Hosted Login: Cookies and Local Storage

Hosted Login uses both cookies and your browser’s local storage to assist with user authentication and to track user sessions. Among other things, this means that cookies must be enabled in order for you to log on to Hosted Login. If you disable cookies on your browser, then any attempt to log on to a Hosted Login-powered website results in an error similar to this:

In addition, if you open up your browser’s developer tools you’ll also see a series of error messages like this one:

Request to access cookies or storage on “https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/auth-ui/login?__aic_csrf=YsNcOO0_i5VuoEgL&client_id=87671fe1-6ebd-4ec1-a0d1-9c69dea55db8&code_challenge=vroaWFNHORA49bAOdGO__kstpf7LWzBfeiT6oKUNIIU&code_challenge_method=S256&prompt=login&redirect_uri=https%3A%2F%2Foidc-playground.akamai.com%2Fredirect_uri&response_type=code&scope=openid&state=7ZvzcgylLlpQhYnAzjB7xUmDb-i3pad8NKdvbXgNZi4” was blocked because of custom cookie permission.

So exactly what cookies and what local storage entries does Hosted Login make use of? In this document, we’ll provide a brief overview of the cookies and local storage entries you’re likely to see when logging on to a Hosted Login website. Note that the two cookie-related tables (one for Hosted Login itself and the other for social login) use the following terminology:

  • HttpOnly. When true, the cookie is not accessible to client-side scripts (for example, scripts that use the JavaScript document.cookie API).
  • Secure. When true, the cookie can only be sent to the server using the HTTPS protocol.
  • SameSite. Specifies how cookies are sent with a cross-site request:
    • If set to Strict, a cookie can only be sent to its origin site.
    • If set to Lax, a cookie is sent any time a user navigates to the cookie’s origin site.
    • If set to None, cookies are sent on both origin and cross-site requests, but only if the Secure attribute is set to true.
  • Stores PII (personally identifiable information). If Yes, the cookie value contains information that can be employed to identify the user.
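The attribute definitions above can be checked mechanically. Because HttpOnly cookies are not visible to document.cookie, the check has to read the Set-Cookie response headers instead. The following is an added example, not Akamai code: the header values are constructed and the cookie names are hypothetical.

```javascript
// Added example. SAMPLE_HEADERS are constructed values, not captured from
// Hosted Login; the cookie names are hypothetical.
const SAMPLE_HEADERS = [
  "example_session=AAAA; Path=/; HttpOnly; Secure; SameSite=Lax",
  "example_csrf=BBBB==; Path=/; Secure; SameSite=Lax",
  "example_tracker=CCCC; Path=/; HttpOnly; SameSite=None",
  "example_flag=session; Path=/",
];

// Parse one Set-Cookie header value into the attributes used in the tables.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("="); // the value itself may contain "="
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = rawVal.trim().toLowerCase();
  }
  return cookie;
}

// Describe what each attribute combination means, per the definitions above.
function auditCookie(c) {
  const notes = [];
  if (!c.httpOnly) notes.push("readable via document.cookie (HttpOnly not set)");
  if (!c.secure) notes.push("not restricted to HTTPS (Secure not set)");
  if (c.sameSite === null) notes.push("SameSite absent; browser default applies");
  if (c.sameSite === "none" && !c.secure)
    notes.push("SameSite=None without Secure; cross-site sending requires Secure");
  return notes;
}

// Audit a list of header values; returns { cookieName: [notes] }.
function auditHeaders(lines) {
  const report = {};
  for (const line of lines) {
    const c = parseSetCookie(line);
    report[c.name] = auditCookie(c);
  }
  return report;
}

console.log(auditHeaders(SAMPLE_HEADERS));
```

An empty list means the cookie is HttpOnly, Secure, and carries an explicit SameSite value.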

To view these cookies for yourself, go to the Hosted Login sign-in screen and locate your browser’s developer tools; for example, in Firefox, click Tools, point to Browser Tools, and then click Web Developer Tools. In the Storage section, look for Cookies and for Local Storage. For example:

Here’s what you can expect to find there.


Hosted Login Cookies

Cookie

Description

Sample Value

_csrf_token

Random string of characters that helps guard against cross-site request forgeries, a type of web attack in which a trusted user is tricked into sending the server a malicious command. Using the _csrf_token cookie, and requiring all web requests to include this cookie, helps protect sites against cross-site request forgeries.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

  • HttpOnly: false
  • Secure: true
  • SameSite: Lax
  • Stores PII: No

21af84a3e4a8dcd63ea1c4ead48ad4036ad1800451e4b5e7945493eb2c7ef726

ak_bmsc

Cookie used to optimize performance, and to improve the user experience, on Akamai websites. 

Although we don’t recommend deleting it, this cookie is not required in order to log on.

  • HttpOnly: true
  • Secure: false
  • SameSite: None
  • Stores PII: No

{customer_id}

Unique identifier for the authentication session. Note that the actual name of this cookie is your Akamai customer ID. For example: e0a70b4f-1eef-4856-bcdb-f050fee66aae.

Note that you must have either this cookie or the aic_authui_{customer_id} cookie in order to log on. If you delete both cookies, login fails.

  • HttpOnly: true
  • Secure: true
  • SameSite: Lax
  • Stores PII: No

84308c6a-c40b-4ac8-b09d-0f4cf7afb282

bm_sv

Cookie used by Akamai Bot Manager to help differentiate between web requests generated by humans and web requests generated by bots or other automated processes.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

  • HttpOnly: true
  • Secure: false
  • SameSite: None
  • Stores PII: No

aic_authui_{customer_id}

Unique identifier for the authentication session. Note that the actual name of this cookie will be aic_authui_ plus the Akamai customer ID (for example, e0a70b4f-1eef-4856-bcdb-f050fee66aae). This means that the cookie name looks more like this:

aic_authui_e0a70b4f-1eef-4856-bcdb-f050fee66aae

Note that you must have either this cookie or the {customer_id} cookie in order to log on. If you delete both cookies, login fails.

  • HttpOnly: true
  • Secure: true
  • SameSite: None
  • Stores PII: No

84308c6a-c40b-4ac8-b09d-0f4cf7afb282

janrainFailedLogins.session

If available, and if set to session, indicates that a valid session currently exists on the device.

Although we don’t recommend deleting it, this cookie is not required in order to log on.

  • HttpOnly: false
  • Secure: false
  • SameSite: None
  • Stores PII: No

session



Social Login Cookies

Cookie

Description

Sample Value

login_tab

Name of the social login identity provider.

  • HttpOnly: false
  • Secure: false

amazon

_accelerator_session_id

Unique identifier used during login processing. This cookie is automatically deleted when the browser session ends.

  • HttpOnly: true
  • Secure: false


janrain_login_start

Unique identifier sent to the social login identity provider. This same value should be included in the identity provider’s response.

  • HttpOnly: true
  • Secure: false

ojgecfldejbiijidhfjm.F1p_tA3P_3xL3iCRC96muIjt.

akamai_idpd_session

Unique identifier of the authentication session. Depending on your browser, either janrain_idpd_session or akamai_idpd_session is employed as your session identifier.

  • HttpOnly: true
  • Secure: false
  • SameSite: None

yrtfgecjbmbglaockjtss.nU4HN9K887HYrCBxbHXHnqLu9

janrain_idpd_session

Unique identifier of the authentication session. Depending on your browser, either janrain_idpd_session or akamai_idpd_session is employed as your session identifier.

  • HttpOnly: true
  • Secure: false

yrtfgecjbmbglaockjtss.nU4HN9K887HYrCBxbHXHnqLu9



Hosted Login Local Storage Entries

Key

Description

Sample Value

janrainCaptureReturnExperienceData



User data (typically the user’s display name and/or the user’s UUID) retained from the last successful login. If you look at the sign-in screen’s page source, the attribute values stored here can be found by searching for the value of the returnExperienceUserData setting.

  • Stores PII: Yes

{"displayName": "Karim Nafir"}

janrainCaptureReturnExperienceData_Expires

Date and time when the return experience data expires. This is typically 5 years from the time when the data was recorded.

  • Stores PII: No

Sun: 04 Oct 2026 14:34:30 GMT

janrainCaptureToken_Expires

Date and time when the current access token expires (typically 1 hour after the token was issued). If no valid session is found then this key will not be available.

  • Stores PII: No

Mon: 04 Oct 2021 15:34:30 GMT

janrainFailedLogins

Tracks the number of consecutive failed login attempts for the current device. If this value exceeds the value of the login_attempts setting configured in the application client, then the user will temporarily be prevented from logging on. This helps guard against “brute force” web attacks. 

The cookie value is reset to 0 after a successful authentication.

  • Stores PII: No

2