Use of Cookies
HUMAN products use the cookies listed in the table below. For best system operation, we recommend to unblock all HUMAN cookies.
Cookie name | Product usage | Cookie Purpose Description | Type | Expiration | 1st or 3rd Party | Category | Note | Size |
---|---|---|---|---|---|---|---|---|
_pxvid | Bot Defender, Code Defender | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 42b |
__pxvid | Code Defender | Used to differentiate users for cost purposes as well as counters, such as how many users were exposed to a certain behavior caused by a script. | JS | 1 year | 1st Party | Strictly Necessary | Vistor ID (randomly generated ID) | 43b |
_px* (e.g _px, _px2, _px3) | Bot Defender | Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 5.5 minutes | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) Session ID (uuid) Time expiration | up to 500b |
_pxff_* (e.g _pxff_af_c _pxff_af_rf _pxff_af_se _pxff_af_sp _pxff_af_wp _pxff_bdd _pxff_idp_c _pxff_idp_p _pxff_wa _pxff_wow _pxff_ww _pxff_tm) | Bot Defender | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | All pxff cookies are feature flags for HUMAN code, including no visitor-specific data, but instead instructions for HUMAN client-side code. | 9b-20b |
_pxmvid | Bot Defender | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
_pxhd | Bot Defender | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 106b |
pxcts | Bot Defender, Code Defender | Used to maintain a cross-tab session | JS | session | 1st Party | Strictly Necessary | Cross-tab session (randomly generated ID) | 43b |
_pxde | Bot Defender | Data enrichment feature (e.g., is the user in access control) | JS | 5 days | 1st Party | Analytics | Hashed incident type Hashed access control identification | 100b-200b |
_pxttld | Bot Defender | Determines the appropriate domain settings for cookies to enable site-wide detection functionality | JS | 1 millisecond | 1st Party | Strictly Necessary | 8b |
HttpOnly and Secure Flags
By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:
The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a Java Script snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.
The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.
It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.
Updated 19 days ago