Khoros Cookies Datasheet (Communities, Care, and Marketing)

7 Kudos

Cookies are small data files stored in web browsers to track usage and enable useful services and features on Khoros Communities. This document provides information on the standard cookies set by Khoros Communities and how to reject or delete those cookies should users choose to do so. Understand that restricting cookies can have an adverse impact on the functionality and the online user experience on the Community.

We classify the cookies typically found on Khoros communities into the four broad categories described below.

Type	Classification	Description	Example
1	Strictly necessary	These cookies are necessary for the proper functioning of the community, such as tracking a user session, or accessing secure areas.	Session cookie used to pin a logged-in session to a browser
2	Performance	The information these cookies collect is anonymous and is used to collect aggregate data including information about the pages users visit.	Cookies delivered by Omniture WebAnalytics and Google Analytics for purposes of aggregate reporting
3	Functional	These cookies allow websites to remember preferences and settings, such as your username, language, region, font size, and so on.	Cookie used to hold a user’s username as part of a “remember me” feature
4	Tracking, targeting and sharing	These cookies remember that you've visited a website, a particular web page, and/or track your activities on the site. This information is sometimes shared with third party advertisers for serving targeted online advertising or other personalized content.	Cookies used to track visitor activity on an individual basis can be used by Khoros or its third party business partners to serve personalized content, and/or later aggregated and used to analyze website traffic and trends.

How to control cookies

Some cookies are necessary for the proper operation of the Community and disabling or removing them may have an adverse impact on the proper functioning and user experience. However, users may choose to view, block, or remove cookies set by Khoros Community through their web browser settings (or any website cookies for that matter). Consult the help feature for your specific browser to find how. Here are some useful links for your convenience.

Also, you may choose to consult an external and independent third party website such as AboutCookies.org or www.youronlinechoices.eu/ if you are in the European Union which provides comprehensive information on a variety of browsers and how to control or change their respective privacy settings.

Cookies used by Khoros

The following standard cookies are used by:

Khoros Communities
Community Analytics
Khoros Care
Khoros Marketing
CX Insights
Khoros Bot
Atlas

Turning off or removing these cookies may have an adverse impact on the proper functioning and user experience on the Community.

