Cookie usage

Content Hub utilizes browser cookies to make user interactions more secure. The following table lists the different cookies used by Content Hub:

| Cookie name | Scope | Description |
|---|---|---|
| .AspNetCore.Identity.Application | Authentication | Used for user authentication. This cookie can be configured under Settings > Authentication by updating the CookieName and CookieDomain properties. |
| Identity.External | Authentication (SSO) | Used for external user authentication (SSO). Internal user authentication (without SSO) doesn't use this cookie. |
| __xRequestedBy | Security (antiforgery) | Used as a security measure to prevent cross-site request forgery attacks (CSRF). |

Cookie data

These cookies contain minimal, encrypted information about the logged-in user, such as the user ID and the username.

Cookie security

To avoid third parties tampering with these cookies, Content Hub sets the Secure and HttpOnly flags. With the Secure flag, cookies are only sent over secure HTTPS connections. The HttpOnly flag prevents JavaScript from accessing the cookie, providing an extra protection layer against XSS attacks (cross-site scripting).

SameSite compatibility

Content Hub supports the 2019 draft standard for SameSite released in December 2019. The following section explains the compatibility issues caused by the new standard and how Content Hub handles them.

The latest updates by Chrome regarding cookies introduced two main changes:

  • Treat the lack of an explicit SameSite attribute as SameSite=Lax.
  • Require the Secure attribute to be set for any cookie which asserts SameSite=None.

This new SameSite policy is a breaking change, as it modifies the default behavior of cookies when the SameSite attribute is not specified (Lax for browsers adopting the new standard, None for the other ones), causing inconsistencies among browsers.


For more information about SameSite cookies, please see SameSite cookies explained.

To work around this compatibility issue, Content Hub introduced a middleware component that checks the browser being used and that all cookie headers have the correct values. This is based on a SameSiteCompatibility setting that can be configured under Settings > Authentication > SameSiteCompatibility:

    "user_agent_patterns": [
        "(CPU iPhone OS 12|iPad; CPU OS 12)",
        "^(?=.*\\bMacintosh; Intel Mac OS X 10_14\\b)(?=.*\\bVersion/\\b)(?=.*\\bSafari\\b).*$"
    ]

The user_agent_patterns property specifies the browsers (user-agent patterns) that are not compatible with the new SameSite standard.
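The check described above, as an added Python example that is not Content Hub's own middleware code: it matches the request's User-Agent against the two patterns from the setting and adjusts `Set-Cookie` values accordingly. The rewrite policy, the function names, the cookie values and the sample user agents are assumptions constructed for illustration.

```python
import re

# Patterns from the SameSiteCompatibility setting on this page (as raw strings).
USER_AGENT_PATTERNS = [
    r"(CPU iPhone OS 12|iPad; CPU OS 12)",
    r"^(?=.*\bMacintosh; Intel Mac OS X 10_14\b)(?=.*\bVersion/\b)(?=.*\bSafari\b).*$",
]
_COMPILED = [re.compile(p) for p in USER_AGENT_PATTERNS]

# Constructed sample user agents (not captured traffic).
UA_IOS12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")
UA_MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.0 Safari/605.1.15")
UA_MAC_CHROME = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")


def is_incompatible(user_agent):
    """True when the user agent matches one of the configured patterns."""
    return any(p.search(user_agent or "") for p in _COMPILED)


def fix_set_cookie(header, user_agent):
    """Adjust one Set-Cookie value for the requesting browser.

    Assumed policy (hypothetical, not Content Hub's code): an incompatible
    browser gets no SameSite attribute; any other browser gets Secure added
    to a cookie that asserts SameSite=None.
    """
    pair, *attrs = [p.strip() for p in header.split(";") if p.strip()]
    names = [a.split("=", 1)[0].strip().lower() for a in attrs]
    values = [a.split("=", 1)[1].strip().lower() if "=" in a else "" for a in attrs]
    if ("samesite", "none") not in zip(names, values):
        return "; ".join([pair, *attrs])  # nothing to reconcile
    if is_incompatible(user_agent):
        # Drop the attribute so the browser falls back to its own default.
        attrs = [a for a, n in zip(attrs, names) if n != "samesite"]
    elif "secure" not in names:
        # SameSite=None is rejected without Secure under the new policy.
        attrs.append("Secure")
    return "; ".join([pair, *attrs])
```

Because `_` counts as a word character, `\b` does not match between `10_14` and a following `_6`, so a user agent that reports `Mac OS X 10_14_6` is not matched by the second pattern as written. Test the configured patterns against the user agents your users actually send.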
