Secure cookies
PREREQUISITES: You must have installed an SSL/TLS certificate on your site and configured all backend pages to require HTTPS. Marking a cookie as secure only prevents the browser from sending it over plain HTTP; it does not protect a cookie that the server is still willing to issue on an HTTP page.
For more information, see Configure SSL.
Claims authentication
The .AspNet.Cookies cookie belongs to the relying party. The cookie of the Security Token Service (STS) depends on the protocol you use. It is one of the following:
- idsrv, for OpenID Connect.
- .ASPXAUTH, for WRAP/SWT.
Relying party
To configure the security of the relying party .AspNet.Cookies cookie, perform the following:
- Navigate to Administration » Settings » Advanced.
- In the left pane, expand Authentication and click RelyingParty.
- In the Authentication cookie security dropdown box, select one of the following:
  - SameAsRequest: the default. The cookie is issued with the Secure attribute only when the request that creates it arrives over HTTPS, so on a site served under SSL it is secured automatically. The decision is based on the request as the application sees it: if TLS is terminated at a reverse proxy that forwards plain HTTP to the application, this mode produces a cookie without the Secure attribute, and you should use Always instead.
  - Always: the cookie is always issued with the Secure attribute and therefore works only when the site is served under HTTPS.
  - Never: the cookie is issued without the Secure attribute and the browser sends it over plain HTTP as well. Do not use this setting on a production site.
- Save your changes.
STS (OpenID Connect)
In OpenID Connect, the Security Token Service cookie idsrv is always configured as SameAsRequest and cannot be changed in the backend, so the STS must be reached over HTTPS end to end for the cookie to carry the Secure attribute.
STS (WRAP/SWT)
To secure the STS cookie in WRAP/SWT, perform the following:
- Open the web.config file of the STS web application.
- Inside the <system.web> section, find <authentication mode="None" /> and replace it with the following:
- Save and close the web.config file and restart the application.
The .ASPXAUTH cookie is now issued with the Secure attribute.
- Run your project and clear all browser cookies.
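The page's replacement snippet is missing above. As an added illustration, not the page's own snippet, the following shows the standard ASP.NET forms-authentication setting that governs whether the .ASPXAUTH cookie is issued with the Secure attribute: requireSSL on the <forms> element inside <system.web>. The weak form is shown beside the hardened one; whether Sitefinity's STS needs any further attributes on this element is not stated on the page and is not assumed here.

```xml
<!-- Added illustration, not the page's own snippet. Standard ASP.NET
     forms-authentication configuration inside <system.web>. -->

<!-- Weak: requireSSL defaults to false, so ASP.NET issues .ASPXAUTH without
     the Secure attribute and the browser also sends it over plain HTTP. -->
<system.web>
  <authentication mode="Forms">
    <forms requireSSL="false" />
  </authentication>
</system.web>

<!-- Hardened: ASP.NET issues .ASPXAUTH with the Secure attribute and refuses
     to set the cookie on a request that did not arrive over HTTPS. -->
<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true" />
  </authentication>
</system.web>
```

ASP.NET forms authentication always marks .ASPXAUTH HttpOnly; requireSSL is the setting that adds Secure. After changing it, clear browser cookies, because a .ASPXAUTH cookie issued before the change is still accepted until it expires.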
Forms authentication
The .SFAUTH cookie is the cookie connected to Forms authentication.
To secure the .SFAUTH cookie, perform the following:
- In the Sitefinity CMS backend, click Administration » Settings » Advanced » Security.
- Select the AuthCookieRequireSsl checkbox.
- Restart the application.
- Run your project and clear all browser cookies.
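Whichever authentication mode you use, the check a practitioner wants after following the procedures above (relying party, STS and Forms authentication) is the same: capture the Set-Cookie headers of a login response and confirm that the authentication cookies carry the Secure attribute, and that HttpOnly is present as well. The script below is an added example written for this page, not Sitefinity code. It models the three Authentication cookie security settings so that the expected result can be derived for a given mode and request scheme, parses Set-Cookie headers, and reports authentication cookies whose flags do not match. The sample headers are constructed, not captured from a real site; the cookie names are the ones this page lists.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this page; it is not Sitefinity code. It models the three
'Authentication cookie security' settings (SameAsRequest, Always, Never) and
checks constructed sample headers the way you would check a real response
captured with curl -I or the browser's network tab.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Authentication cookies named on this page (relying party, STS, Forms, claims token).
AUTH_COOKIES = {".AspNet.Cookies", ".ASPXAUTH", ".SFAUTH", "idsrv", "SF-TokenId"}


def expected_secure(mode: str, request_is_https: bool) -> bool:
    """Whether the Secure attribute should be present for a given setting.

    SameAsRequest follows the scheme of the request that issues the cookie,
    which is why it yields a non-Secure cookie behind a proxy that forwards
    plain HTTP to the application.
    """
    if mode == "Always":
        return True
    if mode == "Never":
        return False
    if mode == "SameAsRequest":
        return request_is_https
    raise ValueError(f"unknown mode {mode!r}")


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are stored lower-cased; flag attributes map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers: List[str], mode: str, request_is_https: bool) -> List[str]:
    """Return one finding per authentication cookie whose flags do not match
    the configured mode. Cookies not in AUTH_COOKIES are ignored."""
    want_secure = expected_secure(mode, request_is_https)
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in AUTH_COOKIES:
            continue
        if want_secure and not cookie.secure:
            findings.append(
                f"{cookie.name}: missing Secure (mode={mode}, https={request_is_https})"
            )
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly")
    return findings


# Constructed sample headers, not captured from a real site.
SAMPLE_HEADERS = [
    ".AspNet.Cookies=c2FtcGxlLXZhbHVl; path=/; HttpOnly",
    ".ASPXAUTH=9F1B3C7D; path=/; secure; HttpOnly",
    "sf-site=3F2504E0-4F89-11D3-9A0C-0305E82C3301; expires=Fri, 01 Jan 2027 00:00:00 GMT; path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, "Always", True):
        print(finding)
```

Run against the sample, the audit flags .AspNet.Cookies as missing Secure under Always, and reports nothing under SameAsRequest when the request was plain HTTP, which is exactly the case the caveat about TLS-terminating proxies warns about: the configuration is behaving as documented while the cookie still travels unprotected.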
List of cookies
The following table lists cookies that Sitefinity CMS uses.
Legal frameworks such as GDPR require you to obtain consent from your site visitors before tracking their behavior. In the following table, the cookies that are required for your Sitefinity CMS site to function, and are therefore always enabled, have the Functional type. You must ensure that the Targeting cookies are switched off when your site visitors decline tracking.
For more information, see Tracking consent and Integrate third-party Tracking consent manager.
| Cookie | Description | Expires | Type |
| --- | --- | --- | --- |
| sf-tracking-consent | Saves the tracking consent choice made by visitors. | 9999 days | Functional |
| sf-site | In a multisite environment, remembers the ID of the current site. | 2 years | Functional |
| sf-prs-ss | Holds the time of the first page visit. | Session | Targeting |
| sf-prs-lu | Saves the landing URL. | Session | Targeting |
| sf-prs-vp | Saves the visited pages that are part of personalization segments. | Session | Targeting |
| sf-prs-vu | Saves the visited URLs that are part of personalization segments. | Session | Targeting |
| ASP.NET_SessionId | Contains information about the browser session and enables visitors to log into the website. | Session | Functional |
| .ASPXAUTH | Determines whether a user is authenticated. | | Functional |
| .AspNet.Cookies | The relying party cookie (claims authentication mode) that is used to cache authentication information. You can configure it in the AuthenticationConfig. Expiration depends on the Remember me checkbox. | Sliding, 600 minutes or session (configurable) | Functional |
| .AspNet.Temp.Cookies | Helper relying party cookie used during authentication. | 5 minutes | Functional |
| SF-TokenId | Handles the claims token (claims authentication mode). Can be configured in the SecurityConfig file. | 118 minutes by default (configurable) | Functional |
| sf_timezoneoffset | Stores the UTC time zone offset for the particular user, that is, the difference between UTC and the user's local time, in minutes. Stored only for logged-in users. | Session | Functional |
| sfExpPages_ + rootNodeKey | Saves the key of the node expanded in the backend. | 1 year | Functional |
| _mkto_trk | Used to get the Munchkin token; only for the Marketo connector. | | Targeting |
| sf-abissuesckie | Used in the issues grid of email campaign A/B tests. | 2 years | Functional |
| sf-issuesckie | Used in the issues grid of email campaigns. | 2 years | Functional |
| sf_abtests | Once you start an A/B test, stores the IDs of the page variations already visited by contacts. | 30 years | Functional |
| sf-data-intell-subject | Visitor identifier used by Sitefinity Insight. | 1 year by default (configurable) | Targeting |
| sf-ins-lst-doc-trckd | Stores the identifier of the last document tracked by Sitefinity Insight. | 12 seconds | Targeting |
| sf-ins-ssid | Stores the session identifier used by Sitefinity Insight. | 30 minutes by default (configurable) | Targeting |
| sf-ins-pv-id | Stores the page visit identifier used by Sitefinity Insight. | Session | Targeting |
| sf_antiforgery | Used for CSRF protection. | 5 minutes | Functional |