Session Cookies vs Persistent Cookies: The Difference, Explained Simply

Session cookies vanish when you close your browser. Persistent cookies carry an expiry date and stay. See the exact test, the consent split, and the risks.


by Riad Us Salehin • 3 July 2026


A session cookie lasts only until you close your browser, because it has no expiry date and lives in memory. A persistent cookie carries a set expiry date and stays on your device across visits. The difference is lifespan, and it decides whether the cookie needs consent.

Session Cookies vs Persistent Cookies: The Short Answer

The only fundamental difference is how long the cookie survives. Everything else follows from that one fact.

  • Lifespan: a session cookie dies when the browser session ends; a persistent cookie survives until its set expiry date.
  • Storage location: session cookies sit in the browser's memory; persistent cookies write to the device's storage.
  • What triggers deletion: closing the browser deletes a session cookie; only its expiry date, or a manual clear, deletes a persistent cookie.

What Is a Session Cookie?

A session cookie is a temporary cookie with no Max-Age or Expires attribute. It stores in the browser's memory, remembers you for a single visit, and disappears when the session ends. MDN Web Docs defines it exactly this way: cookies without a Max-Age or Expires attribute are deleted when the current session ends.

HTTP itself has no memory. Each page request arrives at the server as if it were the first. A session cookie bridges that gap. The server generates a session ID and sends it to your browser as a cookie. Your browser returns that same ID on every request, so the server recognizes you as the same visitor.

Because the cookie never touches the disk, it also goes by other names. Wikipedia lists it as an "in-memory cookie, transient cookie, or non-persistent cookie." All three point to the same mechanism: no expiry attribute, memory-only storage.

Common session-cookie examples:

  • Staying logged in while you browse a single visit
  • Keeping items in a shopping cart as you move between product pages
  • Carrying form data through a multi-step checkout
  • Maintaining a live chat conversation across page loads

What Is a Persistent Cookie?

A persistent cookie, also called a permanent cookie, carries a set expiry date through the Expires or Max-Age attribute. It writes to the device's storage and survives browser closes and restarts until it expires or you delete it. That expiry can be set for weeks, months, or even years, depending on how the site programs it.

Because that expiry date is baked into the cookie itself, the browser has no reason to delete it early. It sits on the hard drive until the clock runs out or a person clears it manually.

That durability is what makes persistent cookies useful across more than one visit: they remember who you are and what you prefer. Persistent cookies are also the vehicle most third-party tracking runs on. Source, not duration, is a separate axis, covered in first-party and third-party cookies.

Common persistent-cookie examples:

  • A "Remember Me" login that keeps you signed in across visits
  • Saved language or region settings
  • A stored dark-mode or theme preference
  • Analytics and ad-measurement cookies that track behavior over time, such as Google Analytics

Lifespan varies by design, sometimes hours, sometimes years. The full range, and how sites set it, is covered in how long a cookie lasts.

Session vs Persistent Cookies: Side-by-Side Comparison

The two types diverge on eight practical points, not just lifespan.

AttributeSession CookiePersistent Cookie
LifespanEnds when the browser session closesSet expiry date; days to years
Expiry attributeNone (no Max-Age or Expires)Has Max-Age or Expires
Where it's storedBrowser memoryDevice storage (hard drive)
Deleted whenBrowser or tab closesExpiry date passes, or manual clear
Survives a restart?Usually no (session restoring is the exception)Yes
Typical purposeSingle-visit continuityCross-visit memory
Consent under GDPRUsually exempt if strictly necessaryUsually needs consent
Security exposureShort-lived but still hijackableLonger-lived; risky if it holds sensitive data

The Real Difference Is the Expiry Date (Max-Age and Expires)

One attribute decides everything: does the Set-Cookie header carry a Max-Age or Expires value?

If neither attribute is present, the browser treats the cookie as a session cookie and clears it when the session ends. If either attribute is present, the cookie becomes persistent and lives until that date or duration passes. MDN shows both forms directly:

`` Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT; Set-Cookie: id=a3fWa; Max-Age=2592000 ``

Expires sets a fixed calendar date. Max-Age sets a duration in seconds from the moment the cookie is set (2,592,000 seconds equals 30 days). If a Set-Cookie header includes both, the specification treats Max-Age as the one that wins. This single-attribute test, defined in RFC 6265, is the precise mechanism most privacy explainers skip in favor of vaguer "it just expires" language.

"Why Am I Still Logged In After Closing My Browser?"

A session cookie is supposed to die the moment you close your browser, but modern browsers often keep you logged in anyway.

The cause is usually "session restoring." Chrome, Edge, and Firefox can reopen your previous tabs on restart. MDN documents the side effect directly: "some browsers use session restoring when restarting. This can cause session cookies to last indefinitely." The browser never truly ended the session. It just reopened the same one.

The other cause is simpler: you were never logged in through a session cookie at all. Many "stay logged in" experiences run on a separate persistent "Remember Me" cookie, not the session cookie. Closing your browser and reopening the site can trigger either mechanism, and the two look identical from the login screen.

Do Session and Persistent Cookies Need Consent?

Session cookies that are strictly necessary are usually exempt from prior consent; persistent cookies used for tracking or preferences usually need it.