Khoros Communities cookies

Cookie Name	Type	Description and Purpose	Expiration Time/Type	If removed, disabled, or not accepted
AWSALB	1	AWS sticky session cookie required for load balancer routing. See this document for further information.	Request	Sticky session won't work and some functionality will break.
AWSALBCORS	1	For continued stickiness support with CORS use cases after the Chromium update, we are creating additional stickiness cookies for each of these duration-based stickiness features named AWSALBCORS (ALB). See https://forums.aws.amazon.com/ann.jspa?annID=7413 for further information.	Request
_ga	2	Distinguishes users using a unique ID. It is used by Google Analytics to calculate visitor, session, and campaign data. By default, the configuration setting that sets this cookie is disabled. File a Support ticket to request enablement.	2 years (persistent)	Visitor and session data will not be tracked and will not be available to Google Analytics
!lithiumSSO:{client_id}	1	Used for passing authentication information to Khoros This cookie is a cancel cookie. Khoros sets this cookie so that we don't re-read the original lithiumSSO cookie set with SSO.	session	SSO will not be functional for the user
LiSESSIONID	1	Session management	session	User cannot log in, and is treated as an anonymous user
lia.anon.{setting or config name}	3	Stores community-wide configurations and settings for anonymous users	1 year (persistent)	Community behavior will follow defaults and any UI convenience changes made by the user will be ignored.
liSdkOptions:{communityId}	3	Dropped when a Studio user navigates to Studio > Advanced > SDK and clicks Submit after checking the View as anonymous checkbox. The cookie allows developers to sign out of the community but still have it find the URL to use for rendering a skin that is hosted via the Community Plugin SDK. This cookie is used only on stage sites.	1 month or when the View as anonymous checkbox is unselected	The community will serve the URL for the skin set on the stage site instead of the URL to the locally hosted skin (so local SASS development will not work when the user is signed out)
lithium.anonymous. usersetting.{setting name}	3	Remembers user preferences	1 year (persistent)	The community will not remember the user’s setting preferences
lithium.anonymous. usersetting.profile. language	3	Remembers language preferences	1 year (persistent)	The community will not remember the user’s language preferences. The language will default to the native language defined for the community.
lithiumLogin:{community id}	3	Keeps users logged in when they make a request after their session has expired. It is triggered when a user checks Save login name and password. The cookie is encrypted and includes a unique user secure ID in the database.	30 days (persistent)	The "auto login" and "remember me" features will not work
LithiumNotifications	3	Temporarily stores Realtime Notification messages (Toast messages)	session	Realtime notification toasts may not appear (pop-up) after a page transition.
LithiumUserInfo	1	Session management	session	The user will not be able to view secure pages and will be redirected to the login page
LithiumUserSecure	1	Secure Session management	session	The user will not be able to view secure pages and will be redirected to the login page.
LithiumVisitor	1	Replaces VISITOR_BEACON. Khoros currently uses both for backward compatibility. This cookie computes billing visits, registered billing visits, visits, registered visits, and unique visitors metrics. The cookie is encrypted and stores when it was first issued, when it was last seen by Khoros, an unique visitor ID (which is unique per visitor’s browser).	Configurable (Default = 10 years) Note: To change the default value, contact Khoros Support.	Visits and unique visitors metrics will not be accurate. There will be a new billable visit on each new request. Customers on billing visits model will be affected.
P{poll_id}U{user_id}R{reset_count}	3	Tracks when a user has voted in a poll and tracks the answer value. The cookie is used to prevent a user from voting multiple times in a single poll. The cookie is only placed if Use cookies to prevent multiple votes is enabled in Community Admin.	1,000000+ days (persistent)	If the user is an anonymous user, the user will be able to vote multiple times when the cookie is cleared. If the user is logged in, votes, and then clears the cookie, they are not allowed to revote.
PushyAuthToken	1	Authenticates the user for a session with Realtime Notifications service (Pushy)	Manually cleared when the user logs out or when their session expires due to inactivity	WebSocket connections to the Realtime Notification service will fail with a 403 Forbidden error and the user will not see realtime notifications.
VISITOR_BEACON	1	Computes billing visits, registered billing visits, visits, registered visits, and unique visitors metrics. The cookie is encrypted and stores, when it was first issued, when it was last seen by Khoros, the user ID, and its own unique ID.	Configurable (Default = 10 years) Note: To change the default value, contact Khoros Support.	Visits and unique visitors metrics will not be accurate. There will be a new billable visit on each new request. Customers on billing visits model will be affected.
VISITORID	1	Distinguishes between human and bot traffic	3 years (session)	Defeats the bot detection mechanism. (May see increased spam on the community.)
ValueSurveyParticipation	3	Stores a timestamp storing the creation time of this cookie, which is used in value survey trigger logic.	Default is 90 days. Configurable in Community Admin	The user will get multiple prompts to take a survey
ValueSurveyVisitorCount	3	Stores the survey visit count of the user, which is used in logic that determines when a survey is triggered. This cookie is used in conjunction with the ValueSurveyParticipation cookie. When the ValueSurveyParticiation is set, the count for ValueSurveyVisitorCount cookie is reset to 0.	Expires when the ValueSurveyParticipation cookie is either set or expires	The user will not be prompted to take a survey until the count defined in the Delay before prompting user with survey field in Community Admin > Features > Value Surveys > Settings is met.
LithiumCookiesAccepted	1	Stores the information of whether the user has given the explicit consent by clicking "Accept" on the cookie banner to drop Type 2, Type 3 & Type 4 cookies. This cookie will store '1' if the user has explicitly clicked "Accept" in the cookie banner and store '2' if user clicked "Reject".	Ten years (persistent). This cookie is not session specific and will be maintained across sessions.	This cookie is not governed by any separate config or setting. Hence it cannot be disabled. But if removed from the browser, the cookie banner will appear again and type 2, type 3 & type 4 cookies will not be dropped unless the user clicks on "Accept" again
_pendo_meta.*	4	Cookie is used by Communities to show in-app feature guides in the "Community Admin" section	Persistent	None
_pendo_accountId.*	4	Cookie is used by Communities to show in-app feature guides in the "Community Admin" section	Persistent	None
_pendo_visitorId.*	4	Cookie is used by Communities to show in-app feature guides in the "Community Admin" section	Persistent	None
mPulse	2	mPulse enables real-time performance monitoring and analysis of the community and helps improve over...	7 days	The mPulse tools and dashboards from within Akamai will no longer contain the relevant real user measurement data.
JSESSIONID	2	Cookie is used to store a session identifier in order to monitor session counts for a community inst...	Session	Session data would be missing from New Relic, which could lead to difficulty in identifying and solving performance related issues with a community instance.

