Use of Cookies

Bot Defender Cookies

HUMAN Bot Defender uses the cookies listed in the table below. For best system operation, we recommend to unblock all HUMAN cookies.

Cookie name

Cookie Purpose Description

Type

Expiration

1st or 3rd Party

Category

Note

Size

_pxvid

Used for browser detection and distinguishing whether it is a real user or malicious bot.

JS

1 year

1st Party

Strictly Necessary

Visitor ID (randomly generated ID)

42b

_px* (e.g _px, _px2, _px3)

Used to maintain a session with PerimeterX. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

JS

5.5 minutes

1st Party

Strictly Necessary

Visitor ID (randomly generated ID)
Session ID (uuid)
Time expiration

up to 500b

_pxff_*
(e.g
_pxff_af_c
_pxff_af_rf
_pxff_af_se
_pxff_af_sp
_pxff_af_wp
_pxff_bdd
_pxff_idp_c
_pxff_idp_p
_pxff_wa
_pxff_wow
_pxff_ww
_pxff_tm)

Used to flag features for browser detection and distinguishing whether it is a real user or malicious bot.

JS

1 day

1st Party

Strictly Necessary

all pxff cookies are feature flags for PerimeterX code, including no visitor specific data, but instead - instructions for the PerimeterX code running on the client side.

9b-20b

_pxmvid

User Token (from WebView via mobile SDK integration)

JS

1 hour

1st Party

Strictly Necessary

Visitor ID (randomly generated ID)

43b

_pxhd

Used for server-side detection and distinguishing whether it is a real user or malicious bot.

HTTP

1 year

1st Party

Strictly Necessary

Visitor ID (randomly generated ID)

106b

pxcts

Used to maintain a cross tab session

HTTP

session

1st Party

Strictly Necessary

cross tab session
(randomly generated ID)

43b

_pxde

Data enrichment feature (e.g is the user in access control)

JS

5 days

1st Party

Analytics

Hashed incident type
Hashed access control identification

100b-200b

HttpOnly and Secure Flags

By default, HUMAN cookies are not set with the HttpOnly and Secure flags, for the following reasons:

The HttpOnly flag prevents client-side scripts from accessing cookies. However, Bot Defender uses a Java Script snippet called Sensor, which is embedded in all protected pages. To operate, Sensor needs to access HUMAN cookies.

The Secure flag ensures that cookies are sent over the HTTPS protocol only. However, Bot Defender protects against malicious bots over both HTTPS and HTTP protocols. It also requires cookies to be sent to the server side. Where only HTTPS is used for all the traffic, including APIs, the Secure flag can be set.

It is important to note that HUMAN secures information carried by cookies using all necessary means of protection, including encryption, hash functions, and signatures.