Spotfire® Server and Environment Security

HTTP Cookies

Spotfire Server can set the following HTTP cookies in clients that connect over its public HTTP/HTTPS port (default 80 for HTTP, 443 for HTTPS).

The Secure attribute is set only when a cookie is issued over HTTPS; cookies issued over plain HTTP do not carry it. Spotfire's protection against cross-site request forgery (CSRF) does not rely on the SameSite cookie attribute; it relies on the XSRF-TOKEN cookie listed below, which client-side code reads and returns with its requests.

Name: JSESSIONID
Description: Session cookie for Spotfire Server.
Comment: HttpOnly attribute is set.

Name: SF_REMEMBER_ME
Description: Cookie used for the persistent sessions ("remember me") feature when running Spotfire in a web browser.
Comment: HttpOnly attribute is set. See the config-persistent-sessions command.

Name: SUID
Description: Contains the ID of the last authenticated user. It is used to determine whether or not an anonymous session should be created.
Comment: HttpOnly attribute is set.

Name: XSRF-TOKEN
Description: Holds the CSRF token.
Comment: HttpOnly is intentionally not set. The CSRF token is delivered to client-side JavaScript through the cookie value, so the cookie must remain readable from script.

Name: zoneCheck
Description: Cookie the JavaScript API uses to identify browser incompatibilities with Spotfire.
Comment: HttpOnly is not set. It is not needed, because the cookie is used by client-side JavaScript code and does not contain sensitive information.
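The table above is a policy that can be checked, not just read. The following script is an added example (it is not part of Spotfire or of this document): it parses Set-Cookie headers as a browser would, compares each cookie's HttpOnly flag with the expectation from the table, and checks the Secure flag against the scheme the response was received on, since Secure is expected only over HTTPS. The sample headers are constructed for illustration, not captured from a real server, and the cookie values in them are placeholders.

```python
"""Audit Set-Cookie headers from a Spotfire Server against the cookie table on this page.

Added example, not Spotfire code. Sample headers below are constructed, not captured.
"""
from dataclasses import dataclass

# Expected HttpOnly policy per cookie, taken from the table on this page.
# True: HttpOnly must be present. False: it must be absent, because
# client-side JavaScript has to read the cookie.
EXPECTED_HTTPONLY = {
    "JSESSIONID": True,
    "SF_REMEMBER_ME": True,
    "SUID": True,
    "XSRF-TOKEN": False,   # CSRF token is handed to script via the cookie value
    "zoneCheck": False,    # read by the JavaScript API; not sensitive
}


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict  # lowercase attribute name -> value, or True for bare flags


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header into name, value and its attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    bare flags such as Secure and HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return ParsedCookie(name.strip(), value, attrs)


def audit(set_cookie_headers, scheme: str):
    """Return (cookie_name, finding) tuples; an empty list means the headers match the policy.

    scheme is "https" or "http": the scheme of the connection the response arrived on.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        httponly = "httponly" in cookie.attrs
        secure = "secure" in cookie.attrs
        expected_httponly = EXPECTED_HTTPONLY.get(cookie.name)

        if expected_httponly is None:
            findings.append((cookie.name, "undocumented cookie; review before allowing"))
            continue
        if expected_httponly and not httponly:
            findings.append((cookie.name, "HttpOnly expected but missing"))
        if not expected_httponly and httponly:
            findings.append((cookie.name, "HttpOnly set, but client-side JavaScript must read this cookie"))
        # Secure is expected only over HTTPS; over HTTP a Secure cookie cannot be used.
        if scheme == "https" and not secure:
            findings.append((cookie.name, "Secure missing on an HTTPS connection"))
        if scheme == "http" and secure:
            findings.append((cookie.name, "Secure set over plain HTTP; the cookie cannot be used on this connection"))
    return findings


# Constructed sample: what a correct HTTPS login response to a web client might set.
SAMPLE_HTTPS_OK = [
    "JSESSIONID=placeholdersession01; Path=/; Secure; HttpOnly",
    "XSRF-TOKEN=placeholdertoken01; Path=/; Secure",
    "SUID=42; Path=/; Secure; HttpOnly",
]

# Constructed sample with two deviations from the table: JSESSIONID lacks HttpOnly
# and XSRF-TOKEN has HttpOnly, which would break the CSRF token hand-off to script.
SAMPLE_HTTPS_BAD = [
    "JSESSIONID=placeholdersession02; Path=/; Secure",
    "XSRF-TOKEN=placeholdertoken02; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("ok", SAMPLE_HTTPS_OK), ("bad", SAMPLE_HTTPS_BAD)):
        print(label, audit(headers, "https"))
```

In practice the header list comes from the response to the login request (for example `response.headers.get_all("Set-Cookie")` on a `http.client` response, or `response.raw.headers.getlist("Set-Cookie")` with requests), and the scheme is the one the request was made with; over HTTP the script correctly does not flag missing Secure attributes, but it will flag any Secure cookie the server tries to set there.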