Contents x
    Use of Cookies
    • 13 Nov 2023
    • Print
    • Dark
      Light
    Contents

    Use of Cookies

    • Updated on 13 Nov 2023
    • Print
    • Dark
      Light
    Article Summary

    Bot Defender Cookies

    HUMAN Bot Defender uses the cookies listed in the table below. For best system operation, we recommend to unblock all HUMAN cookies.

    Cookie name

    Cookie Purpose Description

    Type

    Expiration

    1st or 3rd Party

    Category

    Note

    Size

    _pxvid

    Used for browser detection and distinguishing whether it is a real user or malicious bot.

    JS

    1 year

    1st Party

    Strictly Necessary

    Visitor ID (randomly generated ID)

    42b

    _px* (e.g _px, _px2, _px3)

    Used to maintain a session with HUMAN. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

    JS

    5.5 minutes

    1st Party

    Strictly Necessary

    Visitor ID (randomly generated ID)
    Session ID (uuid)
    Time expiration

    up to 500b

    _pxff_*
    (e.g
    _pxff_af_c
    _pxff_af_rf
    _pxff_af_se
    _pxff_af_sp
    _pxff_af_wp
    _pxff_bdd
    _pxff_idp_c
    _pxff_idp_p
    _pxff_wa
    _pxff_wow
    _pxff_ww
    _pxff_tm)

    Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot.

    JS

    1 day

    1st Party

    Strictly Necessary

    all pxff cookies are feature flags for HUMAN code, including no visitor specific data, but instead - instructions for the HUMAN code running on the client side.

    9b-20b

    _pxmvid

    User Token (from WebView via mobile SDK integration)

    JS

    1 hour

    1st Party

    Strictly Necessary

    Visitor ID (randomly generated ID)

    43b

    _pxhd

    Used for server-side detection and distinguishing whether it is a real user or malicious bot.

    HTTP

    1 year

    1st Party

    Strictly Necessary

    Visitor ID (randomly generated ID)

    106b

    pxcts

    Used to maintain a cross tab session

    HTTP

    session

    1st Party

    Strictly Necessary

    cross tab session
    (randomly generated ID)

    43b

    _pxde

    Data enrichment feature (e.g is the user in access control)

    JS

    5 days

    1st Party

    Analytics

    Hashed incident type
    Hashed access control identification

    100b-200b

    HttpOnly and Secure Flags

    By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:

    The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a Java Script snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.

    The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.

    It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.

    Was this article helpful?
    What's Next