Cookie usage
Learn how Optimizely Content Management System (CMS) SaaS uses cookies.
Cookies are small text files that a browser stores to maintain session state, support security mechanisms, and enable platform functionality. In Content Management System (CMS) (SaaS), these cookies support authentication, security, analytics, and platform operations for administrators and editors who access the CMS UI.
The cookies described in this article
- Apply primarily to administrators and editors.
- Are managed by Optimizely as part of the SaaS platform.
- Are not used to track public website visitors unless explicitly stated.
Cookie scope and responsibility
- Optimizely manages cookies required for CMS (SaaS) functionality, security, analytics, and infrastructure.
- Customers cannot modify or override CMS (SaaS) authentication, security, or infrastructure cookies.
- Customers are responsible for documenting CMS (SaaS) cookies in internal privacy notices provided to administrators and editors.
- Optimizely manages visitor-facing website cookies separately, and their management depends on customer implementation.
Customer configuration capabilities
In Optimizely CMS (SaaS)
Customers can do the following:
- Review and document CMS (SaaS) cookies in internal privacy notices.
- Disable optional analytics features where supported.
Customers cannot do the following:
- Modify authentication, essential, or infrastructure cookies.
- Remove required CMS (SaaS) cookies.
- Change cookie security attributes.
Cookie categories
Optimizely CMS (SaaS) uses cookies in the following categories:
- Essential – Required for authentication, security, and core CMS (SaaS) functionality.
- Functional – Support CMS (SaaS) UI features and workflows.
- Analytics – Collect aggregated usage data to improve product reliability and usability.
- Infrastructure – Support cloud hosting and platform operations.
CMS (SaaS) cookie inventory
The following table lists cookies used by Optimizely CMS (SaaS):
| Cookie name | Category | Purpose | Required | Storage duration | HttpOnly | Applies to |
|---|---|---|---|---|---|---|
epihash | Functional | Preserves URL hash during login redirect to maintain navigation context. | Yes | 5 minutes | No | Administrators |
.ImageEditorFileSize. | Functional | Stores image file size for the CMS (SaaS) Image Editor UI. | Yes | Session | No | Administrators |
.AspNetCore.Antiforgery.* | Essential | Protects the CMS (SaaS) UI against cross-site request forgery (CSRF). | Yes | Session | Yes | Administrators |
oid-login* | Essential | Maintains authentication session for Optimizely Identity. | Yes | Configurable (default: session) | Yes | Administrators |
ajs_user_id | Analytics | Segments user identifier for CMS (SaaS) usage analytics (third party). | No | 1 year | No | Administrators |
ajs_group_id | Analytics | Segments organization identifier for CMS (SaaS) usage analytics (third party). | No | 1 year | No | Administrators |
ajs_anonymous_id | Analytics | Segments anonymous session identifier for CMS (SaaS) usage analytics. | No | 1 year | No | Administrators |
ai_session | Analytics | Routes requests within the Azure cloud environment. | Yes | Session | Yes | All users |
ARRAffinity | Infrastructure | Handles Azure routing cookie with SameSite support. | Yes | Session | Yes | All users |
ARRAffinitySameSite | Infrastructure | Tracks Microsoft Application Insights sessions. | No | 30 minutes | No | All users |
Third-party services CMS (SaaS) uses
Optimizely CMS (SaaS) uses the following third-party services that set cookies:
Microsoft Azure
Provides cloud hosting, routing, and deployment infrastructure. Uses infrastructure cookies such as ARRAffinity.
Microsoft Application Insights
Collects aggregated telemetry and performance data to monitor service health. Uses analytics cookies such as ai_session.
Segment
Collects CMS (SaaS) usage analytics to improve product usability and reliability. Uses analytics cookies such as ajs_*.
Optimizely Identity
Provides authentication and authorization using OpenID Connect (OIDC). Uses authentication cookies such as oid-login*.
SameSite cookie behavior
The SameSite attribute controls when browsers send cookies with cross-site requests. Optimizely CMS (SaaS) applies SameSite and Secure attributes according to current browser requirements.
Supported values include the following:
SameSite=LaxSameSite=StrictSameSite=None(requires HTTPS)
Optimizely manages these attributes at the platform level. Customers cannot configure SameSite behavior for CMS (SaaS) cookies.
Modern browsers enforce stricter cookie handling rules.
- Browsers default to
SameSite=Laxwhen no value is specified. - Cookies that use
SameSite=Nonemust also use theSecureattribute. - Older browsers may not fully support
SameSite.
The Optimizely CMS (SaaS) platform handles these behaviors.
Known limitations
- Browser restrictions may affect cross-domain scenarios that rely on cookies, including embedded
iframes. - Browser-specific limitations may impact certain secured downloads in rare scenarios.
Updated 15 days ago