Use of cookies & web storage

HUMAN products use a combination of cookies, local storage, and session storage. For best system operation, we recommend you unblock all HUMAN cookies and local and session storage keys listed below.

Browser cookies


| Cookie name | Product usage | Description | Type | Expiration | 1st or 3rd Party | Category | Size | Notes |
|---|---|---|---|---|---|---|---|---|
| _px* (e.g. _px, _px2, _px3) | Sightline Cyberfraud Defense, Bot Defender | Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information. | JS | 5.5 minutes | 1st Party | Strictly Necessary | up to 500B | Visitor ID (randomly generated ID); Session ID (uuid); Time expiration |
| _pxac | Sightline Cyberfraud Defense, Bot Defender | Allows passing an access token that the Enforcer extracts. If the value matches the Console token, the request is whitelisted. | N/A | N/A | N/A | N/A | Access token (Free pass) | N/A |
| _pxde | Sightline Cyberfraud Defense, Bot Defender | Data enrichment feature (e.g., is the user in access control) | JS | 5 days | 1st Party | Analytics | 100B-200B | Hashed incident type; Hashed access control identification |
| _pxff_* (e.g. _pxff_af_c, _pxff_af_rf, _pxff_af_se, _pxff_af_sp, _pxff_af_wp, _pxff_bdd, _pxff_idp_c, _pxff_idp_p, _pxff_wa, _pxff_wow, _pxff_ww, _pxff_tm) | Sightline Cyberfraud Defense, Bot Defender | Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 day | 1st Party | Strictly Necessary | 9B-20B | All pxff cookies are feature flags for HUMAN code, including no visitor-specific data, but instead instructions for HUMAN client-side code. |
| _pxhd | Sightline Cyberfraud Defense, Bot Defender | Used for server-side detection and distinguishing whether it is a real user or malicious bot. | HTTP | 1 year | 1st Party | Strictly Necessary | 106B | Visitor ID (randomly generated ID) |
| _pxmvid | Sightline Cyberfraud Defense, Bot Defender | User Token (from WebView via mobile SDK integration) | JS | 1 hour | 1st Party | Strictly Necessary | 43B | Visitor ID (randomly generated ID) |
| _pxttld | Sightline Cyberfraud Defense, Bot Defender | Determines the appropriate domain settings for cookies to enable site-wide detection functionality | JS | 1 millisecond | 1st Party | Strictly Necessary | 8B | |
| _pxvid | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used for browser detection and distinguishing whether it is a real user or malicious bot. | JS | 1 year | 1st Party | Strictly Necessary | 42B | Visitor ID (randomly generated ID) |
| pxcts | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Used to maintain a cross-tab session | JS | session | 1st Party | Strictly Necessary | 43B | Cross-tab session (randomly generated ID). Falls back to local storage if first-party cookies are blocked. |
| __pxvid | Code Defender | Used to differentiate users for cost purposes as well as counters, such as how many users were exposed to a certain behavior caused by a script. HUMAN can add a secure flag to this cookie upon request. | JS | 1 year | 1st Party | Strictly Necessary | 43B | Visitor ID (randomly generated ID) |
| _pxwvm | Bot Defender, Account Defender | Configured by the Mobile SDK to indicate to the Sensor that it’s operating within a web view context inside a mobile app. | JS | session / 1 year | 1st Party | Strictly Necessary | N/A | |
| _pxmd | Bot Defender, Account Defender | Contains data from the Mobile SDK related to the current session. | JS | Session / Session storage | 1st Party | Strictly Necessary | N/A | |
| _pxda | Bot Defender, Account Defender | Indicates that the Doctor App feature is enabled in the Mobile SDK. | JS | Session | 1st Party | N/A | N/A | |
| _px_mobile_data | Bot Defender, Account Defender | Contains data from the Mobile SDK related to the current session. | JS | Session / Session storage | 1st Party | Strictly Necessary | N/A | |

Local storage keys

| Key name | Product usage | Function | Description |
|---|---|---|---|
| _advanced_features | Sightline Cyberfraud Defense, Bot Defender | Execution control | Ensures a specific activity runs only once. |
| fsch | Sightline Cyberfraud Defense, Bot Defender | Window events detection | Keeps track of identified events to prevent adding more after identification. |
| pxcts | Sightline Cyberfraud Defense, Bot Defender, Code Defender | Session data | Stores session data if the browser blocks first-party cookies. Fallback for the browser cookie pxcts. |
| px-ff | Sightline Cyberfraud Defense, Bot Defender | Feature flags | Holds feature flags to be kept for next sessions. |
| px_hvd | Sightline Cyberfraud Defense, Bot Defender | Visitor identification | The hashed visitor identifier (VID). |
| px_22j9f8hlau2f5 | Code Defender | Dynamic mitigation | Relevant if you have blocking rules. Updates every time block rules update. |
| px_33df3rmnerrf5 | Code Defender | Feature flags | Updates on every session (every website load). |

Session storage keys

| Key name | Product usage | Function | Description |
|---|---|---|---|
| _pr_c | Sightline Cyberfraud Defense, Bot Defender | Cross-session mapping | Contains the client’s UUID from the previous session. |
| px_c_p_ | Sightline Cyberfraud Defense, Bot Defender | Routing configuration | Indicates the last selected path for communicating with collectors. |
| px_fp | Sightline Cyberfraud Defense, Bot Defender | Device fingerprinting | Stores fingerprint data (used as a fallback if local storage isn’t available). |
| px_nfsp | Sightline Cyberfraud Defense, Bot Defender | Session entry tracking | An indicator that this is the first page viewed in the session. |
| pxsid | Sightline Cyberfraud Defense, Bot Defender | Session management | Session identifier. |
| pxtiming | Sightline Cyberfraud Defense, Bot Defender | Performance metrics | KPIs for communication with the backend. |
| px_11a381f6 | Code Defender | Session ID | Set for every new user (every browser entering the website for the first time). Persists indefinitely for that user. |

HttpOnly and Secure Flags

By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:

The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a JavaScript snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.

The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.

It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.
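
A cookie-flag audit will report these cookies, so the rules above can be encoded as a triage step that separates the documented exceptions from the application's own cookies. The following is an added example, not HUMAN's code: the record shape (`name`, `httpOnly`, `secure`), the function names and the sample data are assumptions, and the cookie names come from the table on this page.

```python
import re

# Cookie names documented on this page; the _px* family is matched as _px plus
# optional digits (_px, _px2, _px3) so unrelated "_px..." names do not pass.
HUMAN_EXACT = {"_pxac", "_pxde", "_pxhd", "_pxmvid", "_pxttld", "_pxvid", "pxcts",
               "__pxvid", "_pxwvm", "_pxmd", "_pxda", "_px_mobile_data"}
HUMAN_PATTERN = re.compile(r"^(_px\d*|_pxff_\w+)$")


def is_human_cookie(name):
    return name in HUMAN_EXACT or bool(HUMAN_PATTERN.match(name))


def triage(cookies, https_only):
    """Split cookies missing HttpOnly/Secure into expected, review and finding."""
    result = {"expected": [], "review": [], "finding": []}
    for c in cookies:
        missing = [f for f, key in (("HttpOnly", "httpOnly"), ("Secure", "secure"))
                   if not c.get(key, False)]
        if not missing:
            continue
        if not is_human_cookie(c["name"]):
            # Application cookie: no documented reason to lack either flag.
            result["finding"].append((c["name"], missing))
        elif "Secure" in missing and https_only:
            # Page: Secure can be set where all traffic, APIs included, is HTTPS.
            result["review"].append((c["name"], ["Secure"]))
        else:
            # Page: Sensor must read these cookies, and HTTP traffic is protected too.
            result["expected"].append((c["name"], missing))
    return result


# Constructed sample in the shape of a browser cookie export (not real data).
SAMPLE = [
    {"name": "_px3", "httpOnly": False, "secure": False},
    {"name": "_pxff_tm", "httpOnly": False, "secure": False},
    {"name": "_pxhd", "httpOnly": False, "secure": True},
    {"name": "sessionid", "httpOnly": True, "secure": True},
    {"name": "_pxtracker", "httpOnly": False, "secure": True},  # not a HUMAN name
    {"name": "cart", "httpOnly": False, "secure": False},
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, https_only=True).items():
        print(bucket, items)
```
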