Persistent cookies are stored on a user’s device to remember information, settings, preferences, or sign-on credentials that the user has previously saved, which makes for a faster and more convenient website experience. Each of these cookies has an expiration date issued to it by the web server. Because this type of cookie is saved on your computer, it is still there when you shut the computer down and start it up again. Once the expiration date is reached, the cookie is destroyed by the owner.
There are two types of cookies: session cookies and persistent cookies. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.
When a session cookie whose values contain sensitive data doesn’t expire with the session, it becomes a Persistent Session Cookie, introducing a security risk.
Instead of expiring when the web browser is closed as session cookies do, a Persistent Session Cookie expires at a specific date or after a specific length of time. This means that, for the cookie's entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).
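The distinction above can be checked mechanically from a server's `Set-Cookie` headers. The following Python sketch is an added example, not code from the original page: it classifies a cookie as session, persistent, or expired and flags persistent cookies whose names suggest a session identifier. The `SESSION_HINTS` name list and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: name fragments that suggest a cookie carries a session identifier.
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """None for a session cookie, else seconds until expiry.
    Max-Age takes precedence over Expires (RFC 6265)."""
    try:
        return int(attrs["max-age"])
    except (KeyError, ValueError):
        pass  # absent or malformed Max-Age: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable expiry: the browser treats it as a session cookie
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return int((expires - now).total_seconds())

def audit(header, now=None):
    """Classify one Set-Cookie value and flag persistent session cookies."""
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    life = lifetime_seconds(attrs, now)
    # A lifetime of zero or less means the server is deleting the cookie.
    kind = "session" if life is None else "expired" if life <= 0 else "persistent"
    risky = kind == "persistent" and any(h in name.lower() for h in SESSION_HINTS)
    return {"name": name, "kind": kind, "lifetime": life, "flag": risky}

# Constructed sample headers, not taken from any real site.
SAMPLES = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=abc123; Max-Age=2592000; Path=/; HttpOnly",
    "theme=dark; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
]
if __name__ == "__main__":
    for h in SAMPLES:
        print(audit(h))
```

A flagged result is a prompt for review rather than proof of a flaw: the name heuristic can miss session cookies with unusual names and can match cookies that hold no credentials.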