Website cookies (not the edible kind) last from a single browsing session to a browser-capped maximum of about 400 days. The determining factor is whether a cookie is session or persistent: session cookies vanish on browser close, and persistent cookies carry an explicit expiration date.
Below: the short answer, why session and persistent cookies differ, and how the Expires and Max-Age attributes set duration. Then typical lifespans by cookie type, the browser caps that override any site's request, and how long cookie consent stays valid.
How Long Do Cookies Last? (The Short Answer)
A session cookie lasts until you close your browser. A persistent cookie lasts until the date the site set, capped at about 400 days in Chrome.
The single biggest factor is whether a cookie is a session cookie or a persistent cookie. A session cookie carries no expiration date at all: it exists only for the current browsing session and disappears when the browser closes. A persistent cookie carries an explicit expiration date or a countdown in seconds, and it survives across browser restarts until that countdown ends.
Why the range is so wide comes down to purpose. A login check might need a five-minute window before it times out. A "remember me" cookie needs months. An advertising cookie wants a year or more to build a durable profile. The purpose sets the requested duration; the browser then decides whether to honor it.
Session Cookies vs Persistent Cookies: Why Lifespan Differs
A session cookie has no Expires or Max-Age attribute, so it dies when the session ends. A persistent cookie has one of those attributes, so it survives until that date.
| Type | Has Expires or Max-Age? | Deleted when |
|---|---|---|
| Session cookie | No | The browsing session ends (browser closes) |
| Persistent cookie | Yes | The set expiration date arrives, or you clear it manually |
For the full technical and legal distinction between the two types, see session and persistent cookies explained in depth.
Session cookies come with one surprising exception. A session cookie is supposed to die the moment you close the browser, but modern browsers can restore your previous tabs on restart. That restore feature can keep the session alive across restarts. This session-restore behavior, not a broken cookie, explains most "I closed my browser and I'm still logged in" reports.
How Cookie Expiration Works: the Expires and Max-Age Attributes
A website sets a cookie's lifespan using one of two attributes on the Set-Cookie header: Expires or Max-Age.
Expires sets an absolute date and time. The browser reads it against the visitor's device clock.
`` Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2027 07:28:00 GMT; ``
Max-Age sets a countdown in seconds from the moment the cookie is set:
`` Set-Cookie: id=a3fWa; Max-Age=2592000 ``
That example's 2,592,000 seconds equals 30 days. Max-Age wins when both attributes appear on the same cookie, per MDN's HTTP cookies guide. Max-Age is also less error-prone, since it does not depend on the visitor's device clock being correct.
A cookie with neither attribute is a session cookie by definition. To delete a cookie immediately, a site resets it with the same name and either a past Expires date or Max-Age=0.
`` Set-Cookie: id=a3fWa; Max-Age=0 ``
Typical Cookie Lifespans by Type
Cookie lifespans range from a single browsing session to about 400 days. The cookie's purpose predicts roughly where in that range it falls. The named durations below come from Google's own cookie documentation.
| Cookie type or purpose | Typical lifespan | Real-world example |
|---|---|---|
| Session or login-state cookie | The browsing session only | No name; expires on browser close |
| Server session timeout | Minutes | A 5-minute inactivity timeout |
| Authentication "Remember Me" | Days to months | Varies by site implementation |
| Preferences | 6 months | Google's NID cookie |
| Consent-record cookie | 6 months to 1 year | A CMP's consent-log cookie category |
| Analytics | 2 years (capped to 400 days in Chrome) | Google Analytics' _ga cookie |
| Advertising or tracking | 13 months | Google's _gads and __Secure-ENID cookies |
| Ad retargeting | 2 weeks | Google's DSID cookie |
| Third-party tracking under Safari | As little as 7 days | Any script-set cross-site tracking cookie |
First-party cookies generally outlive third-party ones. Browsers now cap third-party and tracking cookies far more aggressively. Cross-site tracking is the behavior privacy rules and browser vendors target hardest.
If you want a plain-language refresher on what a cookie is before comparing durations, read the full explainer.
Browsers Cap Cookie Lifespans (Chrome 400 Days, Safari ITP)
No matter what expiration date a site requests, the browser can shorten it. Chrome caps every cookie at 400 days; Safari can cut some tracking cookies to 7 days.
Chrome introduced its cap in version M104 (August 2022), documented on Chrome for Developers. Any cookie that requests an expiration further than 400 days out is not rejected. Chrome simply resets its expiration to exactly 400 days from when it was set. Chrome's own engineering team picked 400 days as a figure a bit over 13 months. That keeps a cookie alive for a site the visitor returns to once a year.
