windowId": "window-id",
    "lastUpdated": "2025-03-18T14:30:00.000Z",
    "totalEvents": 1250,
    "contentSha256": "a1b2c3d4e5f6..."
  }
}

Next steps

• Consent Certificates. Understand the certificate format and generation process
• Retention Management. Configure retention quotas and MP4 conversion
• Verification API. Verify certificates programmatically