Use of cookies & web storage

HUMAN products use a combination of cookies, local storage, and session storage. For best system operation, we recommend you unblock all HUMAN cookies and local and session storage keys listed below.

Browser cookies

| Cookie name | Product usage | Description | Type | Expiration | 1st or 3rd Party | Category | Note | Size |
|---|---|---|---|---|---|---|---|---|
| _advanced_features | Sightline Cyberfraud Defense, Bot Defender | Used to ensure a specific activity runs only once. | Local storage | None | Both | N/A | N/A | |
| _pr_c | Sightline Cyberfraud Defense, Bot Defender | Contains the client's UUID from the previous session. | Session storage | Browser session | Both | N/A | N/A | |
| _px* (e.g., _px, _px2, _px3) | Sightline Cyberfraud Defense, Bot Defender | Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 5.5 minutes | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID); Session ID (uuid); Time expiration | up to 500b |
| _pxde | Sightline Cyberfraud Defense, Bot Defender | Data enrichment feature (e.g., is the user in access control) | JS | 5 days | 1st Party | Analytics | Hashed incident type; Hashed access control identification | 100b-200b |
| _pxff_* (e.g., _pxff_af_c, _pxff_af_rf, _pxff_af_se, _pxff_af_sp, _pxff_af_wp, _pxff_bdd, _pxff_idp_c, _pxff_idp_p, _pxff_wa, _pxff_wow, _pxff_ww, _pxff_tm) | Sightline Cyberfraud Defense, Bot Defender | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | All pxff cookies are feature flags for HUMAN code, including no visitor-specific data, but instead instructions for HUMAN client-side code. | 9b-20b |
| _pxhd | Sightline Cyberfraud Defense, Bot Defender | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 106b |
| _pxmvid | Sightline Cyberfraud Defense, Bot Defender | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |
| _pxttld | Sightline Cyberfraud Defense, Bot Defender | Determines the appropriate domain settings for cookies to enable site-wide detection functionality | JS | 1 millisecond | 1st Party | Strictly Necessary | | 8b |
| fsch | Sightline Cyberfraud Defense, Bot Defender | Part of window events detection; helps keep track of identified events to prevent adding more after identified. | Local storage | None | Both | N/A | N/A | |
| px_c_p_ | Sightline Cyberfraud Defense, Bot Defender | Indicates the last selected path for communicating with collectors. | Session storage | Browser session | Both | N/A | N/A | |
| px_fp | Sightline Cyberfraud Defense, Bot Defender | Stores fingerprint data (used as a fallback if local storage isn't available). | Session storage | Browser session | Both | N/A | N/A | |
| px_hvd | Sightline Cyberfraud Defense, Bot Defender | The hashed visitor identifier (VID). | Local storage | None | Both | N/A | N/A | |
| px_nfsp | Sightline Cyberfraud Defense, Bot Defender | An indicator that this is the first page viewed in the session. | Session storage | Browser session | Both | N/A | N/A | |
| px-ff | Sightline Cyberfraud Defense, Bot Defender | Holds feature flags to be kept for next sessions. | Local storage | None | Both | N/A | N/A | |
| pxsid | Sightline Cyberfraud Defense, Bot Defender | Session identifier. | Session storage | Browser session | Both | N/A | N/A | |
| pxtiming | Sightline Cyberfraud Defense, Bot Defender | KPIs for communication with the backend. | Session storage | Browser session | Both | N/A | N/A | |
| _pxvid | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 42b |
| pxcts | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used to maintain a cross-tab session | JS | session | 1st Party | Strictly Necessary | Cross-tab session (randomly generated ID) | 43b |
| __pxvid | Code Defender | Used to differentiate users for cost purposes as well as counters, such as how many users were exposed to a certain behavior caused by a script. | JS | 1 year | 1st Party | Strictly Necessary | Visitor ID (randomly generated ID) | 43b |

Local storage keys

| Key name | Product usage | Function | Description |
|---|---|---|---|
| px_22j9f8hlau2f5 | Code Defender | Dynamic mitigation | Relevant if you have blocking rules. Updates every time block rules update. |
| px_33df3rmnerrf5 | Code Defender | Feature flags | Updates on every session (every website load). |

Session storage keys

| Key name | Product usage | Function | Description |
|---|---|---|---|
| px_11a381f6 | Code Defender | Session ID | Set for every new user (every browser entering the website for the first time). Persists indefinitely for that user. |

HttpOnly and Secure Flags

By default, HUMAN cookies are not set with the HttpOnly and Secure flags for the following reasons:

The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a JavaScript snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.

The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.

It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.
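
An added example (not HUMAN's code) that audits Set-Cookie headers against the HttpOnly and Secure guidance above, for instance after a proxy or framework has rewritten cookie flags. The name pattern is built from the cookie table on this page; reading `_px*` as `_px` plus optional digits, the `httpsOnly` option, and the sample headers are assumptions made for the example.

```javascript
// Cookie names from the table on this page. Reading `_px*` as `_px` plus
// optional digits (_px, _px2, _px3) is an assumption made for this example.
const HUMAN_COOKIE =
  /^(_px\d*|_pxde|_pxff_\w+|_pxhd|_pxmvid|_pxttld|_pxvid|pxcts|__pxvid)$/;

// Split one Set-Cookie header value into its name and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split("=")[0].trim().toLowerCase()));
  return { name, flags };
}

// Return one finding per flag that conflicts with the guidance above.
// `httpsOnly` (hypothetical option) is true when all traffic, APIs included, uses HTTPS.
function auditHumanCookies(setCookieHeaders, { httpsOnly }) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, flags } = parseSetCookie(header);
    if (!HUMAN_COOKIE.test(name)) continue; // not a HUMAN cookie: out of scope
    if (flags.has("httponly")) {
      findings.push({ name, issue: "HttpOnly set: Sensor cannot read this cookie" });
    }
    if (flags.has("secure") && !httpsOnly) {
      findings.push({ name, issue: "Secure set: cookie is not sent on HTTP requests" });
    }
    if (!flags.has("secure") && httpsOnly) {
      findings.push({ name, issue: "Secure missing: site is HTTPS-only, flag can be set" });
    }
  }
  return findings;
}

// Constructed sample headers (values are placeholders, not real tokens).
const sample = [
  "_pxhd=PLACEHOLDER; Path=/; Max-Age=31536000; HttpOnly",
  "_px3=PLACEHOLDER; Path=/; Secure",
  "_pxff_tm=1; Path=/",
  "sessionid=PLACEHOLDER; Path=/; HttpOnly; Secure",
];

console.log(auditHumanCookies(sample, { httpsOnly: false }));
console.log(auditHumanCookies(sample, { httpsOnly: true }));
```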