Authentication API Cookies
The Auth0 Authentication API uses a set of HTTP cookies to enable single sign-on (SSO), multi-factor authentication (MFA), and attack protection capabilities. The table below shows some of the cookies that the Authentication API relies on and describes their purposes:
Cookie | Feature | Purpose |
---|---|---|
auth0 | Single Sign-on | Used to implement the Auth0 session layer. |
auth0_compat | Single Sign-on | Fallback cookie for single sign-on on browsers that don’t support the sameSite=None attribute. |
auth0-mf | Multi-factor Authentication | Used to establish the trust level for a given device. |
auth0-mf_compat | Multi-factor Authentication | Fallback cookie for multi-factor authentication on browsers that don’t support the sameSite=None attribute. |
a0_users:sess | Classic Login | Used for CSRF protection in Classic Login flows. |
a0_users:sess.sig | Classic Login | Used for CSRF protection in Classic Login flows. |
did | Attack Protection | Device identification for attack protection. |
did_compat | Attack Protection | Fallback cookie for anomaly detection on browsers that don’t support the sameSite=None attribute. |
Cookies and custom domains
If you are using custom domains, cookies from the Authentication API are sent to the custom host name (the CNAME) you set up in the Auth0 Dashboard. Each cookie carries a domain attribute, which specifies the domain for which the cookie is valid; the browser sends a cookie with a request only when the request host domain-matches that attribute.
If no domain is specified, the domain attribute defaults to the request host, and the cookie is sent only to that exact host. If you use the IETF’s HTTP State Management Mechanism spec (RFC 6265) to set a cookie on the parent domain instead, the cookie is shared with all subdomains of that parent domain.
For example, you set your CNAME to login.example_domain.com as a subdomain of example_domain.com. You host other applications under the parent domain, such as app1.example_domain.com and app2.example_domain.com. When users visit login.example_domain.com, cookies that app1.example_domain.com and app2.example_domain.com set on the parent domain may be sent along with requests to Auth0’s Authentication API.
Because these cookies can grow to a considerable size and can be shared across subdomains, Auth0 may reject requests that carry excessively large (multiple kilobytes) headers in order to safeguard the platform. Applications should be designed so that excessively large cookies are not sent to the Auth0 Authentication API. To learn more about cookie behavior with custom domains, read Sending Cookies to the Origin Server.
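The following added example (not Auth0's code) models the scenario above: it applies RFC 6265 domain-matching to decide which cookies a browser would attach to a request for the custom login host, then measures the resulting Cookie header so an application team can spot parent-domain cookies that leak to the Auth0 host. The cookie jar, the cookie sizes and the 4096-byte warning threshold are constructed assumptions for the demo, not values Auth0 issues or publishes.

```javascript
// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when the
// two are equal, or the host ends with "." + domain. A cookie that was set without
// a Domain attribute is host-only and goes only to the exact host that set it.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// Build the Cookie header a browser would send to requestHost from the jar.
function cookieHeaderFor(requestHost, jar) {
  const sent = jar.filter((c) => domainMatches(requestHost, c));
  const header = sent.map((c) => `${c.name}=${c.value}`).join('; ');
  return { names: sent.map((c) => c.name), header, bytes: Buffer.byteLength(header) };
}

// Constructed sample jar for the page's scenario (assumed names and sizes).
const SAMPLE_JAR = [
  { name: 'auth0', value: 'a'.repeat(512), domain: 'login.example_domain.com', hostOnly: true },
  { name: 'did', value: 'd'.repeat(128), domain: 'login.example_domain.com', hostOnly: true },
  // app1 set its session cookie on the parent domain, so every subdomain receives it,
  // including the Auth0 custom domain.
  { name: 'app1_session', value: 'x'.repeat(4000), domain: 'example_domain.com', hostOnly: false },
  // app2 kept its session cookie host-only, so it never reaches login.example_domain.com.
  { name: 'app2_session', value: 'y'.repeat(3000), domain: 'app2.example_domain.com', hostOnly: true },
];

// Assumed warning threshold; the page only says "multiple kilobytes".
const WARN_BYTES = 4096;

// Report which cookies reach a host and whether the header is large enough to
// risk rejection by the Authentication API.
function audit(requestHost, jar = SAMPLE_JAR, limit = WARN_BYTES) {
  const result = cookieHeaderFor(requestHost, jar);
  return { names: result.names, bytes: result.bytes, tooLarge: result.bytes > limit };
}

console.log(audit('login.example_domain.com'));
```

Cookies set with a Domain attribute of example_domain.com show up in the login host's report, which is the leak the page warns about; a host-only cookie on app2 does not.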