Custom Cookies for AgilePoint NX Portal

Custom cookies enable system administrators to control how information is transferred and stored on a web browser for end users of the AgilePoint NX Portal UI.

Background and Setup

Prerequisites

How to Start

  1. On the AgilePoint Server machine, in a text editor, open the AgilePoint NX Portal configuration file:

    (NX Portal configuration folder - v9.0 and higher) C:\Program Files\AgilePoint\AgilePointPortalInstance\config\web.yaml

Example

"customCookies": {
  "AP_Auth": {
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  },
  "AP_Version": {
    "httpOnly": false,
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  }
}

Custom Cookies

The custom cookies control various ways information is transferred and stored on a web browser.

Good to Know

Cookies

Custom Cookie | Definition

AP_Auth

Description:
Specifies the authentication cookie for AgilePoint NX Portal.

Process Builder and eForm Builder use this cookie to store the authenticated user's session details.

The cookie is set after a successful login, and its details are removed during logout.

Default Value:
"customCookies": {
  "AP_Auth": {
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  }
}
Example:
"customCookies": {
  "AP_Auth": {
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  }
}

AP_CODE_VERIFIER_

Description:
Specifies the PKCE code-verifier cookie to use during the login flow.

It stores the PKCE code_verifier in encrypted format so the authorization server can supply it on the login callback to exchange the authorization code for access tokens.

Default Value:
"customCookies": {
  "AP_CODE_VERIFIER_": {
    "path": "/",
    "httpOnly": true,
    "sameSite": "none",
    "secure": true
  }
}
Example:
"customCookies": {
  "AP_CODE_VERIFIER_": {
    "path": "/",
    "httpOnly": true,
    "sameSite": "none",
    "secure": true
  }
}

AP_NONCE

Description:
Specifies a nonce cookie to prevent replay and token substitution during login callback.

It stores a one‑time nonce so the callback can verify the IDP response matches the original authentication request.

Default Value:
"customCookies": {
  "AP_NONCE_": {
    "path": "/",
    "httpOnly": true,
    "sameSite": "none",
    "secure": true
  }
}
Example:
"customCookies": {
  "AP_NONCE_": {
    "path": "/",
    "httpOnly": true,
    "sameSite": "none",
    "secure": true
  }
}

AP_SESSION_TIMEOUT

Description:
Specifies a client-side cookie to track the user session's remaining time for AgilePoint NX Portal so the UI can show a timeout warning or pop-up message.
Default Value:
"customCookies": {
  "AP_SESSION_TIMEOUT": {
    "path": "/",
    "httpOnly": false,
    "secure": false,
    "sameSite": "lax"
  }
}
Example:
"customCookies": {
  "AP_SESSION_TIMEOUT": {
    "path": "/",
    "httpOnly": false,
    "secure": false,
    "sameSite": "lax"
  }
}

AP_Version

Description:
Specifies a client-side cookie that exposes the release version information for AgilePoint NX Portal. This information can be used by AgilePoint components.
Default Value:
"customCookies": {
  "AP_Version": {
    "httpOnly": false,
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  }
}
Example:
"customCookies": {
  "AP_Version": {
    "httpOnly": false,
    "path": "/",
    "secure": false,
    "sameSite": "lax"
  }
}

UserAuth

Description:
Stores the user's session details.

An eForm uses this cookie when it is opened in the AgilePoint NX Mobile App.

Default Value:
"customCookies": {
  "UserAuth": {
    "path": "/"
  }
}
Example:
"customCookies": {
  "UserAuth": {
    "path": "/"
  }
}

UserAuth_ExternalHosting

Description:
Specifies a cookie that is used in an anonymous form to store the session details.

This cookie can be used by eForm Builder to load the anonymous form and AgilePoint NX Portal on the multifactor authentication page when it is enabled.

Default Value:
"customCookies": {
  "UserAuth_ExternalHosting": {
    "httpOnly": false,
    "path": "/"
  }
}
Example:
"customCookies": {
  "UserAuth_ExternalHosting": {
    "httpOnly": false,
    "path": "/"
  }
}

Custom Cookie Properties

These properties configure the behavior for the AgilePoint NX Portal custom cookies.

Good to Know

  • Different cookies support different properties. For the properties that are supported for each cookie, see the descriptions in the Custom Cookies section.

Properties

Property | Definition

domain

Description:
Specifies the domain name for which the cookie is valid.
Allowed Values:
A domain name.
Example:
"domain": "agilepoint.com"

httpOnly

Description:
Specifies whether to prevent client-side scripts from accessing the cookie.
Allowed Values:
  • true - Prevents client-side scripts from accessing the cookie.
  • false - Client-side scripts can access the cookie.
Example:
"httpOnly": false

path

Description:
Specifies the path for which the cookie is valid.

The browser sends the cookie for a request whose path starts with the value specified in this attribute. If the value is /, the cookie is sent on every path on the host. If the value is /docs, the cookie is sent only on the /docs subpath.

Allowed Values:
A relative path that is appended to a URL.
Example:
"path": "/workcenter/modern"

sameSite

Description:
Specifies whether a cookie is sent with cross-site requests.
Allowed Values:
  • Strict - Sends the cookie only for same-site requests.
  • None - Sends the cookie for both cross-site requests and same-site requests. It must be paired with secure=true in modern browsers.
  • Lax - Sends the cookie on same-site requests and top-level GET requests.
Example:
"sameSite": "Strict"

secure

Description:
Specifies whether the cookie is sent to the server only over HTTPS connections.
Allowed Values:
  • true - The cookie is sent to the server only over HTTPS connections.
  • false - The cookie is sent to the server in both HTTP and HTTPS connections.
Example:
"secure": true
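
The property rules above can be checked mechanically before a changed web.yaml is deployed. The following Python script is an added example, not AgilePoint code: it audits a customCookies block, copied out of the file as text, for sameSite none without secure true and for session-related cookies sent over HTTP or readable by scripts. The function name audit_custom_cookies, the SENSITIVE set and the sample block are assumptions made for this example.

```python
import json

# Constructed sample: defaults shown on this page for three cookies, plus an
# AP_NONCE_ entry deliberately broken (sameSite none with secure false).
SAMPLE = """
"customCookies": {
  "AP_Auth": {"path": "/", "secure": false, "sameSite": "lax"},
  "AP_CODE_VERIFIER_": {"path": "/", "httpOnly": true, "sameSite": "none", "secure": true},
  "AP_NONCE_": {"path": "/", "httpOnly": true, "sameSite": "none", "secure": false},
  "AP_Version": {"httpOnly": false, "path": "/", "secure": false, "sameSite": "lax"}
}
"""

# Assumption: cookies this page describes as holding session or login-flow data.
SENSITIVE = {"AP_Auth", "AP_CODE_VERIFIER_", "AP_NONCE_",
             "UserAuth", "UserAuth_ExternalHosting"}


def audit_custom_cookies(fragment):
    """Return sorted (cookie, severity, message) findings for a customCookies block."""
    # The block is a bare "key": {...} pair, so wrap it in braces to parse it.
    config = json.loads("{" + fragment + "}")
    cookies = next(v for k, v in config.items() if k.lower() == "customcookies")
    findings = []
    for name, props in cookies.items():
        p = {k.lower(): v for k, v in props.items()}
        same_site = str(p.get("samesite", "")).lower()
        # sameSite none needs an explicit secure true; otherwise absent
        # properties are not judged, since their implicit defaults are unknown.
        if same_site == "none" and p.get("secure") is not True:
            findings.append((name, "error", "sameSite none without secure true"))
        elif name in SENSITIVE and p.get("secure") is False:
            findings.append((name, "warn", "secure false: also sent over HTTP"))
        if name in SENSITIVE and p.get("httponly") is False:
            findings.append((name, "warn", "httpOnly false: readable by scripts"))
    return sorted(findings)


if __name__ == "__main__":
    for cookie, severity, message in audit_custom_cookies(SAMPLE):
        print(f"{severity.upper():5} {cookie}: {message}")
```

Warnings are prompts for review, not proof of a fault: a cookie that the Portal UI reads from script has to keep httpOnly false.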