
Cookie usage

Describes the use and management of cookies within Optimizely's CMS and DXP environments, ensuring compliance and optimal functionality for users and developers.

Cookies are essential for tracking various website interactions, such as browser sessions. They help websites remember stateful information or record a visitor's browsing activity. In Optimizely, cookies are used on the front end (DXP platform) and back end (CMS application) to enhance functionality and user experience.

  • CMS cookies – Essential for managing content editing and administrative tasks within the CMS. They primarily serve content editors, administrators, and other backend users interacting with the CMS interface. These cookies help maintain user sessions, track content editing activities, and manage admin panel functionalities.
  • DXP cookies – Focused on enhancing the user experience for visitors on the public-facing side of the website. These cookies manage session persistence, load balancing, analytics, and user interactions to deliver optimized digital experiences.

Protect visitor privacy

Website owners are responsible for informing visitors about cookies used, in compliance with EU directives. For information, see Protect Your Visitors' Privacy According to EU Directive on Cookies.

Cookies in CMS

Optimizely Content Management System (CMS) uses the following cookies for essential operations and for user-facing functionality:

  • Essential cookies

    • apt.uid, apt.sid – Used for telemetry data.
    • .AspNetCore.Antiforgery.# – Protects against cross-site request forgery (CSRF), used only by the CMS UI, and is deleted when the browser is closed.
    • .AspNetCore.Identity.Application – Maintains user login sessions.
  • Functionality-related cookies

    • EPi:NumberOfVisits – Tracks page visits for content personalization. It stores the number of times you have accessed pages on the site so that content can be personalized by how often the site is viewed; it is used with the Number of Visits personalization criterion. The cookie is not set if that criterion is not used in any of your audiences. It is persistent (1 year from creation).
    • EpiStateMarker – Indicates how session-based information about the visit should be stored: in the session or in cookies.
    • EPiViewedPages – Records which of the selected pages the visitor has viewed at least once, so that the ViewedPagesCriterion (under the Site Criteria category of VisitorGroup) can match those visitors.
    • ImageEditorFileSize – Used by the Image Editor.
  • Optimizely Forms cookies

  • Third-party marketing-related cookies

    • __utma, __utmb, __utmc, __utmz – Google Analytics cookies are commonly used on Optimizely websites. These third-party cookies collect information about how visitors use the website.

Cookies in DXP

Optimizely Digital Experience Platform (DXP) employs the following required cookies for service operations and user interactions:

  • ARRAffinity – Routes requests within the DXC cloud environment. DXP deletes this cookie when you close your browser.
  • ai_session – A session identifier for Microsoft Application Insights. It collects statistical usage and telemetry information and is a unique anonymous session identifier cookie.
  • ai_user – A user identifier for tracking application access over time.
  • TiPMix – Used in Azure to pin a user session to a deployment slot during deployments.
  • x-ms-routing-name – Used in Azure during deployments to route to deployment slots.

SameSite cookie attribute

The SameSite attribute lets you control when a browser includes a cookie in cross-site requests, which helps protect against Cross-Site Request Forgery (CSRF) attacks, especially where sensitive data or authenticated sessions are involved. It takes one of three values:

  • SameSite=Lax – Cookies are not sent on normal cross-site subrequests (such as loading images or frames into a third-party site) but are sent when a user navigates to the URL from an external site, such as following a link. This is the default setting for many browsers and provides a balance between usability and security.
  • SameSite=Strict – Cookies are only sent in a first-party context, meaning they are not included in requests originating from other sites. This setting offers the most stringent security but can break functionality that relies on cookies for cross-site requests.
  • SameSite=None – Cookies are sent in all contexts, including cross-origin requests. However, to use SameSite=None, the Secure attribute must also be set, meaning the cookie can only be transmitted over HTTPS connections. This setting is used when cross-site requests are necessary, such as for third-party services.

Google Chrome's version 80 updates have affected SameSite cookie attributes:

  • The default setting changes from SameSite="None" to SameSite="Lax".
  • When SameSite="None" is used, Secure must also be specified, requiring HTTPS.

To comply with these changes, Microsoft ASP.NET emits the SameSite attribute in the Set-Cookie header when the HttpCookie.SameSite value is None. FormsAuth and SessionState cookies are also issued with SameSite="Lax" instead of the previous default value None as part of this change. For information, see Work with SameSite cookies in ASP.NET.

The policy should work for most websites and cookies. However, websites that cannot meet the Lax requirements must change the default values. A limitation of Lax is that it prevents the site from being framed (iframe) under another domain while keeping cookie-based features such as authentication and session state working, because Lax cookies are not sent on cross-site subrequests.
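The following Python script is an added example, not Optimizely's or Microsoft's code, that models the rules described above: the Lax/Strict/None semantics, Chrome 80 defaulting a missing SameSite attribute to Lax, and Chrome rejecting SameSite=None cookies that lack Secure. The Set-Cookie headers are constructed sample data (cookie names taken from this page, values and attributes invented); `parse_set_cookie`, `would_send` and `audit` are hypothetical helper names. It also shows why a Lax cookie breaks the iframe case: the cookie is sent on a top-level link navigation but not on a cross-site frame load.

```python
"""Model a browser's SameSite handling for Set-Cookie headers (constructed example)."""
from dataclasses import dataclass

VALID_SAMESITE = {"Lax", "Strict", "None"}


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str      # "Lax", "Strict" or "None" after defaulting
    secure: bool
    rejected: bool = False   # True when the browser refuses to store the cookie


def parse_set_cookie(header: str, chrome80: bool = True) -> Cookie:
    """Parse one Set-Cookie header value.

    With chrome80=True a missing or invalid SameSite attribute defaults to Lax,
    and SameSite=None without Secure is rejected, matching Chrome 80 behaviour.
    With chrome80=False a missing SameSite means no restriction (None).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site = None
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            candidate = val.strip().capitalize()   # lax -> Lax, NONE -> None
            same_site = candidate if candidate in VALID_SAMESITE else None
        elif key == "secure":
            secure = True
    if same_site is None:
        same_site = "Lax" if chrome80 else "None"
    rejected = chrome80 and same_site == "None" and not secure
    return Cookie(name.strip(), value.strip(), same_site, secure, rejected)


def would_send(cookie: Cookie, cross_site: bool, top_level_navigation: bool, https: bool) -> bool:
    """Decide whether the browser attaches the cookie to a request.

    cross_site: the request targets a site other than the one that set the cookie.
    top_level_navigation: a top-level GET navigation (following a link), as opposed
        to a subrequest such as an image, script or iframe load, or a POST.
    https: the request is sent over HTTPS.
    """
    if cookie.rejected:
        return False
    if cookie.secure and not https:
        return False          # Secure cookies never travel over plain HTTP
    if not cross_site:
        return True           # same-site requests always carry the cookie
    if cookie.same_site == "Strict":
        return False          # Strict: first-party context only
    if cookie.same_site == "Lax":
        return top_level_navigation   # Lax: link navigations yes, subrequests no
    return True               # None: sent in every context (Secure already checked)


def audit(headers: list[str]) -> dict[str, str]:
    """Classify each Set-Cookie header under Chrome 80 rules for a quick review."""
    findings = {}
    for h in headers:
        c = parse_set_cookie(h)
        if c.rejected:
            findings[c.name] = "rejected: SameSite=None requires Secure"
        elif "samesite" not in h.lower():
            findings[c.name] = "defaulted to Lax: not sent in cross-site iframes or POSTs"
        else:
            findings[c.name] = f"ok: SameSite={c.same_site}, Secure={c.secure}"
    return findings


# Constructed sample headers; names come from this page, values are invented.
SAMPLE_HEADERS = [
    ".AspNetCore.Antiforgery.EXAMPLE=tok123; path=/; samesite=strict; httponly",
    "ARRAffinity=abc; path=/; httponly",                               # no SameSite
    "EPi:NumberOfVisits=3; path=/; max-age=31536000; samesite=none",   # None, no Secure
    "ai_session=xyz; path=/; samesite=none; secure",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {verdict}")
    affinity = parse_set_cookie(SAMPLE_HEADERS[1])
    print("ARRAffinity on cross-site link:", would_send(affinity, True, True, True))
    print("ARRAffinity in cross-site iframe:", would_send(affinity, True, False, True))
```

Run it as a script to see the audit of the sample headers; to check a real site, replace SAMPLE_HEADERS with the Set-Cookie values from its HTTP responses. The session-affinity cookie without an explicit SameSite is the case that silently breaks framed or embedded scenarios after the Chrome 80 change.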

Note: Older browsers might not support SameSite, or might implement SameSite with different behavior.

Configure SameSite for anti-forgery

Configuring the built-in anti-forgery protection used by the Optimizely user interface (requires EPiServer.CMS.Core 11.15):

context.Services.Configure<AspNetAntiForgeryOptions>(options => {
  // Send SameSite=None so the anti-forgery cookie is also included in cross-site contexts
  options.CookieSameSiteType = SameSiteType.None;
  // Required whenever SameSite=None is used: the cookie is only sent over HTTPS
  options.CookieRequireSSL = true;
});

Configure SameSite for forms authentication

Configuring forms authentication to use None and require HTTPS:

<authentication>
  <forms cookieSameSite="None" requireSSL="true" />
</authentication>

Configure SameSite for session state

Configuring session state to use None:

<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>

Configure SameSite default values for cookies

Configuring the default for cookies that do not explicitly use SameSite:

<httpCookies sameSite="None" requireSSL="true" />

Revert behavior of sending SameSite = None to browsers

Revert to the previous behavior of not sending SameSite="None" to browsers:

<appSettings>
  <add key="aspnet:SuppressSameSiteNone" value="true" />
</appSettings>

Known issue

  • A bug in Chrome affects large, secured PDFs when SameSite=Lax is used for the forms authentication cookie.

Related topics