Guide

Cookies and local storage

Suggest Edits

Hosted Login makes use of both cookies and your browser’s local storage as aids in assisting user authentications and in tracking user sessions. Among other things, this means that cookies must be enabled in order for you to log on to Hosted Login. If you disable cookies on your browser, then any attempt to log on to a Hosted Login-powered website results in an error similar to this:

In addition, if you open up your browser’s developer tools you’ll also see a series of error messages like this one:

Request to access cookies or storage on "https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/auth-ui/login?__aic_csrf=YsNcOO0_i5VuoEgL&client_id=87671fe1-6ebd-4ec1-a0d1-9c69dea55db8&code_challenge=vroaWFNHORA49bAOdGO__kstpf7LWzBfeiT6oKUNIIU&code_challenge_method=S256&prompt=login&redirect_uri=https%3A%2F%2Foidc-playground.akamai.com%2Fredirect_uri&response_type=code&scope=openid&state=7ZvzcgylLlpQhYnAzjB7xUmDb-i3pad8NKdvbXgNZi4" was blocked because of custom cookie permission.

So exactly what cookies and what local storage entries does Hosted Login make use of? In this document, we’ll provide a brief overview of the cookies and local storage entries you’re likely to see when logging on to a Hosted Login website. Note that the two cookie-related tables (one for Hosted Login itself and the other for social login)  use the following terminology:

  • HttpOnly. When true, the cookie is not accessible to client-side scripts (for example, scripts that use the JavaScript document.cookie API).

  • Secure. When true, the cookie can only be sent to the server using the HTTPS protocol.

  • SameSite. Specifies how cookies are sent with a cross-site request:

    • If set to Strict, a cookie can only be sent to its origin site. 

    • If set to Lax, a cookie is sent any time a user navigates to the cookie’s origin site. 

    • If set to None, cookies are sent on both origin and cross-site requests, but only if the Secure attribute is set to true.

  • Stores PII (personally identifiable information). If Yes, the cookie value contains information that can be employed to identify the user.

To view these cookies for yourself, go to the Hosted Login sign-screen and locate your browser’s develop tools; for example, in Firefox, click Tools, point to Browser Tools, and then click Web Developer Tools. In the Storage section, look for Cookies and for Local Storage. For example:

Here’s what you can expect to find there.


Hosted Login cookies

CookieDescriptionSample Value
_csrf_tokenRandom string of characters that helps guard against cross-site request forgeries, a type of web attack in which a trusted user is tricked into sending the server  a malicious command. Using the _csrf_token cookie, and requiring all web requests to include this cookie, helps protect sites against cross-site forgeries.

Although we don’t recommend deleting it, this cookie is not required in order to log on.		21af84a3e4a8dcd63ea1c4ead48ad4036ad
1800451e4b5e7945493eb2c7ef726
ak_bmscCookie used to optimize performance, and to improve the user experience, on ​Akamai​ websites.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

HttpOnly: false
Secure: false
SameSite: None
Stores PII: No		3B3981792798731388C615DD918455E~
<000000000000000000000000000000~
YAAQ1KhkaP/UtbV7AQAAGR2wUA1Vy9
DYNNdl/IhAM7wDWZqBaHd8NoVNEKn
N8emw0M1os/fzvZqEUFPA6qAM/TeSb+<br/SVEfzs3JW/95e9KhuD9zf4J867BaCiV
95CFiVKRLXuOM1fiRwqRiZPBoKf6eNMj
A+gPQbgdxlQqdpfzeA8Ac1lwE5y6ShjVd
lrk7mjEniDkc9UAg/OGpybAdEAfAXy5qm
bH6E45+GoaZJYkySdYOZwW8rHdi0eDv8
Az/9Gxyvptc9sv+ccVg+NkZ84pDynR1zZzj
GBuIG/6CJWHSzAHS33lEk7gPDk5FIATUr
bacMrvhByiGjc5q5yX1RFyTWOMdaw7cLi
BW0sT4CNlhRh1KNt8/17l84oLs4qyu4XK
W56YFZ21Ku7QqEnMwJ9xqWM=
{customer_id}Unique identifier for the authentication session. Note that the actual name of this cookie is your ​Akamai​ customer ID. For example: e0a70b4f-1eef-4856-bcdb-f050fee66aae.