Safari applies a stricter rule through Intelligent Tracking Prevention (ITP). ITP deletes any cookie created through JavaScript (document.cookie) after 7 days of no interaction with that site. Cookies set on a page reached via a link decorated with tracking parameters get cut further, to 24 hours. Firefox and Edge currently allow durations closer to Chrome's 400-day limit, though both browsers actively restrict third-party tracking cookies through their own protections.
The pattern across every major browser is the same: first-party cookies get the longest leash, and third-party tracking cookies get cut first and hardest.
How Long Should Cookie Consent Last? The 13-Month Rule
A cookie's technical expiry, a visitor's consent, and your data retention window are three separate clocks, and most sites conflate all three.
The three clocks:
- Cookie expiry: set by Expires or Max-Age, capped by the browser (400 days in Chrome, 7 days for some Safari cookies).
- Consent validity: how long a visitor's accept or reject choice stays valid before you must ask again.
- Data retention: how long you may keep the data those cookies collected, separate from the cookie file itself.
Regulators focus mainly on the second and third clocks. France's data protection authority, CNIL, recommends limiting the lifetime of measurement and tracking cookies to 13 months. The ePrivacy Directive points site owners toward renewing consent at least once a year. Some national data protection authorities recommend renewal windows as short as 6 months. The UK's ICO frames the standard more loosely: keep cookies and the data behind them no longer than necessary for the stated purpose.
Data retention is a separate, typically longer, clock from either the cookie's technical expiry or the consent-renewal window. Treat it as its own decision when you draft a retention policy, not a number that automatically matches your cookie's Max-Age.
Cookie consent validity and cookie lifespan are two different questions with two different answers, and treating them as one is a common cookie compliance mistake.
How to Check and Delete Cookies and Their Expiry
To see a cookie's real expiration date in Chrome or Edge, open DevTools, then Application, then Cookies under Storage.
Each row lists that cookie's name, value, and exact expiration date. You can also click the site-info icon just before the address bar to view a shorter summary of stored cookies. Firefox and Safari include equivalent storage inspectors under their own developer tools.
Clearing browsing data removes cookies, which logs you out of most sites and resets any saved preferences. You can also delete cookies for a single site instead of your whole browser. Deleting a cookie does not stop the site from setting a fresh one on your next visit; only blocking or consent settings prevent that.
How Consently Helps You Track and Declare Cookie Lifespans
Consently does not control how long a third-party cookie lasts, but it finds every cookie your site sets and records how long each one lives.
Consently's automatic cookie scanning detects every cookie, tracker, script, and iframe running on your site. It lets you record each cookie's vendor, expiration data, description, and category. Instead of guessing whether a tag sets a 90-day cookie or a 2-year one, you get the actual scan result.
The Cookie Policy Generator turns that scan into a cookie policy listing each cookie's purpose and duration. Your published policy then matches what your site actually does. Consently's consent banner and scanner work together: the banner collects the choice, and the scan data backs up what you declare.
Consent logs record the timestamp and choice behind every visitor's consent. The floating revisit button lets visitors reopen their preferences to withdraw or change consent, useful whenever a regulator's renewal guidance applies to your site.
Scan your cookies free and see every cookie's real expiration data before you write another cookie policy by hand.
FAQs
How long do cookies last on a website?
Website cookies last from one browsing session (session cookies) to a browser-capped maximum of about 400 days (persistent cookies), depending on type.
Do cookies expire automatically?
Yes. Persistent cookies expire on the Expires or Max-Age date the site set, or sooner if the browser caps it. Session cookies expire when the browsing session ends.
How long do session cookies last?
Only for the current browsing session. They are deleted when you close the browser, though browser session-restore features can keep some alive across restarts.
What is the maximum cookie lifespan?
About 400 days in Chrome and browsers that align with it. Chrome clamps any longer requested expiration down to 400 days rather than rejecting the cookie. Safari's Intelligent Tracking Prevention can cut some script-set tracking cookies to 7 days.
How long do Google Analytics cookies last?
Google's main Analytics cookie, _ga, is set to last 2 years, though Chrome's 400-day cap shortens its actual lifespan in that browser.
How long is cookie consent valid for?
There is no single global limit. France's CNIL recommends capping tracker lifetimes at 13 months, and some data protection authorities suggest renewing consent as often as every 6 months.
Do cookies get deleted when I close my browser?
Only session cookies are meant to be. Persistent cookies stay until their expiration date or until you clear them, and browser session-restore features can preserve even session cookies across a restart.

