ServiceNow Cookies

Issue

Overview

This article consists of general information related to cookies usually found with the ServiceNow Platform. Unless otherwise stated, all cookies utilized by the platform are required for correct functionality. Some or all cookies may be present depending on the applications active on the instance.

Table of Contents

- Overview
- Summary of Cookies
  - BigIP
  - glide_user
  - glide_user_activity
  - glide_user_route
  - glide_session_store
  - glide_sso_id
  - JSESSIONID
  - glide_user_session
  - BAYEUX_BROWSER
  - __CJ_g_startTime
  - __CJ_tabs2_list or __CJ_tabs2_section
  - sn-chatbot-deviceid
  - glide_language
  - glide_user_edge
  - atf_session_cookie
  - glide_mfa_remembered_browser
- Cookie Expiration Details

Summary of Cookies

BigIP

The BigIP cookie is used for load-balancing decisions and absolutely no customer data is disclosed.

Issue - Internal IP is disclosed: The development team has a fix/solution in hand. They have also determined that implementing the fix everywhere at once carries a high-risk impact, so a phased approach is being used to roll it out across all cloud instances. In addition, to access anything beyond the load balancers, ServiceNow requires two-factor authentication on top of its internal password policies. Log monitoring is also enabled so that there is an audit trail of the transactions performed. As a result, the BIGIP cookie does not currently pose a threat to ServiceNow or any of its customers. This issue is currently a low priority and there are no plans to remediate it in the near future.

glide_user

The 'glide_user' cookie is a session cookie created by the application to renew the user session each time the session times out. It is only used by the application when the "Remember me" checkbox is ticked at login.

glide_user_activity

The glide_user_activity cookie prevents the log-out of an active user who did not opt in to the 'Remember Me' option. It renews periodically if the user is active during the session.
Its presence lets the server detect activity on the user's end, so that the session does not lock out a user who is still active; it helps the server refresh the session.

glide_user_route

The glide_user_route cookie defines which application server (or node) in the cluster you are routed to, so it remains consistent unless otherwise directed/redirected by the load balancer. Briefly, it manages node persistence.

glide_session_store

The 'glide_session_store' cookie was added to preserve the session when moving customers from one node to another. Having it enabled makes sure their users are not logged out in case we fail them over from one data center to another. Disabling it is not recommended, but it can be disabled by adding the following property:

Name: glide.session.store.enabled
Type: True|False
Value: false

The purpose of the glide_session_store cookie is for the user to recover some of the session state when the main session has been lost, e.g. when the user has been redirected to an instance different from the one on which the session was established. Whenever a new user session is established, the glide_session_store cookie is updated. Whenever the navigation history changes, the data associated with the glide_session_store cookie is updated. The glide_session_store cookie is not used for authentication and cannot be used to authenticate. It is used only for the partial restoration of state. Other cookies, however, such as the glide_user_activity cookie, do play a role in authentication.

glide_sso_id

The 'glide_sso_id' cookie contains the sys_id of the respective Identity Provider record that the browser client has been associated with. Most of the time, that cookie value is the same as the 'glide.authenticate.sso.redirect.idp' property; however, it can be a different value if customers have different IdPs for various users on their instance.
As it is simply an identifier of the IdP and not useful to an attacker, there are no plans to modify the attributes of this cookie.

JSESSIONID

The 'JSESSIONID' cookie is a session cookie created when the user first logs into the application; it is created by the underlying server to maintain the attributes of the user session.

glide_user_session

The 'glide_user_session' cookie is a session cookie created by the application. When the "Remember Me" checkbox is marked by a user, this and the "glide_user" cookie will be set and utilized by the application to manage user sessions.

BAYEUX_BROWSER

The cookie is used by the CometD library that we use in the platform. The Bayeux protocol and CometD are used for long polling. Bayeux is a protocol for transporting asynchronous messages, primarily over HTTP. CometD is a scalable HTTP-based event routing bus that uses an AJAX push technology pattern known as Comet. It implements the Bayeux protocol.

Long polling, also called Comet programming, allows the emulation of an information push from a server to a client. Similar to a normal poll, the client connects and requests information from the server. However, instead of sending an empty response if the information isn't available, the server holds the request and waits until the information is available (an event occurs). The server then sends a complete response to the client. The client then immediately re-requests information. The client continually maintains a connection to the server, so it's always waiting to receive a response. In the case of server timeouts, the client connects again and starts over.