Note that you must have either this cookie or the aic_authui_{customer_id} cookie in order to log on. If you delete both cookies, login fails.

HttpOnly: true
Secure: true
SameSite: Lax
Stores PII: No		84308c6a-c40b-4ac8-b09d-0f4cf7afb282
bm_svCookie used by ​Akamai​ Bot Manager to help differentiate between web requests generated by humans and web requests generated by bots or other automated processes.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

HttpOnly: false
Secure: true
SameSite: None
Stores PII: No		41CDD82A3A77D5CCE2B54956EFFBD484~
2v+fgMc/HS3XXYBU8DwOrq6CfX2ufpT4w9
woRIdO0nl7zCUij0wstoi3DYubs+YquYCQ7
WQxx+a5iXEYmA6bTOHqjgAwHDgmdYy+t
d8sYgU8wqCgjNG0oHmvnWE3JyaePt37uro
2bNpZeWSUKFoaYvBFrYs3y1EBXG5nLn9g=
aic_authui_{customer_id}Unique identifier for the authentication session. Note that the actual name of this cookie will be aicauthui plus the ​Akamai​ customer ID (for example, e0a70b4f-1eef-4856-bcdb-f050fee66aae). This means that the cookie name look more like this:

aic_authui_e0a70b4f-1eef-4856-bcdb-f050fee66aae

Note that you must have either this cookie or the {customer_id} cookie in order to log on. If you delete both cookies, login fails.

HttpOnly: true
Secure: true
SameSite: None
Stores PII: No		aic_authui_84308c6a-c40b-4ac8-b09d-0f4cf7afb282
janrainFailedLogins_sessionIf available, and if set to session, indicates that a valid session currently exists on the device.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

HttpOnly: false
Secure: false
SameSite: None
Stores PII: No
janrainCaptureTokenRefresh_sessionEstablishes a Capture widget session. A value of session indicates that a session is currently active.

HttpOnly: false
Secure: false
SameSite: None
Stores PII: No		session

Social login cookies

CookieDescriptionSample Value
login_tabName of the social login identity provider.

HttpOnly: false
Secure: false		amazon
_accelerator_session_idUnique identifier used during login processing. This cookie is automatically deleted when the browser session ends.

HttpOnly: false
Secure: false
janrain_login_startUnique identifier sent to the social login identity provider. This same value should be included in the identity provider’s response.

HttpOnly: true
Secure: false		ojgecfldejbiijidhfjm.F1p_
tA3P_3xL3iCRC96muIjt
akamai_idpd_sessionUnique identifier of the authentication session. Depending on your browser, either janraid_idpd_session or akamai_idpd_session is employed as your session identifier.

HttpOnly: true
Secure: false
SameSite: None		yrtfgecjbmbglaockjtss.nU4
HN9K887HYrCxbHXHnqLu9
janrain_idpd_sessionUnique identifier of the authentication session. Depending on your browser, either janraid_idpd_session or akamai_idpd_session is employed as your session identifier.

HttpOnly: true
Secure: false
yrtfgecjbmbglaockjtss.nU4
HN9K887HYrCxbHXHnqLu9

Hosted Login local storage entries

KeyDescriptionSample Value
janrainCaptureReturnExperienceDataUser data (typically the user’s display name and/or the user’s UUID) retained from the last successful login. If you look at the sign-in screen’s page source, the attribute values stored here can be found by searching for the value of the returnExperienceUserData setting.

Stores PII: Yes		{"displayName": "Karim Nafir"}
janrainCaptureReturnExperienceData_ExpiresDate and time when the return experience data expires. This is typically 5 years from the time when the data was recorded.

Stores PII: No		Sun: 04 Oct 2026 14:34:30 GMT
janrainCaptureToken_ExpiresDate and time when the current access token expires (typically 1 hour after the token was issued). If no valid session is found then this key will not be available.

Stores PII: No		Mon: 04 Oct 2021 15:34:30 GMT
janrainFailedLoginsTracks the number of consecutive failed login attempts for the current device. If this value exceeds the value of the login_attempts setting configured in the application client, then the user will temporarily be prevented from logging on. This helps guard against “brute force” web attacks. 

The cookie value is reset to 0 after a successful authentication.

Stores PII: No		2

Updated 25 days ago