Community Analytics cookies

Cookie Name	Type	Description and Purpose	Expiration Time/Type	If removed, disabled, or not accepted
SIP\|ws	3	Tracks the workspace to redirect to after a session timeout	1 day
All Khoros Community cookies also apply to Community Analytics

Khoros Care cookies

Cookie Name	Type	Description and Purpose	Expiration Time/Type	If removed, disabled, or not accepted
X-TOKEN-ID	1	Protects against cross-site scripting	Session	This is a security token. It is critical for the application to run
PLAY_SESSION	1	This is the main session cookie	Session	This is the main session cookie. It is critical for the application to run
__sdx_page	3	Stores the user’s current application tab	14 days	When a user reloads the page, the user is redirected to the default tab instead of to the last tab used in the application
PLAY_LANG	3	Retrieves the user’s language	14 days	This is used only when LSW cannot detect the browser language and a user has no language set
Khoros Care Analytics cookies
Cookie Name	Type	Description and Purpose	Expiration Time/Type	If removed, disabled, or not accepted
XSessionID	1	This is the main session cookie	24 hours	This is the main session cookie. It is critical for the application to run
JSESSIONID	3	This is an auto-generated JSP cookie	Session	The application does not rely on this cookie but uses the cookie occasionally to auto-generate UUIDs
Care Publisher cookies
Cookie Name	Type	Description and Purpose	Expiration Time/Type	If removed, disabled, or not accepted
TOCOMA-CID	1	The user’s main session cookie	Expires when the browser session ends	The application will not run

Khoros Marketing cookies

In addition to the _ga cookie used by Khoros Communities (see the “Khoros Communities cookies” chart above), Khoros Marketing also uses the following cookies:

Note: Khoros Experiences customers can set additional cookies on websites where they publish visualizations created by the Khoros product, in addition to the standard cookies disclosed below. These cookies are set by social networks when a user signed in to the social network visits the website.

Description and Purpose	Cookie Name	Type	Expiration Time/Type	Consequence if removed, disabled, or not accepted
sf-ui.login.spredfast.com	3 - Functional	Expanded user auth info	Persistent	None
sfauth-login.spredfast.com	1 - Strictly necessary	User Auth Info	12 hours	Users cannot use the products
sfjwt-login.spredfast.com	1 - Strictly necessary	User Auth Info	12 hours	Users cannot use the products
sfcsrf-login.spredfast.com	1 - Strictly necessary	Cross-site request protection	12 hours	Users cannot use the products
sfsig-login.spredfast.com	1 - Strictly necessary	User Auth Info signature	12 hours	Users cannot use the products
_ga	2- Functional	Google Analytics - Used to distinguish users.	2 years	None
_gid	2- Functional	Google Analytics - Used to distinguish users.	24 hours	None
_gat	2- Functional	Google Analytics - Used to throttle request rate. If Google Analytics is deployed via Google Tag Man...	1 minute	None
_pendo_accountId.*	4 - Tracking, targeting and sharing	Cookie is used by marketing software for user analytics	Persistent	None
_pendo_meta.*	4 - Tracking, targeting and sharing	Cookie is used by marketing software for user analytics	Persistent	None
_pendo_visitorId.*	4 - Tracking, targeting and sharing	Cookie is used by marketing software for user analytics	Persistent	None
PHPSESSID	1 - Strictly necessary	Only contain a reference to a session stored on the web server. No information is stored in the user's browser and this cookie can only be used by the current web site.	Session	Users cannot use the product
csrf_token	1 - Strictly necessary	Cross-site request protection	Session	Users cannot use the product
campaignTab	3 - Functional	Used to track and restore last tab in Initiative Settings	Session	None
_tweetriver_session	1 - Strictly necessary	Only contain a reference to a session stored on the web server. No information is stored in the user's browser and this cookie can only be used by the current web site.	24 hours	Users cannot use the product
_tweetriver_session	1 - Strictly necessary	Only contain a reference to a session stored on the web server. No information is stored in the user's browser and this cookie can only be used by the current web site.	24 hours	Users cannot use the product
mr_inst_token	3 - Functional	Allows users to like an Instagram status from Vizzes	Session	Users cannot like an Instagram status from Vizzes
mr_pauth_t	1 - Strictly necessary	Redirects the user after photo share	Session	User will not be redirected after sharing a photo
poll-user-id	3 - Functional	Tracks a random user id for submitting to a poll (so repeat votes can be tracked).	Session	Duplicate poll votes cannot be tracked.
redirectToOldModeration	3 - Functional	Redirects the user to old stream moderation tool	Session	May be deprecated or non-functioning at this time

