August 9, 2025
2 min read
The duration of a web cookie is dictated by its expiration attribute, set by the issuing website’s server (“Set-Cookie” header) or through JavaScript. Session cookies persist only during an active browser session and are deleted upon closure (RFC 6265, Section 5.3). Persistent cookies, in contrast, have explicit expiration dates, potentially ranging from seconds to multiple years (Barth, 2011). In practice, the chosen lifespan reflects both technical requirements and privacy considerations.
Session cookies are essential for temporary state management, such as keeping users logged in or tracking navigation within a single visit. These are automatically removed when the browser process terminates (Roesner et al., 2012).
Persistent cookies enable long-term storage of user preferences and authentication tokens. These may remain in the browser’s storage until their expiration date or until manually deleted by the user. Empirical studies have reported persistent cookies with lifespans exceeding five years, often used for analytics or advertising purposes (Acar et al., 2014; Englehardt & Narayanan, 2016).
Privacy regulations do not mandate explicit limits on cookie duration. However, the EU ePrivacy Directive recommends periodic renewal of user consent for cookies, typically at least once per year (European Commission, 2002/58/EC; see also EDPB Guidelines 05/2020). Many organizations now set persistent cookie lifespans to twelve months or less to meet evolving compliance standards.
Users can manually delete cookies at any time via browser settings, overriding any preset expiration. Additionally, browsers like Safari and Firefox employ tracking prevention techniques that may further reduce cookie lifespans, sometimes limiting third-party cookies to 7 days or less (Mayer & Mitchell, 2012).
In summary:
