Use of Cookies
Bot Defender Cookies
HUMAN Bot Defender uses the cookies listed in the table below. For best system operation, we recommend to unblock all HUMAN cookies.
| Cookie name | Cookie Purpose Description | Type | Expiration | 1st or 3rd Party | Category | Note | Size |
|---|---|---|---|---|---|---|---|
_pxvid | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 42b |
_px* (e.g _px, _px2, _px3) | Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 5.5 minutes | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) Session ID (uuid) Time expiration | up to 500b |
_pxff_*(e.g _pxff_af_c _pxff_af_rf _pxff_af_se _pxff_af_sp _pxff_af_wp _pxff_bdd _pxff_idp_c _pxff_idp_p _pxff_wa _pxff_wow _pxff_ww _pxff_tm) | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | All pxff cookies are feature flags for HUMAN code, including no visitor-specific data, but instead instructions for HUMAN client-side code. | 9b-20b |
_pxmvid | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
_pxhd | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 106b |
pxcts | Used to maintain a cross-tab session | JS | session | 1st Party | Strictly Necessary | Cross-tab session (randomly generated ID) | 43b |
_pxde | Data enrichment feature (e.g., is the user in access control) | JS | 5 days | 1st Party | Analytics | Hashed incident type Hashed access control identification | 100b-200b |
_pxttld | Determines the appropriate domain settings for cookies to enable site-wide detection functionality | JS | 1 millisecond | 1st Party | Strictly Necessary | 8b |
HttpOnly and Secure Flags
By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:
The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a Java Script snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.
The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.
It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.
Updated 12 days ago