One of our software's fundamental principles is not collecting or storing personal information that isn't central to the platform's functionality, and that extends to our use of cookies. We do not foresee this changing.
NOTE: Any major functional changes to our cookies policy and use will appear in our release notes.
Listed below are the cookies that your forum can use.
vf_[your-site]_%
- This cookie is the one that means you are logged in. Delete this cookie and you end your session. This format is just a convention. The
[your-site]
is a string that represents your site and is assigned when your site is spun up. For this site the cookie name is vf_success_%
The %
is a random hash that gets assigned. For the rest of this document, assume that %
represents vf_[your-site]_%
. - Cannot be opted out of.
%-tk
- This token is anonymous and is used for CSRF protection.
- Cannot be opted out of.
%-Vv
- This token is anonymous and is used to track visits. It stores no data other than that the a user has visited the site. When a user visits the site his/her user profile is updated with the lastVisitDate and this cookie is set. This cookie is set to expire in 20 minutes. When ever the page loads we check if this cookie is still active, if it is we add 20 minutes to the expiry date. If it is not, we update the lastVisitDate in the user's profile, we record it as a new visit.
- Cannot be opted out of
%-vA
__vnOz0 and __vnOz1
- These cookies are generated when you have the Who's Online addon or widget enabled. The purpose of this cookie is to tell the application that there is an active guest visitor, someone without a session, that has been active for at least 20 mins. No other data is kept about the user. Every time a user refreshes the page or navigates to another page this cookie is renewed and the visit is considered active. The value of the cookie is just a random hash, it does not contain any data.
- Cannot be opted out of, but sites can opt not to use the Who's Online addon or widget.
__vnf
- This the Troll Management cookie. It is not anonymous and persists after logout. It's not used by anything except the Troll Management addon. It is only initially assigned when users log in and does not apply to users who remain guests.
- This is a randomly-generated ID we use to "fingerprint" users to determine if one user is utilizing multiple accounts on a community. It is not derived from any PII.
- Cannot be opted out of, but sites can disable the Troll Management addon.
vf-%-sid
- This is a "session" cookie (sid = session ID). The value maps to a row in Vanilla's Session table. This table is used to temporarily store information for a user. More often than not, this cookie is created as part of an SSO sign-in (although it can also make an appearance when users initiate the "forgot my password" workflow). Depending on the SSO method, Vanilla might need to "remember" some initial values to complete sign-in, after the user is redirected back to the site from the authentication provider.
- Cannot be opted out of.
vf_hub_ENDTX
- This cookie serves the same purpose as
vf_[your-site]_%
When you are on a forum that is part of a hub/node setup this cookie is set so that the various nodes "know" that you are logged into the hub. - Cannot be opted out of.
vf_node_ENDTX
__cfduid
- Cloudflare uses 2 cookies, both named __cfduid. These live on:
- .v-cdn.net
- Yourforums.vanillacommunities.com
- These are used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.
- For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.
- Cannot be opted out of.
__cfruid -
- Another Cloudflare cookie related to rate limiting
- Basically, it makes sure that different users on the same network (sharing the same IP) doing requests to rate-limited URLs won't be counted as one user in order to avoid rate limiting issues.
- Cannot be opted out of.