Use of cookies & web storage
HUMAN products use a combination of cookies, local storage, and session storage. For best system operation, we recommend you unblock all HUMAN cookies and local and session storage keys listed below.
Browser cookies
Cookie name | Product usage | Description | Type | Expiration | 1st or 3rd Party | Category | Note | Size |
---|---|---|---|---|---|---|---|---|
_advanced_features | Sightline Cyberfraud Defense, Bot Defender | Used to ensure a specific activity runs only once. | Local storage | None | Both | N/A | N/A | |
_pr_c | Sightline Cyberfraud Defense, Bot Defender | Contains the client's UUID from the previous session. | Session storage | Browser session | Both | N/A | N/A | |
_px* (e.g., _px, _px2, _px3) | Sightline Cyberfraud Defense, Bot Defender | Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 5.5 minutes | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID); Session ID (uuid); Time expiration | up to 500b |
_pxde | Sightline Cyberfraud Defense, Bot Defender | Data enrichment feature (e.g., is the user in access control) | JS | 5 days | 1st Party | Analytics | Hashed incident type; Hashed access control identification | 100b-200b |
_pxff_* (e.g., _pxff_af_c, _pxff_af_rf, _pxff_af_se, _pxff_af_sp, _pxff_af_wp, _pxff_bdd, _pxff_idp_c, _pxff_idp_p, _pxff_wa, _pxff_wow, _pxff_ww, _pxff_tm) | Sightline Cyberfraud Defense, Bot Defender | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | All pxff cookies are feature flags for HUMAN code; they contain no visitor-specific data, only instructions for HUMAN client-side code. | 9b-20b |
_pxhd | Sightline Cyberfraud Defense, Bot Defender | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 106b |
_pxmvid | Sightline Cyberfraud Defense, Bot Defender | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
_pxttld | Sightline Cyberfraud Defense, Bot Defender | Determines the appropriate domain settings for cookies to enable site-wide detection functionality | JS | 1 millisecond | 1st Party | Strictly Necessary | | 8b |
fsch | Sightline Cyberfraud Defense, Bot Defender | Part of window events detection; helps keep track of identified events to prevent adding more after identified. | Local storage | None | Both | N/A | N/A | |
px_c_p_ | Sightline Cyberfraud Defense, Bot Defender | Indicates the last selected path for communicating with collectors. | Session storage | Browser session | Both | N/A | N/A | |
px_fp | Sightline Cyberfraud Defense, Bot Defender | Stores fingerprint data (used as a fallback if local storage isn't available). | Session storage | Browser session | Both | N/A | N/A | |
px_hvd | Sightline Cyberfraud Defense, Bot Defender | The hashed visitor identifier (VID). | Local storage | None | Both | N/A | N/A | |
px_nfsp | Sightline Cyberfraud Defense, Bot Defender | An indicator that this is the first page viewed in the session. | Session storage | Browser session | Both | N/A | N/A | |
px-ff | Sightline Cyberfraud Defense, Bot Defender | Holds feature flags to be kept for next sessions. | Local storage | None | Both | N/A | N/A | |
pxsid | Sightline Cyberfraud Defense, Bot Defender | Session identifier. | Session storage | Browser session | Both | N/A | N/A | |
pxtiming | Sightline Cyberfraud Defense, Bot Defender | KPIs for communication with the backend. | Session storage | Browser session | Both | N/A | N/A | |
_pxvid | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 42b |
pxcts | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used to maintain a cross-tab session | JS | session | 1st Party | Strictly Necessary | Cross-tab session (randomly generated ID) | 43b |
__pxvid | Code Defender | Used to differentiate users for cost purposes as well as counters, such as how many users were exposed to a certain behavior caused by a script. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
Local storage keys
Key name | Product usage | Function | Description |
---|---|---|---|
px_22j9f8hlau2f5 | Code Defender | Dynamic mitigation | Relevant if you have blocking rules. Updates every time block rules update. |
px_33df3rmnerrf5 | Code Defender | Feature flags | Updates on every session (every website load). |
Session storage keys
Key name | Product usage | Function | Description |
---|---|---|---|
px_11a381f6 | Code Defender | Session ID | Set for every new user (every browser entering the website for the first time). Persists indefinitely for that user. |
HttpOnly and Secure Flags
By default, HUMAN cookies are not set with the HttpOnly and Secure flags for the following reasons:
The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a JavaScript snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.
The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.
It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.
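The flag guidance above can be checked against the Set-Cookie headers a site actually emits. The following is an added example, not HUMAN code: cookie names and their JS/HTTP type come from the table on this page, while the function names, issue labels, sample headers, and the reading of `_px*` as `_px` plus an optional number are assumptions made for illustration.

```javascript
// Added example, not HUMAN code. Names and the JS/HTTP "Type" come from the
// cookie table on this page; sample headers and function names are constructed.
// Assumption: the "_px*" row means _px plus an optional number (_px, _px2, _px3).
const JS_TYPE = [/^_px\d*$/, /^_pxde$/, /^_pxff_/, /^_pxmvid$/, /^_pxttld$/,
                 /^_pxvid$/, /^pxcts$/, /^__pxvid$/];
const HTTP_TYPE = [/^_pxhd$/];

// Split one Set-Cookie value into its name and the two flags of interest.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return {
    name: eq < 0 ? pair : pair.slice(0, eq),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

// httpsOnly: true when every page and API of the site is served over HTTPS.
function auditHumanCookies(setCookieLines, { httpsOnly }) {
  const findings = [];
  for (const line of setCookieLines) {
    const c = parseSetCookie(line);
    const isJs = JS_TYPE.some((re) => re.test(c.name));
    if (!isJs && !HTTP_TYPE.some((re) => re.test(c.name))) continue; // not in the table
    // HttpOnly hides the cookie from document.cookie, so script cannot read it.
    if (isJs && c.httpOnly) findings.push({ name: c.name, issue: 'httponly-hides-cookie-from-sensor' });
    // All traffic is HTTPS: the page says Secure can be set.
    if (httpsOnly && !c.secure) findings.push({ name: c.name, issue: 'secure-can-be-set' });
    // Some traffic is HTTP: a Secure cookie is never sent on those requests.
    if (!httpsOnly && c.secure) findings.push({ name: c.name, issue: 'secure-cookie-not-sent-over-http' });
  }
  return findings;
}

// Constructed Set-Cookie values (not captured from a real deployment).
const SAMPLE = [
  '_px3=CONSTRUCTED; Path=/; Max-Age=330',
  '_pxvid=CONSTRUCTED; Path=/; HttpOnly; Secure',
  '_pxhd=CONSTRUCTED; Path=/; Secure',
  'sessionid=CONSTRUCTED; Path=/; HttpOnly; Secure',
];
console.log(auditHumanCookies(SAMPLE, { httpsOnly: true }));
console.log(auditHumanCookies(SAMPLE, { httpsOnly: false }));
```

Feed it the Set-Cookie values seen at the edge (proxy, CDN, or application server) to catch a blanket cookie-hardening rule that rewrites HUMAN cookies along with the application's own.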