Header and Cookie Dictionary

Posit Workbench relies on non-standard HTTP headers and browser cookies to pass and store information for several product features. Customers using external proxy services may restrict which headers and cookies pass through their proxy, and when doing so should allow the following headers and cookies to pass through to prevent unexpected results and failures.

Headers

Header Usage
X-CSRF-Token CSRF attack prevention when running or upgrading from 2022.09 and earlier releases
X-Postback-ExitCode R processing
X-RS-CSRF-Token CSRF attack prevention
X-RS-Distributed-Event-Checksum Communication between nodes in a load balanced environment
X-RS-Distributed-Event-Timestamp Communication between nodes in a load balanced environment
X-RS-Launcher-Secret Inter-process communication with the Job Launcher
X-RS-Monitor-Shared-Secret Inter-process authentication
X-RS-Session-Server-RPC-Cookie Inter-process authentication
X-RS-Session-Server-RPC-Secret Inter-process authentication
X-RStudio-Admin-LoginAsUser Admin dashboard management
X-RStudio-Admin-Username Admin dashboard management
X-RStudio-Base-Address Session management
X-RStudio-Refresh-Auth-Creds Authentication
X-RStudio-Session-Required Session management in load balanced environments
X-RStudio-Session-Original-Uri Session management
X-RStudio-Virtual-Path Managing multiple sessions

Cookies

Cookie Usage
csrf-token CSRF attack prevention - only required when running or upgrading from 2022.09 and earlier releases
persist-auth Authentication
port-token CSRF attack prevention
rs-base-address Session management
rs-csrf-token CSRF attack prevention
session-host-route Session management in load balanced environments
user-id Authentication
user-list-id Authentication with named user licensing
Note

When www-same-site=none is set in rserver.conf, Posit Workbench emits each cookie alongside an additional cookie containing a -legacy suffix. See Same site cookies for details.