Strongbox Newtons: in-URL session IDs and wildcard domain

What is a Newton?

Is the in-URL Session ID used in Strongbox protected websites.

How is it shown to my users?

When your users login to your site, they may notice that the members’ area URL no longer shows as


but rather as something like


The hostname portion of the address contains what we call a “newton”. The newton contains the Strongbox session ID which always starts with the letters “sb”.

Why is it called Newton?

We made up that name, our historical documentation says “It’s used like a cookie, but it’s not a cookie, so it’s a newton :~)”

Can I disable them?

Yes, we recommend to disable Newtons (setting the configuration variable cookies_only to 1) when you are using software that don’t behaive correctly when accesing your site with a random subdomain, like some WordPress Plugins that use AJAX calls or you’re Moving To A New Server.

We have a couple of custom WordPress plugins for Strongbox protected websites with WordPress installed in the members area, but

If you do so, your users will be required to accept cookies.

Look, for cookies_only in


Are URLs with Newtons shareable?

No. In order to access your site, the user’s session ID from the newton:

  • must be a valid ID
  • must not have expired
  • and it must match their system fingerprint.

In order to avoid having people share their session ID, Strongbox records a system fingerprint when they login which includes their OS version, browser version, and other information like whether or not they have Word or Excel installed.

How internal links in my site are affected?

Newtons are the reason you can’t use fully qualified URLs in links within your members area. If the link took them to “YOURSITE.EXAMPLE.COM” (without the “sb” subdomain), they would lose their newton and not be able to access the site.

This is the reason why you may need to setup the Wildcard domain. See more at Strongbox Requirements