CX Insights cookies

Khoros CX Insights is a comprehensive customer experience analysis platform that ingests data from any source: owned or public, structured or unstructured, voice or text, and transforms that disparate data into a single set of insights that any team can use to improve the customer experience. CX Insights organizes and enhances data from any customer interaction with customizable learning algorithms and speech analytics that enable CX leaders to drive continuous improvement across their organization. In addition to the AWSALBCO and AWSALB cookies used by Khoros Communities (see the “Khoros Communities cookies” chart above), CX Insights also uses the following cookies:

Cookie Name	Type	Description and Purpose	Expiration Time/Type	Consequence if removed, disabled, or not accepted
returnTo	3	Tracks the url to return to on future login	5 minutes	User will always be returned to the default page after login
token	3	authentication token	15 minutes	The application will not function
expiration	3	token used to communicate with client side for remaining time until forced logout	15 minutes	The application will not function
error-data	3	contains information for responding to server errors	no expiration	Decreased functionality regarding error reporting
connect.sid	1	Hold users serverside session for the web application	15 minutes	Reporting feature will not function
qlikmetricsld	1	Tracks metrics selected within reporting visualizations	Session	Reporting feature will not function
X-Qlik-Session-SAML	1	SAML session token for BI feature	Session	Reporting feature will not function

Customer and third-party cookies on Khoros communities

Khoros customers may set additional cookies on Khoros Community in addition to the standard cookies disclosed above. These cookies are set and controlled by Khoros customers and their affiliates for various purposes such as website usage tracking (very common practice) and targeting for surveys or advertising in some cases. Khoros does not control the dissemination of such cookies. If you need more information on which additional cookies are set on the Community you are visiting, visit the community’s privacy section. You may also wish to review the How to control cookies section to view, remove, or block certain cookies. Note that disabling or removing cookies may have an adverse impact on the proper functioning of the community, and certain features may become disabled or unavailable.

Cookies set by third-party and external sites

Communities may contain embedded images, videos, and links to external and third-party websites. Khoros customers may also include syndicated content on their communities such as banner ads and similar embedded objects from their affiliates and partners. As a result, when you click on such an object you may be presented with cookies from the owner of that respective website where the content is hosted. Khoros does not control the dissemination of such cookies. Contact the relevant third party website for their privacy policy and cookie information. Note that disabling or removing cookies may have an adverse impact on the proper functioning of the community, and certain features may become disabled or unavailable.

