Secure cookies

PREREQUISITES: You must have installed SSL on your site and you must have configured all backend pages to require SSL.
For more information, see Configure SSL.

Relying party

To configure the security of the Relying party .AspNet.Cookies cookie, perform the following:

Navigate to Administration » Settings » Advanced.
In the left pane, expand Authenticationand click RelyingParty.
In the Authentication cookie securitydropdown box, select one of the following:
- SameAsRequest
  This is the default value. This way, the cookie is automatically secured, if the site is under SSL.
- Always
  The cookie is always secured and must be served under HTTPS.
- Never
  The cookie is not secured.
Save your changes.

List of cookies

The following table lists cookies that Sitefinity CMS uses.

Legal frameworks such as GDPR require you to receive consent from your site visitors about behavior tracking. In the following table, the cookies which are required for functioning of your Sitefinity CMS site, and thus are always enabled, have the Functional type. You must ensure that the Targeting cookies are switched off when your site visitors decline tracking.
For more information, see Tracking consent and Integrate third-party Tracking consent manager.

Cookie	Description	Expires	Type
`sf-tracking-consent`	Saves the tracking consent choice, made by visitors.	9999 days	Functional
`sf-site`	In multisite environment, remembers the ID of the current site.	2 years	Functional
`sf-prs-ss`	Holds the time of first page visit.	Session	Targeting
`sf-prs-lu`	Saves the landing URL.	Session	Targeting
`sf-prs-vp`	Saves the visited pages that are part of personalization segments.	Session	Targeting
`sf-prs-vu`	Saves the visited URLs that are part of personalization segments.	Session	Targeting
`ASP.NET_ Session` `Id`	Contains information about the browser session and enables visitors to log into the website.	Session	Functional
`.ASPXAUTH`	Determines whether a user is authenticated.		Functional
`.SFAUTH` (configurable)	Used for authentication tickets caching.	600 minutes by default (configurable)	Functional
`.SFROLES` (configurable)	Used to cache user roles.	30 minutes by default (configurable)	Functional
`.SFLOG` (configurable)	Used to pass the reason to login form and to display the reason.		Functional
`.AspNet.` `Cookie s`	The relying party cookie (claims authentication mode) that is used to cache authentication information. You can configure it in the `AuthenticationConfig`. Expiration depends on the Remember me checkbox.	Sliding, 600 minutes or session (configurable)	Functional
`.AspNet.Temp.` `Cookie s`	Helper relying party cookie during authentication.	5 minutes	Functional
`SF-TokenId`	Handles the claims token (claims authentication mode). Could be configured in the `SecurityConfig` file.	118 minutes by default (configurable)	Functional
`sf_timezoneoffset`	Stores the value of the UTC time zone offset for the particular user, that is, the timezone difference between UTC and the user's local time, in minutes. This cookie is stored only for logged in users.	Session	Functional
`sfExpPages_ + rootNodeKey`	Saves the key of the node expanded in the backend.	1 year	Functional
`shoppingCartId`	Holds the ID of the customer's shopping cart.	6 months	Functional
`selectedDisplayCurrency`	Holds the display currency selected by the customer.	Session	Functional
`_mkto_trk`	Used to get the Munchkin token - only for Marketo connector.		Targeting
`sf-abissuesckie`	Used in the issues grid of email campaigns A/B test.	2 years	Functional
`sf-issuesckie`	Used in the issues grid of email campaigns.	2 years	Functional
`cartOrderId`	Used to cache current cart order ID - only if configured.		Functional
`idsrv`	IdentityServer3 cookie used to cache information about the current user. Expiration depends on Remember me checkbox. Configuration in `AuthenticationConfig`.	30 days or session (configurable)	Functional
`OpenIdConnect.nonce`	Used to validate the identity token received from the Identity Provider (IdenityServer). It is a session cookie, but the information contained expires in 1 hour.	Session	Functional
`sf_abtests`	Once you start an A/B test, this cookie stores the IDs of the page variations, already visited by contacts.	30 years	Functional
`sf-data-intell-subject`	Visitor identifier used by Sitefinity Insight. For more information, see Manage cookies.	1 year by default (configurable)	Targeting
`sf-ins-lst-doc-trckd`	Stores the identifier of the last tracked document by Sitefinity Insight.	12 seconds	Targeting
`sf-ins-ssid`	Stores the session identifier used by Sitefinity Insight.	30 minutes by default (configurable)	Targeting
`sf-ins-pv-id`	Stores the page visit identifier used by Sitefinity Insight.	Session	Targeting
`sf_antiforgery`	Used for CSRF protection	5 minutes	Functional

Want to learn more?

Enhance your Sitefinity skills by enrolling in free training sessions. Become Sitefinity certified through Progress Education Community to strengthen your professional credentials.

Get started with Integration Hub | Sitefinity Cloud

This free lesson teaches administrators, marketers, and other business professionals how to use Sitefinity Integration Hub to create automated workflows between Sitefinity and other business systems.

Web Security for Sitefinity Administrators

This free lesson teaches administrators the basics about protecting your Sitefinity instance and your sites from external threats. Configure HTTPS, SSL, allow lists for trusted sites, and cookie security, among others.

Foundations of Sitefinity ASP.NET Core Development

The free on-demand video course teaches developers how to use Sitefinity ASP.NET Core and take advantage of its decoupled architecture and modern development model.