Cookies classed as strictly necessary, such as login, cart, security, or load-balancing cookies, are generally exempt from prior cookie consent. This exemption comes from the ePrivacy Directive and GDPR. The site must still disclose these cookies in its cookie banner. Exemption from consent is not exemption from disclosure: even a strictly necessary session cookie has to be named in your banner.

Persistent cookies used for analytics, advertising, or "Remember Me" logins usually fail the strictly-necessary test. They are not required for the site to function; they add convenience or track behavior instead. A persistent cookie that tracks behavior needs consent before it is stored. A persistent login cookie sits in the same bucket. It is convenience, not necessity, so the ePrivacy strictly-necessary exemption does not extend to it. CCPA and CPRA in the US run on an opt-out model instead of opt-in, a different framework worth knowing but outside this page's scope. This explains the general pattern, not your specific legal obligations.

Categories like "strictly necessary" are one part of a broader classification system. See how cookies are categorized for the full breakdown, and cookie compliance for what compliant handling looks like end to end.

Are Session Cookies a Security Risk? (Session Hijacking)

Session cookies carry less privacy risk than persistent cookies, but they are a live security target.

If someone steals a session cookie, through cross-site scripting, infostealer malware, or network interception, they can impersonate you without your password. They can even bypass multi-factor authentication. This is session hijacking: the stolen cookie IS the credential once you're authenticated. It is an active, current threat, not a theoretical one. Security researchers reported new infostealer campaigns targeting Chrome session cookies as recently as June 2026. Chrome responded by shipping Device-Bound Session Credentials to general availability that same year, specifically to make stolen session cookies harder to reuse.

Persistent cookies carry a different risk. Because they sit on the device's hard drive, CWE-539 warns against storing sensitive information in them. Anything written to disk is exposed for as long as the cookie lives, which can be years. The mitigation for both cookie types includes the HttpOnly, Secure, and SameSite flags, which block script access and unencrypted transmission. Implementing them is a developer task, not a one-sentence fix.

Session Cookie vs Session: Not the Same Thing

A "session" and a "session cookie" are different things. The session is server-side data; the session cookie is just the ID that points to it.

A session, in the server-side sense, is where the actual data about your visit lives: on the web server. The server keeps the data; your browser keeps only the session ID that points to it. The session cookie carries almost nothing meaningful. It is just a random lookup token.

Where the data livesWhat it holds
Browser (session cookie)A random session ID, no meaningful content
Server (the session)The actual data: cart contents, login state, form progress

So "cookie vs session" really asks where the data is stored. The cookie holds the pointer; the server holds the substance.

How Consently Sorts Session and Persistent Cookies for You

Consently's scanner detects every cookie on your site and sorts it by consent category: essential, analytics, advertising, and more. It then blocks the non-essential ones automatically until a visitor consents.

You do not have to read Set-Cookie headers by hand to know what is running on your site. Consently crawls your site on install, detects all cookies, and updates the banner categories automatically. Every cookie gets sorted by purpose. Each cookie's expiration is visible in the Cookie Manager. Check it anytime to confirm whether a specific cookie is session or persistent.

Two features do the heavy lifting. Auto Scanning ("We find every cookie, so you don't have to!") finds every cookie, tracker, script, and iframe on your site without manual auditing. Cookie categorization with auto-blocking keeps non-essential cookies, most of the persistent, tracking kind, from loading until a visitor consents.

That split mirrors the GDPR distinction above: strictly necessary cookies keep your site working while non-essential ones wait for a yes. Try Consently Free to scan your own site and see the split for yourself.

FAQs

What is the difference between a session cookie and a persistent cookie?

A session cookie has no expiry date and is deleted when you close your browser. A persistent cookie has a set expiry date and stays on your device until it expires or you clear it manually.

Is a session cookie a persistent cookie?

No. They sit on opposite ends of the same duration axis. A session cookie has no expiry attribute and dies with the browser session; a persistent cookie has one and survives across sessions.

What is an example of a persistent cookie?

A "Remember Me" login cookie, a saved language or region preference, and a Google Analytics tracking cookie are all persistent cookies. Each carries an expiry date and survives across visits.

How long does a persistent cookie last?

However long the site's Expires or Max-Age value sets it for, ranging from a few hours to several years. It stays until that date passes or someone deletes it manually.

Are session cookies safe?

They carry low privacy risk since they rarely hold long-term data, but they are a security target. If a session cookie is stolen through hijacking, an attacker can impersonate you without your password.

Do session cookies need consent under GDPR?

Usually not, if the cookie is strictly necessary, such as login or cart functionality, though it must still be disclosed in the cookie banner. Persistent tracking or preference cookies typically do need consent.

Where are session cookies stored?

In the browser's temporary memory, never written to the device's hard drive. That's why they disappear when the browser closes.

How do I delete persistent cookies?

Clear your browsing data through your browser's settings; persistent cookies stay until you do this or their expiry date passes. Session cookies clear automatically when you close the browser. See how to delete cookies for the exact steps per browser.

What is a non-persistent cookie?

Another name for a session cookie. Wikipedia lists "non-persistent cookie" alongside "in-memory cookie" and "transient cookie" as synonyms for the same memory-only, no-expiry cookie type.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.