Cookie policy Formdesk

This document describes which cookies Formdesk creates, for what purpose, and how each cookie is secured.

Introduction

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart). They can also be used to remember pieces of information that the user previously entered into form fields.

Authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie’s data to be read by a hacker, used to gain access to user data, or used to gain access (with the user’s credentials) to the website to which the cookie belongs.

Terminology

Session cookie

A session cookie exists only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

Persistent cookie

Instead of expiring when the web browser is closed as session cookies do, a persistent cookie expires at a specific date or after a specific length of time. This means that, for the cookie’s entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to.

Secure cookie

A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS); it cannot be transmitted over an unencrypted connection (i.e. HTTP). This makes the cookie less likely to be exposed to cookie theft via eavesdropping. A cookie is made secure by adding the Secure flag to the cookie.

Http-only cookie

An http-only cookie cannot be accessed by client-side APIs such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks. A cookie is given this characteristic by adding the HttpOnly flag to the cookie.

Same-site cookie

In 2016 Google Chrome introduced a new cookie attribute, SameSite. The SameSite attribute can have the value Strict, Lax or None.

SameSite=Strict: the browser only sends the cookie with requests that originate from the same domain/site as the target domain. This effectively mitigates XSRF attacks.
SameSite=Lax: does not restrict the originating site, but requires the target domain to be the same as the cookie domain, effectively blocking third-party (cross-site) cookies.
SameSite=None: allows third-party (cross-site) cookies.
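The following is an added example and not Formdesk's code: a small model of the browser rules for the Secure and SameSite attributes described above. It shows the point this policy relies on for its session and anti-forgery cookies, namely that a SameSite=Strict cookie is not sent on the request an external provider (OIDC, signing or payment provider) redirects the browser back to, while a Lax cookie is, and that both Strict and Lax withhold the cookie from a cross-site form POST (the XSRF case). The site names, cookie names and request scenarios are constructed for the example.

```python
# Added example, not Formdesk's own code: a model of the Secure/SameSite
# sending rules. Site names and scenarios below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    secure: bool      # Secure flag present
    same_site: str    # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    scheme: str          # "https" or "http"
    initiator_site: str  # site whose page caused the request, e.g. "idp.example"
    target_site: str     # site the request is sent to, e.g. "formdesk.com"
    top_level: bool      # True for a navigation, False for a sub-resource or XHR
    method: str = "GET"


SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def would_send(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser applying the Secure/SameSite rules attaches the cookie."""
    if cookie.secure and req.scheme != "https":
        return False                      # Secure: never over plain HTTP
    same_site = req.initiator_site == req.target_site
    if cookie.same_site == "Strict":
        return same_site                  # Strict: only on same-site requests
    if cookie.same_site == "Lax":
        # Lax: same-site requests, plus cross-site top-level navigations that
        # use a safe method (following a link or a redirect back from a provider)
        return same_site or (req.top_level and req.method in SAFE_METHODS)
    if cookie.same_site == "None":
        return cookie.secure              # modern browsers reject None without Secure
    raise ValueError(f"unknown SameSite value {cookie.same_site!r}")


def provider_redirect_scenario() -> dict:
    """Which cookies formdesk.com receives on the top-level GET an external provider redirects back to."""
    redirect_back = Request("https", "idp.example", "formdesk.com", top_level=True)
    cookies = [
        Cookie("session.backend.secure", secure=True, same_site="Lax"),   # value from this policy
        Cookie("strict.variant", secure=True, same_site="Strict"),        # what Strict would do here
        Cookie("backend.sidn-placeholder", secure=True, same_site="Strict"),
    ]
    return {c.name: would_send(c, redirect_back) for c in cookies}


def cross_site_post_scenario() -> dict:
    """A form POST submitted from another site (the XSRF case), per SameSite value."""
    forged_post = Request("https", "third-party.example", "formdesk.com",
                          top_level=True, method="POST")
    return {ss: would_send(Cookie("c", secure=True, same_site=ss), forged_post)
            for ss in ("Strict", "Lax", "None")}


if __name__ == "__main__":
    print("redirect back from provider:", provider_redirect_scenario())
    print("cross-site POST:", cross_site_post_scenario())
```

The model deliberately ignores details such as the two-minute "Lax-by-default" allowance for unflagged cookies and public-suffix handling; it covers only the attributes this policy names.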

Formdesk Cookies

session.backend.secure / session.frontend.secure

Stores the logged-in user's session information as key-value pairs; the sidn querystring parameter value is the key within this information.
The *.backend.* cookie name is used for the supervisor and users. The *.frontend.* cookie name is used for visitors of login forms.

SameSite=Strict cannot be used because, with redirections from external providers such as OIDC providers, signing providers and payment providers, cookies with the Strict value are not sent with the initial redirect request.

Value: Encrypted
Domain: on a Formdesk domain, the parent formdesk.com domain; on a customer domain, the exact customer domain
Path: Customer folder of forms (e.g. /demo)
Expires: Session
HttpOnly: Yes
Secure: Yes
SameSite: Lax

backend.* / frontend.*

* = the sidn querystring parameter value
This cookie contains no user-sensitive application information, such as the form id, the item id, the sort order of forms or results, and search terms. The cookie is used to avoid querystring parameter (browser history) pollution. It is not HttpOnly and cannot be encrypted because its content is read and manipulated by client-side script.

Value: Not encrypted
Domain: Current domain
Path: Customer folder of forms (e.g. /demo)
Expires: Session
HttpOnly: No
Secure: Yes
SameSite: Strict

Settings

This cookie stores persistent settings specific to supervisors and users, such as the label filtering on the form summary page. Its purpose is the same as that of the backend.* cookie, except that this is a persistent cookie. The stored information is non-sensitive and is also used by client-side script, which is why it is not HttpOnly and its content is not encrypted.

Value: Not encrypted
Domain: Current domain
Path: Customer folder of forms (e.g. /demo)
Expires: One year
HttpOnly: No
Secure: Yes
SameSite: Strict

Rvtoken.*

* = the sidn querystring parameter value
This is an anti-forgery request validation cookie (https://owasp.org/www-community/attacks/csrf). SameSite=Strict cannot be used because, with redirections from OIDC providers, cookies with the Strict value are not sent with the initial redirect request.

Value: Encrypted
Domain: Current domain
Path: Customer folder of forms (e.g. /demo)
Expires: Session
HttpOnly: Yes
Secure: Yes
SameSite: Lax

Open.sidn

This cookie is specific to the login session of a supervisor or user and simply communicates the non-sensitive sidn querystring parameter value when a form is opened from within the account.

Value: Encrypted
Domain: Current domain
Path: Customer folder of forms (e.g. /demo)
Expires: One year
HttpOnly: Yes
Secure: Yes
SameSite: Lax

*.store

* = Account ID
This cookie applies to forms that use the ‘Remember entry’ feature. When the feature is used, Formdesk stores the answers to one or more questions in this cookie; the next time the visitor opens a form from the same account, Formdesk can pre-populate those questions. This feature, and therefore this cookie, is deprecated: the feature can no longer be activated, but forms where it was activated in the past continue to function.

Value: Encrypted
Domain: Current domain
Path: Customer folder of forms (e.g. /demo)
Expires: One year
HttpOnly: Yes
Secure: Yes
SameSite: Lax

Cookietest

The purpose of this cookie is to test whether the browser accepts cookies. It contains only the value ‘True’.

Value: Not encrypted
Domain: Current domain
Path: /
Expires: Session
HttpOnly: No
Secure: Yes
SameSite: Lax
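As an added example (not Formdesk's code), the check below parses Set-Cookie headers from a captured HTTP response and compares each cookie against the attributes this policy lists for it: HttpOnly, Secure, SameSite and whether the cookie is a session or persistent cookie. The sample response is constructed for the example, the cookie values are placeholders, and the exact letter case of the cookie names is assumed, so names are matched case-insensitively. The wildcard parts of the names (the sidn value, the account id) are matched with patterns.

```python
# Added example, not Formdesk's own code: audit Set-Cookie headers against
# the attributes listed in this cookie policy. Sample headers are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if val else True
    return cookie


# Expected attributes per cookie, taken from the policy text above.
# ".+" stands for the "*" part (sidn value or account id); case is assumed.
POLICY = [
    (r"session\.(backend|frontend)\.secure", dict(httponly=True,  secure=True, samesite="Lax",    persistent=False)),
    (r"(backend|frontend)\..+",              dict(httponly=False, secure=True, samesite="Strict", persistent=False)),
    (r"Settings",                            dict(httponly=False, secure=True, samesite="Strict", persistent=True)),
    (r"Rvtoken\..+",                         dict(httponly=True,  secure=True, samesite="Lax",    persistent=False)),
    (r"Open\.sidn",                          dict(httponly=True,  secure=True, samesite="Lax",    persistent=True)),
    (r".+\.store",                           dict(httponly=True,  secure=True, samesite="Lax",    persistent=True)),
    (r"Cookietest",                          dict(httponly=False, secure=True, samesite="Lax",    persistent=False)),
]


def audit_cookie(header: str) -> list:
    """Return the deviations from the policy for one Set-Cookie header (empty list = compliant)."""
    c = parse_set_cookie(header)
    for pattern, expected in POLICY:
        if re.fullmatch(pattern, c.name, re.IGNORECASE):
            break
    else:
        return [f"{c.name}: not listed in the cookie policy"]
    findings = []
    if ("httponly" in c.attrs) != expected["httponly"]:
        findings.append(f"{c.name}: HttpOnly should be {'set' if expected['httponly'] else 'absent'}")
    if ("secure" in c.attrs) != expected["secure"]:
        findings.append(f"{c.name}: Secure should be {'set' if expected['secure'] else 'absent'}")
    same_site = c.attrs.get("samesite")
    if not isinstance(same_site, str) or same_site.lower() != expected["samesite"].lower():
        findings.append(f"{c.name}: SameSite should be {expected['samesite']}, got {same_site}")
    # A cookie without Expires or Max-Age is a session cookie.
    persistent = "expires" in c.attrs or "max-age" in c.attrs
    if persistent != expected["persistent"]:
        kind = "persistent" if expected["persistent"] else "session"
        findings.append(f"{c.name}: should be a {kind} cookie")
    return findings


def audit_response(set_cookie_headers) -> dict:
    """Audit every Set-Cookie header of a response; maps cookie name to its findings."""
    return {parse_set_cookie(h).name: audit_cookie(h) for h in set_cookie_headers}


# Constructed sample response: three compliant cookies and two that deviate.
SAMPLE_HEADERS = [
    "session.backend.secure=PLACEHOLDER; Path=/demo; HttpOnly; Secure; SameSite=Lax",
    "backend.abc123=form%3D42%26sort%3Dname; Path=/demo; Secure; SameSite=Strict",
    "Settings=labels%3D1; Path=/demo; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; SameSite=Strict",
    "Cookietest=True; Path=/; SameSite=Lax",                             # Secure flag missing
    "Rvtoken.abc123=PLACEHOLDER; Path=/demo; Secure; SameSite=Strict",   # no HttpOnly, wrong SameSite
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else findings)
```

The audit only checks the flags and lifetime that the policy states; it does not verify the Domain or Path values, since those depend on the customer's domain and folder, nor whether a value is actually encrypted, which cannot be determined from the header alone.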
