In order to understand what session cookies are, it’s a good idea to gain a fundamental understanding of IT cookies. A cookie is a piece of data that is placed on your computer when you’re browsing the internet. These text files are automatically created by browsers and websites. They contain personal user information and enable more user-friendly surfing.

Use and risks of cookies

But how exactly do session cookies, or cookies in general, improve the web surfing experience? The small text files that are stored when you first visit a website are recognized by that website on later requests. A website therefore remembers certain settings such as login data, selected language or other personal information. Without cookies, users would need to configure their preferred settings each time they access a website.

What types of cookies exist? Many websites use persistent cookies that are saved on a device for months or years. These can only be removed when they are manually deleted. If you’re using a public computer, it’s a good idea to delete your cookies after each use. Session cookies, on the other hand, are deleted when you shut down a session, i.e. close a browser. They’re automatically deleted as soon as a tab or page is closed. Thus, session cookies are not of great risk to users compared to persistent cookies.

How do session cookies work?

How are sessions defined? A session starts as soon as you launch a website or web app. This can include the time between login and logoff. The server creates a “session ID” which is shared with the client. The ID or session identifier is a randomly generated number that is temporarily stored in the session cookie. It is used to assign a session to an individual user. The session identifier has one major advantage: when multiple tabs belonging to the same website are opened, they’re assigned to a single session. In this way, multiple requests can be made without losing important personal information.

Session cookies, in other words, hold information on the current session. If, for example, you’re adding multiple products to a basket online, they will remain in place until the session has been terminated. Other information such as login data or already filled-out online forms remains intact during the session. When a session is ended, all identifiers and data are deleted. When a website is relaunched, the browser will thus be recognized as a new user rather than the same one.

When are session cookies used?

Websites don’t have a memory, which is why they use session cookies to remember a user for a restricted period of time. These cookies are vital for an improved user experience in online shops and websites. After all, web shop functionalities depend on customer activities. As a shopper navigates from web page to web page, cookies save their information. Payment processing and order confirmations use cookies to work on eCommerce websites.

It’s worth bearing in mind that even before you log in to a web shop, a session cookie is generated. This means that an anonymous shopper can add products to a virtual basket without having to log in. Only when they check out do they need to register or enter their name, address, and payment methods. An anonymous session thus becomes a personalized one. If a user does not end such a session, it will usually expire after a certain amount of time.
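The session lifecycle described above (random session ID, anonymous basket, personalization at checkout, expiry after inactivity), sketched as an added example that is not part of the original article. The cookie names `sid` and `lang`, the 30-minute idle timeout and the in-memory store are assumptions, and issuing a fresh ID at login is an added hardening step the article does not describe.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60  # seconds; assumed value, the article only says "a certain amount of time"


class SessionStore:
    """In-memory, server-side session table keyed by a random session ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "basket": [], "last_seen": self._now()}
        return sid

    def get(self, sid):
        s = self._sessions.get(sid)
        if s is None or self._now() - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # unknown or expired: treat visitor as new
            return None
        s["last_seen"] = self._now()
        return s

    def login(self, sid, user):
        """Anonymous session becomes personalized; the pre-login ID is retired."""
        data = self._sessions.pop(sid)
        data.update(user=user, last_seen=self._now())
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data  # basket carries over to the new ID
        return new_sid


def set_cookie_header(name, value, max_age=None):
    """Build a Set-Cookie value. No Max-Age/Expires means a session cookie."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable from page scripts
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"
    if max_age is not None:
        morsel["max-age"] = max_age  # lifetime attribute makes it persistent
    return morsel.OutputString()


if __name__ == "__main__":
    print(set_cookie_header("sid", SessionStore().create()))     # session cookie
    print(set_cookie_header("lang", "en", max_age=365 * 86400))  # persistent cookie
```

The only difference between the two printed headers that matters to the browser's storage behavior is the `Max-Age` attribute: without it (or `Expires`), the cookie is kept only for the browser session.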

Differences to other cookies

While session cookies are only used to facilitate the use of websites, persistent cookies have additional functions. These track the browsing behavior of users and enable companies to understand their customers better. Persistent cookies capture which products a customer has viewed during their session. This allows retailers to identify buying interest and retarget their adverts as part of their online marketing strategies. With persistent cookies, user data can be saved even after a browser is closed and users won’t need to enter their details again during their next visit.

Most persistent cookies are first-party cookies. A special feature of these text files is that they can only be read by the website operators themselves. Information from these cookies is used for statistical purposes and to create a more pleasant shopping experience for the individual consumer. The storage of such cookies is unproblematic unless a person uses a public computer. For security reasons, individuals should never save their passwords or login data on public computers, and should clear their cookies after using them.

Besides first-party cookies, there are also third-party cookies. Data protection specialists consider third-party cookies to be relatively problematic. Advertisers often place these cookies on websites through advertising banners. Third-party cookies provide an overview of the search behavior of individuals, which allows companies to create exact user profiles and target personalized online adverts. To avoid such personalized adverts, many users now deactivate cookies in their browsers.

It’s also possible to deactivate session cookies in browsers – at least for certain sessions. However, you will need to reactivate them if you do require them again. Unlike other cookie types, the use of session cookies is not always optional. Without individual session data, web servers would not be able to separate individual users from one another. That means that certain web areas or functions may not be usable if session cookies are deactivated.

GDPR: session cookies are an exception

The European General Data Protection Regulation (GDPR), which took effect in May 2018, enforced new rules on cookie use. Website owners are now obligated to inform users about the storage of their data. Individuals need to explicitly consent to the use of tracking cookies. However, the same does not apply to session cookies because without them the function of web pages would be seriously impaired. Session cookies are likely also going to be an exception in the ePrivacy regulations to be implemented by the end of 2023.
