Use of cookies & web storage | HUMAN Documentation

HUMAN products use a combination of cookies, local storage, and session storage. For best system operation, we recommend you unblock all HUMAN cookies and local and session storage keys listed below.

Browser cookies

Cookie name	Product usage	Description	Type	Expiration	1st or 3rd Party	Category	Note	Size
`_advanced_features`	Sightline Cyberfraud Defense, Bot Defender	Used to ensure a specific activity runs only once.	Local storage	None	Both	N/A		N/A
`_pr_c`	Sightline Cyberfraud Defense, Bot Defender	Contains the client’s UUID from the previous session.	Session storage	Browser session	Both	N/A		N/A
`_px*` (e.g `_px`, `_px2`, `_px3`)	Sightline Cyberfraud Defense, Bot Defender	Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	JS	5.5 minutes	1st Party	Strictly Necessary	Visitor ID (randomly generated ID) Session ID (uuid) Time expiration	up to 500b
`_pxde`	Sightline Cyberfraud Defense, Bot Defender	Data enrichment feature (e.g., is the user in access control)	JS	5 days	1st Party	Analytics	Hashed incident type Hashed access control identification	100b-200b
`_pxff_*` (e.g `_pxff_af_c`, `_pxff_af_rf`, `_pxff_af_se`, `_pxff_af_sp`, `_pxff_af_wp`, `_pxff_bdd`, `_pxff_idp_c`, `_pxff_idp_p`, `_pxff_wa`, `_pxff_wow`, `_pxff_ww`, `_pxff_tm`)	Sightline Cyberfraud Defense, Bot Defender	Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot.	JS	1 day	1st Party	Strictly Necessary	All `pxff` cookies are feature flags for HUMAN code, including no visitor-specific data, but instead instructions for HUMAN client-side code.	9b-20b
`_pxhd`	Sightline Cyberfraud Defense, Bot Defender	Used for server-side detection and distinguishing whether it is a real user or malicious bot.	HTTP	1 year	1st Party	Strictly Necessary	Visitor ID (randomly generated ID)	106b
`_pxmvid`	Sightline Cyberfraud Defense, Bot Defender	User Token (from WebView via mobile SDK integration)	JS	1 hour	1st Party	Strictly Necessary	Visitor ID (randomly generated ID)	43b
`_pxttld`	Sightline Cyberfraud Defense, Bot Defender	Determines the appropriate domain settings for cookies to enable site-wide detection functionality	JS	1 millisecond	1st Party	Strictly Necessary		8b
`fsch`	Sightline Cyberfraud Defense, Bot Defender	Part of window events detection; helps keep track of identified events to prevent adding more after identified.	Local storage	None	Both	N/A		N/A
`px_c_p_`	Sightline Cyberfraud Defense, Bot Defender	Indicates the last selected path for communicating with collectors.	Session storage	Browser session	Both	N/A		N/A
`px_fp`	Sightline Cyberfraud Defense, Bot Defender	Stores fingerprint data (used as a fallback if local storage isn’t available).	Session storage	Browser session	Both	N/A		N/A
`px_hvd`	Sightline Cyberfraud Defense, Bot Defender	The hashed visitor identifier (VID).	Local storage	None	Both	N/A		N/A
`px_nfsp`	Sightline Cyberfraud Defense, Bot Defender	An indicator that this is the first page viewed in the session.	Session storage	Browser session	Both	N/A		N/A
`px-ff`	Sightline Cyberfraud Defense, Bot Defender	Holds feature flags to be kept for next sessions.	Local storage	None	Both	N/A		N/A
`pxsid`	Sightline Cyberfraud Defense, Bot Defender	Session identifier.	Session storage	Browser session	Both	N/A		N/A
`pxtiming`	Sightline Cyberfraud Defense, Bot Defender	KPIs for communication with the backend.	Session storage	Browser session	Both	N/A		N/A
`_pxvid`	Sightline Cyberfraud Defense, Bot Defender, Code Defender	Used for browser detection and distinguishing whether it is a real user or malicious bot.	JS	1 year	1st Party	Strictly Necessary	Visitor ID (randomly generated ID)	42b
`pxcts`	Sightline Cyberfraud Defense, Bot Defender, Code Defender	Used to maintain a cross-tab session	JS	session	1st Party	Strictly Necessary	Cross-tab session (randomly generated ID)	43b
`__pxvid`	Code Defender	Used to differentiate users for cost purposes as well as counters, such as how many users were exposed to a certain behavior caused by a script. HUMAN can add a secure flag to this cookie upon request.	JS	1 year	1st Party	Strictly Necessary	Vistor ID (randomly generated ID)	43b

Local storage keys

Key name	Product usage	Function	Description
`px_22j9f8hlau2f5`	Code Defender	Dynamic mitigation	Relevant if you have blocking rules. Updates every time block rules update.
`px_33df3rmnerrf5`	Code Defender	Feature flags	Updates on every session (every website load).

Session storage keys

Key name	Product usage	Function	Description
`px_11a381f6`	Code Defender	Session ID	Set for every new user (every browser entering the website for the first time). Persists indefinitely for that user.

HttpOnly and Secure Flags

By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:

The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a Java Script snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.

The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.

It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.