Legal center

Cookie and browser-storage policy

A code-based inventory of authentication cookies, local storage, session storage, and third-party scripts across the Hanami website and osu!guessr.

Effective date
July 18, 2026
Last updated
July 18, 2026

1. What this notice covers

Cookies are small values a site asks a browser to retain. This notice also covers local storage and session storage. Names below reflect the audited library defaults; local development omits secure prefixes, and large values can be split into numbered cookie chunks.

2. Hanami website cookies

NameProvider and purposeLifetimeStatus and attributes
__Secure-better-auth.session_tokenFirst-party Better Auth cookie used to identify the signed-in web session.Approximately 7 days by default; a session-only form can be used when “remember me” is disabled.Strictly necessary. HTTP-only, Secure in HTTPS production, SameSite=Lax, Path=/.
__Secure-better-auth.dont_rememberFirst-party Better Auth flag used only when a non-persistent session is requested.Browser session.Strictly necessary when used. HTTP-only, Secure in HTTPS production, SameSite=Lax, Path=/.

The current configuration does not enable Better Auth’s optional session-data cookie cache or account-data cookie. Hanami’s osu! linking state and bot-issued account links are stored server-side rather than in an OAuth-state cookie. Better Auth may use its server-side verification records during Discord sign-in.

Account deletion may require a new Discord OAuth round trip. It uses Better Auth’s existing necessary OAuth/session mechanisms plus a short-lived server-side challenge whose random browser value is removed from the address after the confirmation page reads it. The workflow does not add an analytics, advertising, or consent cookie.

3. osu!guessr cookies

NameProvider and purposeLifetimeStatus and attributes
__Secure-authjs.session-tokenFirst-party Auth.js encrypted session for osu! sign-in.Approximately 30 days by library default.Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
__Host-authjs.csrf-tokenFirst-party Auth.js cross-site-request-forgery protection.Browser session unless refreshed or cleared sooner.Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
__Secure-authjs.callback-urlFirst-party Auth.js return location used during sign-in.Browser session.Strictly necessary when set. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
__Secure-authjs.pkce.code_verifierFirst-party Auth.js proof-key value for the OAuth exchange.About 15 minutes.Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
__Secure-authjs.stateFirst-party Auth.js state value used to prevent OAuth request forgery.About 15 minutes.Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
__Secure-authjs.nonceFirst-party Auth.js replay-protection value when required by the provider flow.Browser session.Strictly necessary when set. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/.
localeFirst-party language preference written by osu!guessr.About 1 year.Functional. SameSite=Lax, Path=/; JavaScript-readable. Secure is not set explicitly in the audited code.

4. Other browser storage

KeyStoragePurposeDuration
app-configosu!guessr local storageGame, UI, API, audio, and performance preferences.Until cleared or overwritten.
localeosu!guessr local storageLanguage preference synchronized to the locale cookie.Until cleared or overwritten.
themeosu!guessr local storageTheme preference supplied by next-themes.Until cleared or overwritten.
osu-guessr:game-session:…osu!guessr session storageOpaque identifier used to recover the current game session.Normally the browser-tab session; cleared when the game ends.
osu-guessr:action-reload-attemptedosu!guessr session storagePrevents repeated reloads after a deployment/action mismatch.Browser-tab session.
hanami.account-deletion.challengeHanami website session storageShort-lived account-deletion reauthentication challenge copied from the callback fragment.Removed after confirmation or failure; otherwise the browser-tab session.

No application use of IndexedDB was found in the audited Hanami web or osu!guessr source. Apart from the deletion challenge above, no local or session storage use was found in the main Hanami website source.

5. Third-party scripts and content

Account views can request Discord or osu! avatar images. These requests disclose ordinary network metadata to the relevant host but do not require a Hanami consent cookie. The main website uses system fonts and does not request an external font stylesheet.

Both public sites are proxied through Cloudflare. Depending on the security and traffic features triggered for a request, Cloudflare may set strictly necessary cookies such as __cf_bm for bot protection or cf_clearance after a challenge. Cloudflare documents __cf_bm as expiring after 30 minutes of inactivity; challenge-cookie lifetime depends on the configured protection. See Cloudflare’s cookie documentation.

osu!guessr loads self-hosted Umami from umami.yorunoken.com for aggregate analytics. Umami does not set analytics cookies. Request and device information such as IP address and user agent may be processed to derive aggregate session and location metrics, while raw IP addresses are not intended to be stored.

No advertising script, tracking pixel, or third-party iframe is loaded by the audited application source.

6. Choices and consent

The main Hanami application defines authentication and security cookies only. Cloudflare’s conditional edge-security cookies are described above. Users can decline the application cookies by not signing in, or clear them by signing out and using browser controls; authentication will not work without the session cookie.

osu!guessr’s self-hosted Umami script is non-essential and loads after the production page starts. Blocking it prevents aggregate analytics but should not prevent the core game from working. Browser controls or content blockers can stop the request; Umami does not use an analytics cookie to recognize the browser.

7. Questions about cookies and storage

Contact [email protected] with questions about cookies, browser storage, or related privacy controls.