Vanilla Forums Documentation Technical Considerations

Cookies Used in Vanilla

One of our software's fundamental principles is not collecting or storing personal information that isn't central to the platform's functionality, and that extends to our use of cookies. We do not foresee this changing.

📝 NOTE: Any major functional changes to our cookies policy and use will appear in our release notes.

Listed below are the cookies that your site can use.

vf_[your-site]_%

This cookie means a user is logged in. Delete this cookie and your session will end. This format is just a convention. The [your-site] is a string that represents your site, and is assigned when your site is created. The % is a random hash that gets assigned. For the rest of this article, assume that % represents vf_[your-site]_% .
Users cannot opt out of this cookie.

%-tk

This token is anonymous and is used for CSRF protection.
Users cannot opt out of this cookie.

%-Vv

This token is anonymous, and is used to track visits. It stores no data other than that the a user has visited the site. When a user visits your site, their user profile is updated with the lastVisitDate and this cookie is set.
This cookie is set to expire in 20 minutes. Whenever a page loads, we check whether this cookie is still active; if it is, we add 20 minutes to the expiry date. If it is not, we update the lastVisitDate in the user's profile and record it as a new visit.
Users cannot opt out of this cookie.

%-vA

This token is used for Analytics tracking. EU users have their data anonymized by default.
We store several pieces of information in this single cookie:
- Privacy Mode - A numeric flag, used to determine how much we anonymize a user's data when tracking analytics. This value is automatic, based on the detected country of origin.
- Session ID - A randomly-generated ID used to track signed-in-user activity. This value is reset between visits to the site.
- Secondary Session ID - A randomly-generated ID used to track events that could include guest data (e.g., page views).
- UUID - A randomly-generated ID used to uniquely identify the user. This ID can persist between site visits but only lives in the user's analytics cookie.
Users cannot opt out of this cookie, but sites can disable Vanilla Advanced Analytics.

vnOz0 and vnOz1

These cookies are generated when you have the Who's Online addon or widget enabled. The purpose of this cookie is to tell the application that there is an active guest visitor, someone without a session, that has been active for at least 20 mins. No other data is kept about the user. Every time a user refreshes the page or navigates to another page this cookie is renewed and the visit is considered active. The value of the cookie is just a random hash; it does not contain any data.
Users cannot opt out of this cookie, but sites can opt not to use the Who's Online addon or widget.

__vnf

This cookie is used only for the Troll Management addon. It is not anonymous, and persists after a user logs out. It is only initially assigned when users log in and does not apply to users who remain guests.
This is a randomly-generated ID we use to "fingerprint" users to determine if someone is using multiple accounts. It is not derived from any PII.
Users cannot opt out of this cookie, but sites can disable the Troll Management addon.

vf-%-sid

This is a "session" cookie (sid = session ID). The value maps to a row in Vanilla's Session table. This table is used to temporarily store information for a user. Typically, this cookie is created as part of an SSO sign-in (although it can also make an appearance when users initiate the "forgot my password" workflow). Depending on the SSO method, Vanilla might need to "remember" some initial values to complete sign-in, after the user is redirected back to the site from the authentication provider.
Users cannot opt out of this cookie.

vf_hub_ENDTX

This cookie serves the same purpose as vf_[your-site]_% When a user is logged in to a site that is part of a hub/node setup, this cookie is set so that the various nodes "know" that you are logged into the hub.
Users cannot opt out of this cookie.

vf_node_ENDTX

This replaces the vf_[your-site]_% on any of the nodes of a hub/node setup. All the variations of this cookie are listed above: vf_node_ENDTX-vA, vf_node_ENDTX-tk, vf_node_ENDTX-vV.
Users cannot opt out of this cookie.

__cfduid

Cloudflare uses two cookies, both named __cfduid. These live on:
- .v-cdn.net
- Yourforums.vanillacommunities.com
These are used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.
For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any PII.
Users cannot opt out of this cookie.

__cfruid -

Another Cloudflare cookie related to rate-limiting.
This cookie ensures that different users on the same network (sharing the same IP) doing requests to rate-limited URLs won't be counted as one user in order to avoid rate-limiting issues.
Users cannot opt out of this cookie.