1. What this notice covers
Cookies are small values a site asks a browser to retain. This notice also covers local storage and session storage. Names below reflect the audited library defaults; local development omits secure prefixes, and large values can be split into numbered cookie chunks.
2. Hanami website cookies
| Name | Provider and purpose | Lifetime | Status and attributes |
|---|---|---|---|
__Secure-better-auth.session_token | First-party Better Auth cookie used to identify the signed-in web session. | Approximately 7 days by default; a session-only form can be used when “remember me” is disabled. | Strictly necessary. HTTP-only, Secure in HTTPS production, SameSite=Lax, Path=/. |
__Secure-better-auth.dont_remember | First-party Better Auth flag used only when a non-persistent session is requested. | Browser session. | Strictly necessary when used. HTTP-only, Secure in HTTPS production, SameSite=Lax, Path=/. |
The current configuration does not enable Better Auth’s optional session-data cookie cache or account-data cookie. Hanami’s osu! linking state and bot-issued account links are stored server-side rather than in an OAuth-state cookie. Better Auth may use its server-side verification records during Discord sign-in.
Account deletion may require a new Discord OAuth round trip. It uses Better Auth’s existing necessary OAuth/session mechanisms plus a short-lived server-side challenge whose random browser value is removed from the address after the confirmation page reads it. The workflow does not add an analytics, advertising, or consent cookie.
3. osu!guessr cookies
| Name | Provider and purpose | Lifetime | Status and attributes |
|---|---|---|---|
__Secure-authjs.session-token | First-party Auth.js encrypted session for osu! sign-in. | Approximately 30 days by library default. | Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
__Host-authjs.csrf-token | First-party Auth.js cross-site-request-forgery protection. | Browser session unless refreshed or cleared sooner. | Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
__Secure-authjs.callback-url | First-party Auth.js return location used during sign-in. | Browser session. | Strictly necessary when set. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
__Secure-authjs.pkce.code_verifier | First-party Auth.js proof-key value for the OAuth exchange. | About 15 minutes. | Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
__Secure-authjs.state | First-party Auth.js state value used to prevent OAuth request forgery. | About 15 minutes. | Strictly necessary. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
__Secure-authjs.nonce | First-party Auth.js replay-protection value when required by the provider flow. | Browser session. | Strictly necessary when set. HTTP-only, Secure on HTTPS, SameSite=Lax, Path=/. |
locale | First-party language preference written by osu!guessr. | About 1 year. | Functional. SameSite=Lax, Path=/; JavaScript-readable. Secure is not set explicitly in the audited code. |
4. Other browser storage
| Key | Storage | Purpose | Duration |
|---|---|---|---|
app-config | osu!guessr local storage | Game, UI, API, audio, and performance preferences. | Until cleared or overwritten. |
locale | osu!guessr local storage | Language preference synchronized to the locale cookie. | Until cleared or overwritten. |
theme | osu!guessr local storage | Theme preference supplied by next-themes. | Until cleared or overwritten. |
osu-guessr:game-session:… | osu!guessr session storage | Opaque identifier used to recover the current game session. | Normally the browser-tab session; cleared when the game ends. |
osu-guessr:action-reload-attempted | osu!guessr session storage | Prevents repeated reloads after a deployment/action mismatch. | Browser-tab session. |
hanami.account-deletion.challenge | Hanami website session storage | Short-lived account-deletion reauthentication challenge copied from the callback fragment. | Removed after confirmation or failure; otherwise the browser-tab session. |
No application use of IndexedDB was found in the audited Hanami web or osu!guessr source. Apart from the deletion challenge above, no local or session storage use was found in the main Hanami website source.
5. Third-party scripts and content
Account views can request Discord or osu! avatar images. These requests disclose ordinary network metadata to the relevant host but do not require a Hanami consent cookie. The main website uses system fonts and does not request an external font stylesheet.
Both public sites are proxied through Cloudflare. Depending on the security and traffic features triggered for a request, Cloudflare may set strictly necessary cookies such as __cf_bm for bot protection or cf_clearance after a challenge. Cloudflare documents __cf_bm as expiring after 30 minutes of inactivity; challenge-cookie lifetime depends on the configured protection. See Cloudflare’s cookie documentation.
osu!guessr loads self-hosted Umami from umami.yorunoken.com for aggregate analytics. Umami does not set analytics cookies. Request and device information such as IP address and user agent may be processed to derive aggregate session and location metrics, while raw IP addresses are not intended to be stored.
No advertising script, tracking pixel, or third-party iframe is loaded by the audited application source.
6. Choices and consent
The main Hanami application defines authentication and security cookies only. Cloudflare’s conditional edge-security cookies are described above. Users can decline the application cookies by not signing in, or clear them by signing out and using browser controls; authentication will not work without the session cookie.
osu!guessr’s self-hosted Umami script is non-essential and loads after the production page starts. Blocking it prevents aggregate analytics but should not prevent the core game from working. Browser controls or content blockers can stop the request; Umami does not use an analytics cookie to recognize the browser.
7. Questions about cookies and storage
Contact [email protected] with questions about cookies, browser storage, or related privacy controls.