NOTE: Any major functional changes to our cookies policy and use will appear in our release notes.
Listed below are the cookies that your forum can use.
- This cookie is the one that means you are logged in. Delete this cookie and you end your session. This format is just a convention. The
[your-site] is a string that represents your site and is assigned when your site is spun up. For this site the cookie name is
% is a random hash that gets assigned. For the rest of this document, assume that
- Cannot be opted out of.
- This token is anonymous and is used for CSRF protection.
- Cannot be opted out of.
- This token is anonymous and is used to track visits. It stores no data other than that the a user has visited the site. When a user visits the site his/her user profile is updated with the lastVisitDate and this cookie is set. This cookie is set to expire in 20 minutes. When ever the page loads we check if this cookie is still active, if it is we add 20 minutes to the expiry date. If it is not, we update the lastVisitDate in the user's profile, we record it as a new visit.
- Cannot be opted out of
- This token is used for Analytics tracking. EU users have their data anonymized by default.
- We store several pieces of information on this single cookie:
- Privacy Mode - A numeric flag, used to determine how much we anonymize a user's data when tracking analytics. This value is automatic, based on the detected country of origin.
- Session ID - A randomly-generated ID used to track signed-in-user activity. This value is reset between visits to the site.
- Secondary Session ID - A randomly-generated ID used to track events that could include guest data (e.g. page views).
- UUID - A randomly-generated ID used to uniquely identify the user. This ID can persist between site visits but only lives in the user's analytics cookie.
- Cannot be opted out of -- however, sites can disable Vanilla Advanced Analytics.
__vnOz0 and __vnOz1
These cookies are generated when you have the Who's On Line addon or widget enabled. The purpose of this cookie is to tell the application that there is an active guest visitor, someone without a session, that has been active for at least 20 mins. No other data is kept about the user. Every time a user refreshes the page or navigates to another page this cookie is renewed and the visit is considered active. The value of the cookie is just a random hash, it does not contain any data.
- This the Troll Management cookie. It is not anonymous and persists after logout. It's not used by anything except the Troll Management addon. It is only initially assigned when users log in and does not apply to users who remain guests.
- This is a randomly-generated ID we use to "fingerprint" users to determine if one user is utilizing multiple accounts on a community. It is not derived from any PII.
- Cannot be opted out of -- however, sites can disable the Troll Management addon.
- This is a "session" cookie (sid = session ID). The value maps to a row in Vanilla's Session table. This table is used to temporarily store information for a user. More often than not, this cookie is created as part of an SSO sign-in (although it can also make an appearance when users initiate the "forgot my password" workflow). Depending on the SSO method, Vanilla might need to "remember" some initial values to complete sign-in, after the user is redirected back to the site from the authentication provider
- This cookie serves the same purpose as
vf_[your-site]_% When you are on a forum that is part of a hub/node setup this cookie is set so that the various nodes "know" that you are logged into the hub.
- Cannot be opted-out of.
- Cloudflare uses 2 cookies, both named __cfduid. These live on:
- These are used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.
- For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.
- Full description here: https://support.cloudflare.com/hc/en-us/articles/200170156-What-does-the-Cloudflare-cfduid-cookie-do-
- Another Cloudflare cookie related to rate limiting
- Basically, it makes sure that different users on the same network (sharing the same IP) doing requests to rate-limited URLs won't be counted as one user in order to avoid rate limiting issues.