DXP cookies
Describes cookies and how they are used by the different products and features in the Optimizely platform.
A cookie is a small piece of data sent from a website and stored by the web browser on a visitor's computer while browsing a website. The main purpose of a cookie is for websites to remember stateful information or to record a visitor's browsing activity.
Cookies are usually small text files stored locally in the browser directory or program data subfolders. The website stores a corresponding file (with the same ID tag).
Optimizely Digital Experience Platform (DXP) uses the following cookies for various purposes.
- ARRAffinity – Required. It routes the request through a web browser to the same machine in the DXC cloud environment. See ARRAffinity - Microsoft Azure. DXP deletes this cookie when you close your browser.
- ai_session – Used with Microsoft Application Insights, it collects statistical usage and telemetry information and is a unique anonymous session identifier cookie.
- ai_user – Used with Microsoft Application Insights, it collects statistical usage and telemetry information and is a unique user identifier cookie for counting the number of users accessing an application over time.
- TiPMix – Used in Azure to pin a user session to a deployment slot during deployments.
- x-ms-routing-name – Used in Azure during deployments to route to deployment slots.
For information about other cookies used in the Optimizely platform, see Optimizely platform cookies for Optimizely Content Management System (CMS) 12.
Cookies and Optimizely
Select the following sections to see how users use cookies in other parts of the Optimizely platform.
SameSite cookies attributes
With version 80, Google Chrome implemented the changes the IETF has proposed for the SameSite cookie attribute. These are:
- The default cookie setting without a SameSite attribute changes from SameSite="None" to SameSite="Lax".
- When using SameSite="None", you must also specify Secure. Otherwise, the cookie is rejected. Secure requires communication over HTTPS.
To comply with these changes, Microsoft ASP.NET emits a SameSite cookie header when HttpCookie.SameSite value is None. FormsAuth and SessionState cookies are also issued with SameSite="Lax" instead of the previous default value None as part of this change.
See Work with SameSite cookies in ASP.NET for documentation on the changes in ASP.NET.
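The two Chrome 80 rules above, modeled as an added example (not Optimizely or Microsoft code): it parses Set-Cookie header values and reports the effective SameSite mode and whether the browser would reject the cookie. The function names, the sample headers, and the handling of an unrecognized SameSite value like a missing attribute are assumptions of this example.

```javascript
// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Rule 1: no SameSite attribute is treated as Lax.
// Rule 2: SameSite=None without Secure is rejected.
function evaluateSameSite(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const secure = "secure" in attrs;
  // Assumption: an unrecognized value is handled like a missing attribute.
  const effective = ["strict", "lax", "none"].includes(raw) ? raw : "lax";
  const rejected = effective === "none" && !secure;
  // Only an accepted SameSite=None cookie is sent when the site is framed
  // under another domain (the Lax limitation described under Troubleshoot).
  const sentInCrossSiteIframe = !rejected && effective === "none";
  return { name, effective, secure, rejected, sentInCrossSiteIframe };
}

// Constructed sample headers (values are made up for illustration).
const sampleHeaders = [
  "ARRAffinity=abc123; Path=/; HttpOnly",
  ".ASPXAUTH=xyz; Path=/; HttpOnly; SameSite=None",
  ".ASPXAUTH=xyz; Path=/; HttpOnly; Secure; SameSite=None",
  "ASP.NET_SessionId=s1; Path=/; HttpOnly; SameSite=Lax",
];

function auditHeaders(headers) {
  return headers.map(evaluateSameSite);
}

for (const r of auditHeaders(sampleHeaders)) {
  console.log(`${r.name}: effective=${r.effective} rejected=${r.rejected} ` +
    `crossSiteIframe=${r.sentInCrossSiteIframe}`);
}
```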
Known issue - PDF preview for secured PDF
A bug in Chrome affects large PDFs with restricted access when SameSite = Lax for forms authentication.
Troubleshoot
The policy should work for most websites and cookies. Websites that cannot comply with the requirements of Lax have to change the default values. An example of a limitation with Lax is that you cannot iframe the site under another domain and still use cookie-based features such as authentication and session state.
Note
Older browsers might not support SameSite or implement a different behavior on SameSite.
Configure SameSite for anti-forgery
Configuring the built-in anti-forgery used in Optimizely user interface (requires EPiServer.CMS.Core 11.15):
context.Services.Configure<AspNetAntiForgeryOptions>(options => {
    options.CookieSameSiteType = SameSiteType.None;
    options.CookieRequireSSL = true;
});
Configure SameSite for forms authentication
Configuring forms authentication to use None and HTTPS:
<authentication>
    <forms cookieSameSite="None" requireSSL="true" />
</authentication>
Configure SameSite for session state
Configuring session state to use None:
<sessionState cookieSameSite="None" cookieless="false" timeout="360">
</sessionState>
Configure SameSite default values for cookies
Configuring the default for cookies that do not explicitly use SameSite:
<httpCookies sameSite="None" requireSSL="true" />
Revert behavior of sending SameSite = None to browsers
Revert to the previous behavior of not sending SameSite="None" to browsers:
<appSettings>
    <add key="aspnet:SuppressSameSiteNone" value="true" />
</appSettings>