For transports based on HTTP (long-polling and callback-polling), CometD sends an HTTP cookie with the handshake response, marked as HttpOnly, called BAYEUX_BROWSER (see Configuring the Java Server). The CometD implementation, on the server, maps this cookie to a legitimate session id during the processing of the handshake request message.
For every subsequent message, the browser sends the BAYEUX_BROWSER cookie to the server, and the CometD implementation retrieves the session id from the legitimate sessions that have been mapped to the cookie, rather than from the message (where it could have been altered). Reference: Cometd.org.

__CJ_g_startTime

The "__CJ_g_startTime" cookie is set by certain UI pages to mark the loading start time of a page and does not contain any sensitive information.

__CJ_tabs2_list or __CJ_tabs2_section

There can be multiple cookies prefixed by __CJ_tabs2_list_* and __CJ_tabs2_section_*. These cookies are set by certain UI pages to mark the loading of various tabs and sections on a page and do not contain any sensitive information. The tabs2 cookies are set by the form's tabs code and read by it to restore the user's preferred section or related list tab on the next form load. Without them, a user's section and related list tabs are reset to the first one on each form load.

sn-chatbot-deviceid

This is a session management cookie related to chat functionality. It is a JavaScript-based UUID and does not contain any sensitive or user-identifiable information.

glide_language

This cookie is set when the 'com.glide.sys.glide_language_cookie_enabled' property is enabled. The cookie contains a language ID used for the correct localization of guest users and does not contain sensitive information.

glide_user_edge

This cookie contains information related to the user's time zone, date-time format, and date format, which is utilized when Edge Encryption Proxy is enabled, and does not contain sensitive information. This cookie is destroyed when the session is terminated.

atf_session_cookie

This cookie is utilized by the Automated Testing Framework when the property 'sn_atf.runner.enabled' is set. It is used for rollback recording.

glide_mfa_remembered_browser

This cookie is utilized when 'glide.authenticate.multifactor.remember.browser.enable' is set to 'true'.
The cookie is used in the context of multifactor authentication to associate with a browser so that multifactor authentication is not continually required. The cookie value is a secure randomly generated string. The cookie validity is bounded by the property 'glide.authenticate.multifactor.browser.fingerprint.validity'.

glide_node_id_for_js

glide_node_id_for_js is a non-HttpOnly cookie, introduced in the Vancouver release, that is used internally to support weighted load balancing features. It is used to migrate a web socket connection to the same node as the HTTP connection whenever the HTTP connection is migrated to a new node. It doesn't contain any sensitive information and is hashed using SHA-256.

Cookie Expiration Details

| Cookie | Default Duration | Additional Notes |
| --- | --- | --- |
| BigIP | Session | |
| glide_user | 15 days | This cookie is relevant when the "remember me" checkbox is enabled. The duration for cookie expiration can be tuned with the "glide.ui.user_cookie.life_span_in_days" system property. https://docs.servicenow.com/csh?topicname=sc-session-window-timeout.html |
| glide_user_activity | Session | |
| glide_user_route | 2^31-1 seconds (roughly 24,855 days) | Please note that some web browsers enforce a maximum limit on the lifespan of a cookie, and the values observed in certain web browsers may be much lower. For example, the Google Chrome web browser applies a maximum limit of 400 days. |
| glide_session_store | 30 minutes | |
| glide_sso_id | 6004 days | Please see the note for "glide_user_route" above regarding web browser limits. |
| JSESSIONID | Session | |
| glide_user_session | Session | This cookie is relevant when the "remember me" checkbox is enabled. |
| BAYEUX_BROWSER | Session | |
| __CJ_g_startTime | 1 hour | |
| __CJ_tabs2_list or __CJ_tabs2_section | 1 hour | |
| sn-chatbot-deviceid | Session | |
| glide_language | Session | |
| glide_user_edge | Session | |
| atf_session_cookie | Session | |
| glide_mfa_remembered_browser | 8 hours | The duration for cookie expiration can be tuned with the "glide.authenticate.multifactor.browser.fingerprint.validity" system property. https://docs.servicenow.com/csh?topicname=mfa-properties.html |

Release: Vancouver
Resolution: NA