Login Page Cookies

Cookies are a critical part of web applications.

When you call certain APIs, such as the Login API, cookies may be set. Such cookies are specified in the API documentation.

When you use the hosted login pages, the hosted backend or interact with the APIs, FusionAuth uses cookies to enable functionality.

Domains

The domain of all cookies is the domain on which the FusionAuth instance is running. You can control the domain FusionAuth uses by setting up a proxy.

In other words, if FusionAuth serves requests at auth.piedpiper.com, it will only set cookies for that exact host, auth.piedpiper.com. It will never set cookies for the parent domain .piedpiper.com. The ability to control the domain of the cookie set is an open feature request.

Additionally, most cookies set by FusionAuth will use the SameSite value of Strict or Lax. This is to protect against Cross-Site Request Forgery (CSRF). Practically, it means a browser will withhold those cookies from cross-site requests: with Lax the cookie is sent only when the browser performs a top-level navigation to FusionAuth from an external site (for example, following a link), and with Strict it is not sent even then. In neither case is the cookie sent with embedded or subresource requests from another origin, which is something to consider if you intend to access FusionAuth from a different domain using something like an IFRAME.
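The two properties described above (cookies scoped to the exact host FusionAuth serves, and a SameSite value of Strict or Lax) can be checked from the Set-Cookie headers a browser or HTTP client receives. The following is an added example, not code from FusionAuth or this documentation; the header values in it are constructed for illustration and the host name auth.piedpiper.com is taken from the text above. The audit also derives the Session/Persistent distinction used in the cookie table below from the Max-Age and Expires attributes.

```python
"""Audit Set-Cookie headers against the cookie scoping rules described above.

Added example, not FusionAuth code. Checks that each cookie is scoped no wider
than the serving host, carries SameSite=Strict or SameSite=Lax, and is marked
Secure. The sample headers are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed sample headers (hypothetical values, not captured from a real
# instance). The third one deliberately violates the expectations.
SAMPLE_HEADERS = [
    "fusionauth.sso=abc123; Path=/; Domain=auth.piedpiper.com; Secure; HttpOnly; "
    "SameSite=Lax; Max-Age=2592000",
    "fusionauth.csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict",
    "app.at=eyJ-constructed; Path=/; Domain=.piedpiper.com; Secure; SameSite=None",
    "fusionauth.locale=en_US; Path=/; Secure; SameSite=Lax",
]

# The host the instance serves requests on (from the text above).
EXPECTED_HOST = "auth.piedpiper.com"


@dataclass
class Cookie:
    name: str
    value: str
    # Lower-cased attribute name -> value; flag attributes (Secure, HttpOnly)
    # are stored with an empty string as their value.
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def cookie_kind(cookie: Cookie) -> str:
    """Session cookies carry neither Max-Age nor Expires; the rest persist.
    The 'Request' type used in the table below is application behaviour and
    cannot be inferred from the header attributes."""
    return "Persistent" if ("max-age" in cookie.attrs or "expires" in cookie.attrs) else "Session"


def audit(header: str, expected_host: str) -> list:
    """Return a list of findings for one Set-Cookie header (empty means OK)."""
    c = parse_set_cookie(header)
    findings = []
    if "domain" in c.attrs:
        # Omitting Domain gives a host-only cookie, the tightest scope. Any
        # Domain attribute also covers subdomains, and a value other than the
        # serving host (e.g. .piedpiper.com) exposes the cookie to sibling hosts.
        domain = c.attrs["domain"].lower().lstrip(".")
        if domain != expected_host.lower():
            findings.append(f"{c.name}: Domain={c.attrs['domain']} is wider than {expected_host}")
    samesite = c.attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        shown = c.attrs.get("samesite", "missing")
        findings.append(f"{c.name}: SameSite is {shown}, expected Strict or Lax")
    if "secure" not in c.attrs:
        findings.append(f"{c.name}: missing Secure attribute")
    return findings


def audit_all(headers, expected_host: str) -> dict:
    """Map each cookie name to its findings and kind for a whole response."""
    report = {}
    for header in headers:
        c = parse_set_cookie(header)
        report[c.name] = {"kind": cookie_kind(c), "findings": audit(header, expected_host)}
    return report


if __name__ == "__main__":
    for name, entry in audit_all(SAMPLE_HEADERS, EXPECTED_HOST).items():
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"{name:20} {entry['kind']:10} {status}")
```

Run it against headers copied from your own instance (for example from the browser's network inspector) by replacing SAMPLE_HEADERS; any cookie reported with a wider Domain or a SameSite value other than Strict or Lax is worth a second look before relying on it for cross-site isolation.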

Cookies set by the hosted login pages are displayed here for informational purposes only. The name, type and description of each cookie are subject to change.

| Name | Type | Description |
|---|---|---|
| access_token | Session | The access token. Set by the login API. |
| app.at | Persistent | The access token. Set by the hosted backend. |
| app.at_exp | Persistent | The access token expiration. Set by the hosted backend. |
| app.idt | Persistent | The Id token. Set by the hosted backend. |
| app.pkce_v | Persistent | The PKCE verifier. Set by the hosted backend. |
| app.rt | Persistent | The refresh token. Set by the hosted backend. |
| fa.bypass-c | Session | Implements security functionality. |
| fa.bypass-c.csrf | Session | Implements security functionality. |
| federated.csrf | Session | Implements security functionality. |
| fusionauth.app.pkce-verifier | Request | Used to support Proof Key for Code Exchange during login. |
| fusionauth.csrf | Session | Implements security functionality. |
| fusionauth.flash-message | Request | Used to display a message across requests. |
| fusionauth.known-device.* | Persistent | Identifies a device known to FusionAuth. More than one cookie may be set. |
| fusionauth.li | Session | Used to support post-authentication steps during login. |
| fusionauth.locale | Persistent | The locale used to localize the themed pages. |
| fusionauth.pkce-verifier | Request | Implements security functionality. |
| fusionauth.remember-device | Persistent | Records whether the user wants to remain logged in on this device. |
| fusionauth.sso | Persistent | Represents a single sign-on session. |
| fusionauth.timezone | Persistent | The configured or approximated timezone used to adjust displayed dates and times. |
| fusionauth.trust | Persistent | Allows an MFA challenge to be bypassed during login. |
| fusionauth.trust_c | Request | Implements security functionality. |
| fusionauth.trust_t | Request | Implements security functionality. |
| fusionauth.trusted-device.* | Persistent | Identifies a trusted device. More than one cookie may be set. |
| fusionauth.webauthn-reauth.* | Persistent | Records user choices about WebAuthn and passkeys. More than one cookie may be set. |
| refresh_token | Persistent | The refresh token when the login API is used. |
| saml.csrf | Session | Implements security functionality. |