Common ADFS Cookies

We get a lot of questions about which cookie types ADFS v2.0 uses. In both WebSSO and Federated deployments the common cookie types are the same. Below is a brief overview of those cookie types and the processes they are associated with.

  • Authentication/Token cookie (_WebSsoAuth) – This cookie represents the login to a federation resource. This is a session cookie that expires when the user closes the browser session.
  • Home realm discovery (LSRealm) – This is a file-based cookie, otherwise known as a persistent cookie; its expiry field is set to 30 days by default. It is issued by the relying party’s Federation Server once the user has been successfully authenticated by their claims provider and a CP-signed token has been returned to the RP. The purpose of the cookie is to spare clients from having to go through the whole home realm discovery process every time they try to access a resource.
  • Logout cookie (_LSCleanup) – The _LSCleanup cookie assists in the logout process by keeping track of which federation servers and applications the user has visited. The logout process sets all the _WebSsoAuth cookies to null. The logout cookie is a session cookie.
  • MSISLoopDetection – Used to detect a client that continually requests a token due to a configuration error on the web server, STS, or client computer.
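The lifetimes listed above are something a defender can verify directly from the Set-Cookie headers an AD FS endpoint returns: the token and logout cookies should have no expiry (session cookies), while LSRealm should be persistent with roughly a 30-day lifetime. The following Python script is an added example, not code from the original article or from AD FS itself; the Set-Cookie lines it inspects are constructed samples, and the Secure/HttpOnly check on the token cookie is an extra hygiene check that goes beyond what the article states. MSISLoopDetection is reported but not checked, because the article does not state its lifetime.

```python
"""Audit AD FS Set-Cookie headers against the cookie lifetimes described above.
Added example with constructed sample headers; not part of the original article."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Lifetime each cookie is expected to have, per the article.
# MSISLoopDetection is deliberately absent: its lifetime is not stated there.
EXPECTED_LIFETIME = {
    "_WebSsoAuth": "session",
    "LSRealm": "persistent",
    "_LSCleanup": "session",
}

# Fixed reference time so that expiry arithmetic is reproducible.
NOW = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

# Constructed headers that match the article's description.
GOOD_HEADERS = [
    "_WebSsoAuth=constructed-token-value; path=/; Secure; HttpOnly",
    "LSRealm=constructed-realm-value; expires=Wed, 31 Jan 2024 00:00:00 GMT; path=/; Secure",
    "_LSCleanup=constructed-cleanup-value; path=/; Secure; HttpOnly",
    "MSISLoopDetection=constructed-counter; path=/; Secure",
]

# Constructed headers showing two deviations: a token cookie that has been
# made persistent (and lacks Secure/HttpOnly) and an LSRealm lifetime of 90 days.
MISCONFIGURED_HEADERS = [
    "_WebSsoAuth=constructed-token-value; expires=Wed, 31 Jan 2024 00:00:00 GMT; path=/",
    "LSRealm=constructed-realm-value; max-age=7776000; path=/; Secure",
]


def classify(set_cookie_header, now):
    """Parse one Set-Cookie header and report name, session/persistent kind,
    remaining lifetime in whole days (None for a session cookie) and flags."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    [(name, morsel)] = jar.items()  # exactly one cookie per Set-Cookie header

    lifetime = None
    if morsel["max-age"]:  # Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        lifetime = parsedate_to_datetime(morsel["expires"]) - now

    return {
        "name": name,
        "kind": "session" if lifetime is None else "persistent",
        "days": None if lifetime is None else round(lifetime.total_seconds() / 86400),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit(set_cookie_headers, now):
    """Return a list of findings where a cookie deviates from the expected
    lifetime, LSRealm outlives the 30-day default, or the token cookie lacks
    the Secure/HttpOnly flags (the flag check is an added hygiene expectation)."""
    findings = []
    for header in set_cookie_headers:
        cookie = classify(header, now)
        expected = EXPECTED_LIFETIME.get(cookie["name"])
        if expected and expected != cookie["kind"]:
            findings.append(
                f"{cookie['name']}: expected a {expected} cookie, got {cookie['kind']}"
            )
        if cookie["name"] == "LSRealm" and cookie["days"] is not None and cookie["days"] > 30:
            findings.append(
                f"LSRealm: lifetime of {cookie['days']} days exceeds the 30-day default"
            )
        if cookie["name"] == "_WebSsoAuth" and not (cookie["secure"] and cookie["httponly"]):
            findings.append("_WebSsoAuth: token cookie should carry Secure and HttpOnly")
    return findings


if __name__ == "__main__":
    for label, headers in (("good", GOOD_HEADERS), ("misconfigured", MISCONFIGURED_HEADERS)):
        print(f"[{label}]")
        for header in headers:
            print("  ", classify(header, NOW))
        for finding in audit(headers, NOW) or ["no findings"]:
            print("  !", finding)
```

In practice the headers would come from the Set-Cookie values captured in a browser's developer tools or a proxy while signing in through the federation server; feeding them to `audit` shows at a glance whether the token cookie has silently become persistent or the home realm discovery cookie lives longer than the default.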