Product IAM version 2 | Cookie Information

Updated: June 29, 2023

Cookie Information

Cookies are small text files placed on your computer by the websites/application that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site/application.

The use of cookies is now standard for most websites. If you are uncomfortable with the use of cookies, you can normally manage and control them through your browser settings, including removing cookies by deleting them from your 'browser history' (cache) when you leave the site/application.

The cookies used in this service are essential cookies from Microsoft, the authentication service provider.

Types of cookie:

During authentication through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests. Other cookies are used for specific authentication flows or specific client-side conditions.

Persistent session tokens are stored as persistent cookies on the web browser's cookie jar. Non-persistent session tokens are stored as session cookies on the web browser, and are destroyed when the browser session is closed.

Cookies Placed on Product IAM

The following table explains the cookies we place on this application.

Cookie Name	Purpose	Type	Expires or Max Age
brcap	Client-side cookie (set by JavaScript) to validate client/web browser's touch capabilities.	Persistent	90 days
buid	Tracks browser related information. Used for service telemetry and protection mechanisms.	Persistent	90 days
CCState	Contains session information state	Persistent	90 days
ch	ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent.	Persistent	90 days
clrc	Client-side cookie (set by JavaScript) to control local cached sessions on the client.	Persistent	90 days
esctx	Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser	Session	Entire Session
ESTSAUTH	Contains user's session information to facilitate SSO. Transient.	Session	Entire Session
ESTSAUTH LIGHT	Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature.	Session	Entire Session
ESTSAUTH PERSISTENT	Contains user's session information to facilitate SSO. Persistent.	Persistent	90 days
ESTSSC	Legacy cookie containing session count information no longer used	Persistent	90 days
ESTS SSOTILES	Tracks session sign-out. When present and not expired, with value "ESTSSSOTILES=1", it will interrupt SSO, for specific SSO authentication model, and will present tiles for user account selection.	Persistent	90 days
fpc	Tracks browser related information. Used for tracking requests and throttling.	Persistent	90 days
MSFPC	This cookie is not specific to any ESTS flow, but is sometimes present. It applies to all Microsoft Sites (when accepted by users). Identifies unique web browsers visiting Microsoft sites. It's used for advertising, site analytics, and other operational purposes.	Persistent	90 days
SignInState Cookie	Contains list of services accessed to facilitate sign-out. No user information. Security feature.	Session	Entire Session
stsservice cookie	Cookie used for tracking purposes	Session	Entire Session
wlidperf	Client-side cookie (set by JavaScript) that tracks local time for performance purposes.	Persistent	90 days
x-ms-cpim-cache	Used for maintaining the request state.	Session	Entire Session
x-ms-cpim-csrf	Cross-Site Request Forgery token used for CRSF protection.	Session	Entire Session
x-ms-cpim-sso	Used for maintaining the SSO session. This cookie is set as persistent, when Keep Me Signed In is enabled.	Session	Entire Session
x-ms-cpim-trans	Used for tracking the transactions (number of authentication requests) and the current transaction.	Session	Entire Session
x-ms-gateway-slice	Cookie used for tracking and load balance purposes.	Session	Entire Session
x-ms-Refresh TokenCredential	Available when Primary Refresh Token (PRT) is in use.	Session	Entire Session