Khoros Bot Cookies

Khoros recently acquired Flow.ai which provides Intent Detection and Suggested Responses in Enterprise Architecture and uses the following cookies in the provided cookie bar when accepted by the website visitor:

Cookie Name	Location	Description	Type
Cloudfire	Dashboard	The cookie is used by CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	Strictly necessary
Google Analytics	Dashboard	The cookie is used by Google analytics to calculate visitor, session, campaign data, user interaction with the website and keep track of site usage for the site''s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.	Performance
Stripe	Dashboard	This cookie is used to enable payment on the website without storing any payment information on a server.	Strictly necessary

Atlas cookies

In addition to the AWSALBCO, AWSALB, _ga, LiSESSIONID, LithiumVisitor and VISITOR_BEACON cookies used by Khoros Communities (see the “Khoros Communities cookies” chart above) Khoros Atlas Community also uses the following cookies:

Cookie Name	Type	Description and Purpose	Expiration Time/Type
__cfduid	Necessary	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	1 month
_hjFirstSeen	Analytics	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.	30 minutes
_gat_UA-134360776-2	Other	No description	1 minute
_gat_UA-134360776-3	Other	No description	1 minute
_hjTLDTest	Other	No description	session
_hjid	Other	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.	1 year
Munchkin Javascript Tracking API	4	Tracking of end-user page visits. Tracking of clicks to specific landing pages and external web pages.	720 days, and we're currently supporting Do Not Track functionality

Contact Khoros

For Privacy related requests email privacy [at] khoros [dot] com. Use a secure communication method such as PGP or SMIME for sharing sensitive information.
Find Khoros's Privacy Policy at http://www.lithium.com/privacy.
For Security related requests email security [at] khoros [dot] com. Use a secure communication method such as PGP or SMIME for sharing sensitive information.
Read about our Security Testing and Reporting Policy at https://www.lithium.com/security.
For sales related and general inquiries, contact your designated Account Manager or visit our website at http://www.lithium.com

luk · ‎10-02-2018

@SuzieH Do you know if the

lithium.anonymous.usersetting.<setting.name>

cookie is still used by the current version of Lithium or if all the setting cookies for anonymous users were moved/migrated to

lia.anon.<setting.name>

cookies?

If both variations are still in use, could you elaborate on the difference and how/when/where they would be created (e.g. what action of an anonymous user would trigger cookie creation)?

It furthermore seems, that certain URL parameters seem to trigger some action that will then create cookie(s), but not always, for example:

https://<community>.tld?profile.language=fr

will create a cookie

lia.anon.profile.language (with value "fr")

if the value in the URL param is changed, the value will change in the cookie as well, BUT ONLY when not logged in / anonymous. We discovered this, because we had very strange behaviour in a multi language community. When users log out (which is when that cookie kicks in) and they have been in another language part of the community before they logged in, they will stay in the section of the community the logged out from, but their UI will change to the language of the community section they have visited before logging in, resulting in a mix of languages.

The question is: Is it a general "feature" that global settings for anonymous users can be set via URL parameters (that will then be saved into cookie values) or is this a bug or some other sort of functionality I'm not aware of?

Also, when does the cookie writing happen, the code handling it seems to run AFTER the page init script and therefore overrides any language specific logic that is performed there.

Third, is there a possibility (probably trough support) to enable/disable that cookie setting logic for certain settings?

CeliaB · ‎10-02-2018

Hi! I have forwarded your questions to Rahul Hari in product management for response.

luk · ‎10-02-2018

@CeliaB thank you!

Lindsey · ‎11-06-2019

Where is the configuration setting that sets the _ga cookie?

luk · ‎11-13-2019

@Lindsey don't expect to many answers here...see my question above from last year^^

SuzieH · ‎11-13-2019

Hi @luk. I didn't see that @RahulHa never got back to you. Let me see what I can do. @Lindsey I'm also going to try to track down your answer as well.

Lindsey · ‎11-13-2019

Thank you! @SuzieH

SuzieH · ‎11-13-2019

Hi @Lindsey. The configuration setting that enables the _ga cookie is an internal config that must be enabled by Khoros Support. Please file a Support ticket and request that they enable the GoogleAnalytics config for your community.

Lindsey · ‎11-13-2019

@SuzieH ok, I figured it might be internal since I could not find it anywhere. Thank you!

SuzieH · ‎11-14-2019

@luk You probably no longer need this, but here is what Engineering replied with regarding lithium.anonymous.usersetting.<setting.name>. Hopefully, the information will be useful to someone in the future.

