Cookie usage

Note

To configure Content Hub, you must either be a superuser or have the necessary permissions granted to you through user group policies.

The following browser cookies are used by Sitecore Content Hub:

Cookie name

Scope

Description

.AspNetCore.Identity.Application

Authentication

Used for user authentication. In the user authentication settings, you can update the CookieName and CookieDomain properties. You can also configure the ExpireTimeSpan and SlidingExpiration values.

Identity.External

Authentication (SSO)

Used for external user authentication (SSO) only.

__xRequestedBy

Security (antiforgery)

Used as a security measure to prevent cross-site request forgery attacks (CSRF).

Cookies used by Content Hub contain minimal encrypted information about the logged-in user, such as the user ID and the username.

Note

To avoid third parties interfering with these cookies, Content Hub uses Secure/HTTPOnly flags. With the secure flag, cookies are only sent over secure HTTPS connections. The HTTPOnly flag prevents JavaScript from accessing the cookie, providing an extra protection layer against cross-site scripting (XSS) attacks.

SameSite compatibility

Content Hub supports the 2019 draft standard for SameSite. Changes to Google Chrome regarding cookies introduced two main changes:

  • Treat the lack of an explicit SameSite attribute as SameSite=Lax.

  • Require the Secure attribute to be set for any cookie which asserts SameSite=None.

This updated SameSite policy was a breaking change, as it modified the default behavior of cookies when the SameSite attribute was not specified (Lax for browsers adopting the new standard, None for the other ones), causing inconsistencies among browsers.

To work around this compatibility issue, Content Hub introduced a middleware component that checks the active browser and verifies that all cookie headers have the correct values.

To configure the SameSiteCompatibility setting:

  1. On the menu bar, click Manage cog icon.

  2. On the Manage page, click Settings.

  3. On the Settings page, using the search box, find Authentication.

The SameSiteCompatibility setting is in the Authentication JSON file:

RequestResponse

"SameSiteCompatibility":{
  "is_enabled":true,
  "user_agent_patterns":[
    "(Chrome/5|Chrome/6)",
    "(CPU iPhone OS 12|iPad; CPU OS 12)",
    "^(?=.\bMacintosh; Intel Mac OS X 10_14\b)(?=.\bVersion/\b)(?=.\bSafari\b).$"
  ]
}

Where:

  • is_enabled- enables or disables SameSiteCompatibility:

    • If enabled, the cookie policy checks whether or not the user agent of the current request matches any of the patterns specified in the user_agent_patterns property and sets the samesite property on cookies accordingly.

    • Default value: true

  • user_agent_patterns- contains the list of regex patterns for which the SameSite property on the cookies is set to Unspecified(-1).

    • Default value:

      RequestResponse
      
      "user_agent_patterns": [
      "(Chrome/5|Chrome/6)",
      "(CPU iPhone OS 12|iPad; CPU OS 12)",
      "^(?=.*\bMacintosh; Intel Mac OS X 10_14\b)(?=.*\bVersion/\b)(?=.*\bSafari\b).*$"
      ]
      
      

Do you have some feedback for us?

If you have suggestions for improving this article,