Cookie Policy
This page describes the cookies used for login and session security in the IT Folder application.
Last updated: August 29, 2025
Scope
This Cookie Policy covers cookies used by the IT Folder web application (e.g., app.itfolder.com) for authentication and security. We do not set advertising cookies. Our public marketing pages set only strictly necessary cookies and, with your consent, the analytics cookies described under Third-Party Cookies below.
What Are Cookies?
Cookies are small text files placed on your device by your browser at the request of a website. They are widely used to keep you signed in, enable site functionality, and protect your account.
How We Use Cookies (Login Only)
Essential Authentication & Security Cookies
These cookies are strictly necessary to sign you in, keep you signed in securely, and protect your account from cross‑site request forgery (CSRF). Without them, you cannot log in or use the application.
Note: We do not use CSRF tokens on the /login, Passkey, SSO, and MFA verification endpoints; those endpoints are unauthenticated or use a one-time flow. After you successfully authenticate, we set a CSRF cookie that protects state-changing requests inside the app.
Cookies We Set
| Cookie | Purpose | Type | Duration | Attributes |
|---|---|---|---|---|
| access_token | Opaque token that maps to your JWT session. Keeps you signed in during an active session; refreshed automatically while you are actively using the application. | Session (essential) | 10 minutes (rolling; refreshed automatically on activity) | Secure; HttpOnly; SameSite=Strict; Path=/; HTTPS only |
| refresh_token | Long-lived token used to automatically refresh your access token. Enables "keep me signed in" across browser restarts. | Persistent (essential) | 7 days (30 days if you selected "remember me") | Secure; HttpOnly; SameSite=Strict; Path=/; HTTPS only |
| csrf_token | Cross-site request forgery protection token, set after successful authentication. Its value must be sent back in a matching X-CSRF-Token header on every state-changing request. | Session (essential) | 30 days (matches the maximum session lifetime) | Secure; SameSite=Strict; HttpOnly=false (deliberately readable by JavaScript so the app can copy it into the header); Path=/; HTTPS only |
Session behavior:
- Active use: Access token refreshes automatically every ~8 minutes while you're using the app
- Session limits: Maximum of 5 concurrent sessions per user account
- Inactivity: Sessions expire based on your organization's configured idle timeout, or 30 days for "remember me" sessions
- Device tracking: Basic device information (browser, platform, masked IP) stored for security monitoring
Device Information Collection
For security and session management, we collect minimal device information including:
- Browser type (e.g., "Chrome", "Firefox"), without the detailed version number
- Platform (e.g., "macOS", "Windows")
- IP address - stored in full for security logs and session validation
- Masked IP address - network prefix only (e.g., "192.168.x.x") stored with session data for privacy
- Timezone and language for user experience
- Basic mobile/desktop detection
We do not collect high-entropy identifiers like exact screen resolution or detailed browser version numbers. Device information is used solely for session security, detecting suspicious login attempts, and providing a better user experience.
Session Timeout
Your session will automatically expire based on your organization's configured idle timeout, or after 30 days if you selected "remember me" during login. The access token refreshes automatically while you're actively using the application, but stops refreshing during periods of inactivity.
Data Retention
Session data and device information are automatically deleted when:
- You explicitly log out
- Your session expires due to inactivity (based on organization settings or 30 days for "remember me")
- Your refresh token expires (7 days, or 30 days for "remember me")
Security logs containing full IP addresses may be retained longer (typically 90 days) for fraud detection and security monitoring purposes, separate from session data. Session-specific device data is automatically deleted when the session ends and is not retained beyond the session lifetime (7 days for standard sessions, or 30 days for "remember me" sessions).
Third‑Party Cookies
We use Google Analytics on our public marketing pages to understand site usage
and improve content. These analytics cookies are not required to sign in and are
not used on the login or MFA endpoints. Typical GA cookies include _ga
and _ga_* (up to ~2 years), and _gid (~24 hours). Where
supported, we configure privacy‑enhancing settings (e.g., IP anonymization, reduced retention).
Cookie Consent
Our marketing pages display a cookie consent banner that allows you to accept or decline non-essential cookies (such as Google Analytics) before they are loaded. Essential authentication cookies used by the application do not require consent under the ePrivacy Directive, as they are strictly necessary for the Service to function.
In jurisdictions that require prior consent for analytics cookies (including the EEA and UK under the ePrivacy Directive), Google Analytics scripts are not loaded until you provide affirmative consent through the cookie banner. You can change your cookie preferences at any time by clicking the cookie settings link in the footer of our marketing pages.
Your Choices
Because these cookies are strictly necessary for authentication and security, blocking them in your browser will prevent you from logging in. You may delete cookies at any time via your browser settings; you will be asked to sign in again.
Security
Authentication cookies are issued over HTTPS with the Secure and HttpOnly flags and a SameSite=Strict policy. Because of SameSite=Strict, the browser does not attach these cookies to requests that originate from another site, including the first request after you follow a link to the app from another site, so the app may show the sign-in page until you navigate within it. CSRF protection applies after authentication and uses a separate csrf_token cookie paired with an X-CSRF-Token header; that cookie is intentionally not HttpOnly so the application's own JavaScript can copy its value into the header, something a page on another origin cannot do. The /login, Passkey, SSO, and MFA verification endpoints do not require a CSRF token because they are unauthenticated or use a one-time, short-lived MFA flow. Cookie values are opaque and validated server-side, and session identifiers are rotated as appropriate (e.g., after MFA success).
Contact Us
Questions about this Cookie Policy? Contact support@itfolder.com.
Effective Date: August 29, 2025