Application Security Terminology

Glossary

Persistent Session Cookie

There are two types of cookies: session cookies and persistent cookies. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

When a cookie that carries session data with sensitive values (such as a session identifier) is given an expiry instead of ending with the browser session, it becomes a Persistent Session Cookie and introduces a security risk.

Instead of expiring when the web browser is closed as session cookies do, a Persistent Session Cookie expires at a specific date or after a specific length of time. This means that, for the cookie's entire lifespan (which can be as long or as short as its creators want), its information will be transmitted to the server every time the user visits the website that it belongs to, or every time the user views a resource belonging to that website from another website (such as an advertisement).
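The distinction above comes down to whether a Set-Cookie header carries an Expires or Max-Age attribute. The following check, an added example that is not part of the original glossary, parses Set-Cookie headers, classifies each cookie as session or persistent, and flags cookies whose names suggest they hold a session identifier yet persist. The header lines and the session-name hints are constructed for the example.

```python
"""Flag session-identifier cookies that a server sets as persistent cookies."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Name fragments that commonly indicate a session identifier (assumed list).
SESSION_NAME_HINTS = ("sessionid", "session", "sid", "jsessionid", "phpsessid", "auth")

# Constructed Set-Cookie header values, as a server might send them.
CONSTRUCTED_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",                       # session cookie
    "PHPSESSID=def456; Expires=Mon, 21 Oct 2030 07:28:00 GMT; Path=/",  # persistent session cookie
    "theme=dark; Max-Age=31536000; Path=/",                             # persistent, not a session id
]
# Fixed "current time" so the remaining lifetime is reproducible (constructed).
CONSTRUCTED_NOW = datetime(2030, 10, 21, 6, 28, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now=None):
    """Return None for a session cookie, else remaining lifetime in seconds.
    Max-Age wins over Expires (RFC 6265 section 5.3); a malformed attribute is ignored."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires: the browser treats it as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        now = now if now is not None else datetime.now(timezone.utc)
        return int((exp - now).total_seconds())
    return None


def find_persistent_session_cookies(headers, now=None):
    """Return (name, lifetime_seconds) for cookies that look like session ids but persist."""
    findings = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        lifetime = cookie_lifetime(attrs, now)
        if lifetime is not None and any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            findings.append((name, lifetime))
    return findings
```

Running `find_persistent_session_cookies(CONSTRUCTED_HEADERS, CONSTRUCTED_NOW)` reports only PHPSESSID, with an hour of lifetime left; the theme cookie persists but carries no session data, and sessionid has no expiry and so remains a true session cookie.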