CookieUsage
Various jurisdictions now require, at a minimum, that any cookies set/used by a service be documented. This page describes the various cookies used by the SP software. The SP itself provides no explicit tools for obtaining consent from users for the use of any of them; that is the responsbility of the site using the software.
The names of the various cookies are not documented and are not part of the public API of the software. They can and will change between releases.
Sessions
Whenever a client successfully logs into the SP with a supported protocol, a cookie specific to that user's session is set and used to associate the rest of that session's requests back to the user's login information. The cookie itself contains an opaque, pseudo-random value and no other information. It is a session-bounded cookie, although in many browsers today, session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
Session Recovery
An optional feature, off by default, exists to preserve session and limited attribute state on the client to allow sessions to migrate between servers. The data is encrypted under a key held by the SP servers and can be rotated regularly. Access to the key would allow complete recovery of possibly sensitive PII from the cookie. It is a session-bounded cookie, although in many browsers today, session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
Relay State
When a client interacts with a protected resource and a request is generated for an IdP, the resource that the client requested MAY be stored in a session cookie with a pseudo-random name. No personal information is included. In recent versions, the use of a cookie for this purpose is no longer the default, but it may be re-enabled and is found in many older configurations. It is a session-bounded cookie, although in many browsers today session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
Message Correlation 3.1
A cookie is used to record request identifiers in order to support enforcing response correlation and blocking of unsolicited responses. It is a session-bounded cookie, although in many browsers today session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
Form POST State
An optional feature, off by default, exists to preserve form submission data to a protected location if the SP has to interrupt the submission with a request to an IdP. If enabled, the data itself is stored on the server, but a pseudo-random key to identify it is stored in a cookie. No personal information is included in the cookie itself. It is a session-bounded cookie, although in many browsers today, session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
IdP History
The only persistent cookie the SP uses is an optional, off by default, cookie that tracks the set of Identity Providers used by a client to login to the SP. The IdPs are identified by "entityID" and no personal information is included.
Cookie Scope and Properties
The SP uses a setting called cookieProps
 that controls the properties used in the creation of all of the cookies it sets. In particular, whether the cookie is limited to https requests, the domain and path, and other properties such as the HttpOnly flag can be set by the deployer and so will vary between sites. However, by default in the latest version, the cookies are scoped to the fully-qualified host, with a path of "/" (the whole host), and the HttpOnly flag set. They are not marked "secure" by default due to the prevalence of testing done without https, but this is a recommended change.