Do you know if the "lithium.anonymous.usersetting.<setting.name>" cookie is still used by the current version of Lithium or if all the setting cookies for anonymous users were moved/migrated to "ia.anon.<setting.name>"cookies?

Community honours only “lia.anon.*”

Default set of settings allowed with the above cookie -

0 = "community.browser_support_alert_dismissed"

1 = "config.search_auto_complete_enable"

2 = "integratedprofile.cta_add_topics_dismissal_timestamp"

3 = "integratedprofile.cta_connect_slim_dismissal_timestamp"

4 = "integratedprofile.cta_connect_wide_dismissal_timestamp"

5 = "integratedprofile.cta_manage_topics_dismissal_timestamp"

6 = "integratedprofile.cta_personalized_feed_dismissal_timestamp"

7 = "integratedprofile.my_interests_dismissal_timestamp"

8 = "layout.linear_in_thread_sort"

9 = "layout.threading_order"

10 = "p13n.cta.recommendations_feed_dismissal_timestamp"

11 = "profile.enable_search_before_post"

12 = "profile.kudos_giver_leaderboard_time"

13 = "profile.kudos_message_leaderboard_time"

14 = "profile.kudos_user_leaderboard_time"

15 = "profile.language"

16 = "profile.stream_discussion_style"

17 = "profile.stream_display_type"

18 = "profile.stream_sort_order"

19 = "profile.url_homepage"

Is it a general "feature" that global settings for anonymous users can be set via URL parameters (that will then be saved into cookie values) or is this a bug or some other sort of functionality I'm not aware of?

It is a general feature, enabled by default through an internal config. This is enabled by default, but it can be changed via a Support ticket.

is there a possibility (probably trough support) to enable/disable that cookie setting logic for certain settings?

It is either completely enabled or disabled; individual cookie configs aren’t available

STARFLEET · ‎01-30-2020

Hi guys,

although i have already created a dedicated support ticket, i guess this could be also relevant for the community:

We are facing issues in regards to the "Share"-Button of Khoros. As you might already know, Khoros is using AddThis functionality for sharing articles and posts.

AddThis already updated there solution in regards to being compliant with the GDPR ruleset and once a user is clicking they explicit consent of a user is asked for.

The Problem:
Every Khoros Layout including the Share Button component will already set AddThis related cookies, before the user is clicking on the share-Button and before the user has any chance to give consent. From a GDPR perspective this is really critical.

To give you a proof that the mentioned cookies are not related to one of our communities, here is a link for an article within this Khoros community:

https://community.khoros.com/t5/Khoros-Community-Discussions/NPS-other-survey-methodology/td-p/56440...

When visiting the mentioned url, you can easily find the cookies __atuvc and __atuvs belonging to AddThis and before you clicked any share button.

Both mentioned cookies are also not listed here in the cookie policy, as it is a cookie set by AddThis not directly via Khoros.

But it will be delivered via the Khoros pages and this makes it again critical.

STARFLEET

RahulPa · ‎06-09-2020

@STARFLEET

Our engineers have already come up with a way to hide these cookies. The visibility of these cookies (__atuvc and __atuvs) was treated as a bug and the fix is available in v20.5 of the community so these cookies will not be visible in the browser's dev tools after v20.5 upgrade.

CKummer · ‎02-25-2021

Maybe someone can help me. We have done a scan and found two very similar cookies:

!lithiumSSO
lithiumSSO*

The first one is listed above. But for what stands the second one?

SuzieH · ‎02-25-2021

Hi @CKummer.The lithiumSSO* cookie is the original cookie set by SSO. The !lithiumSSO cookie is a cancel cookie. Khoros sets that cookie so that we don't read the original lithiumSSO cookie again. technically, Khoros only sets !lithiumSSO and not lithiumSSO. That is why the cookie datasheet only calls out the cancel cookie. Hope that helps.

CKummer · ‎02-26-2021

@SuzieH Thank you for quick quick reply. Helps me a lot. 🙂

Khoros Cookies Datasheet (Communities, Care, and Marketing)