Secure cookies

PREREQUISITES: You must have installed SSL on your site and you must have configured all backend pages to require SSL.
For more information, see Configure SSL

Relying party

To configure the security of the Relying party .AspNet.Cookies cookie, perform the following:

  1. Navigate to Administration » Settings » Advanced.
  2. In the left pane, expand Authentication and click RelyingParty.
  3. In the Authentication cookie security dropdown box, select one of the following:
    • SameAsRequest
      This is the default value. This way, the cookie is automatically secured, if the site is under SSL.
    • Always
      The cookie is always secured and must be served under HTTPS.
    • Never
      The cookie is not secured.
  4. Save your changes.

List of cookies

The following table lists cookies that Sitefinity CMS uses.

Cookie Description Expires
sf-trckngckie Logs the page visit. 180 days
sf-tracking-consent Saves the tracking consent choice, made by visitors. 9999 days
sf-site In multisite environment, remembers the ID of the current site. 2 years
sf-prs-ss Holds the time of first page visit. Session
sf-prs-lu Saves the landing URL. Session
sf-prs-vp Saves the visited pages that are part of personalization segments. Session
sf-prs-vu Saves the visited URLs that are part of personalization segments. Session
ASP.NET_SessionId Contains information about the browser session and enables visitors to log into the website. Session
.ASPXAUTH Determines whether a user is authenticated.
.SFAUTH (configurable) Used for authentication tickets caching. 600 minutes by default (configurable)
.SFROLES (configurable) Used to cache user roles. 30 minutes by default (configurable)
.SFLOG (configurable) Used to pass the reason to login form and to display the reason.
.AspNet.Cookies The relying party cookie (claims authentication mode) that is used to cache authentication information. You can configure it in the AuthenticationConfig. Expiration depends on the Remember me checkbox. Sliding, 600 minutes or session (configurable)
.AspNet.Temp.Cookies Helper relying party cookie during authentication. 5 minutes
SF-TokenId Handles the claims token (claims authentication mode). Could be configured in the SecurityConfig file. 118 minutes by default (configurable)
sf_timezoneoffset Stores the value of the UTC time zone offset for the particular user, that is, the time zone difference between UTC and the user's local time, in minutes. This cookie is stored only for logged in users. Session
sfExpPages_ + rootNodeKey Saves the key of the node expanded in the backend. 1 year
selectedDisplayCurrency Holds the display currency selected by the customer. Session
_mkto_trk Used to get the Munchkin token - only for Marketo connector.
VisitorsCounterUniqueId Used for counting web visits as a unique parameter. Persistent
sf-abissuesckie Used in the issues grid of email campaigns A/B test. 2 years
sf-issuesckie Used in the issues grid of email campaigns. 2 years
cartOrderId Used to cache current cart order ID - only if configured.
idsrv IdentityServer3 cookie used to cache information about the current user. Expiration depends on Remember me checkbox. Configuration in AuthenticationConfig. 30 days or session (configurable)
OpenIdConnect.nonce Used to validate the identity token received from the Identity Provider (IdenityServer). It is a session cookie, but the information contained expires in 1 hour Session
sf_abtests Once you start an A/B test, this cookie stores the IDs of the page variations, already visited by contacts. 30 years
sf-data-intell-subject Visitor identifier used by Sitefinity Insight.
For more information, see Manage cookies.
1 year by default (configurable)
sf-ins-lst-doc-trckd Stores the identifier of the last tracked document by Sitefinity Insight. 12 seconds
sf-ins-ssid Stores the session identifier used by Sitefinity Insight. 30 minutes by default (configurable)
sf-ins-pv-id Stores the page visit identifier used by Sitefinity Insight. Session

Increase your Sitefinity skills by signing up for our free trainings. Get Sitefinity-certified at Progress Education Community to boost your credentials.

Get started with Integration Hub | Sitefinity Cloud | Sitefinity SaaS

This free lesson teaches administrators, marketers, and other business professionals how to use the Integration hub service to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting yor Sitefinity instance and its sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity .NET Core and leverage its decoupled architecture and new way of coding against the platform.

Was this article helpful?