What are Session Cookies?
In order to understand what session cookies are, it’s a good idea to gain a fundamental understanding of IT cookies. A cookie is a piece of data that is placed on your computer when you’re browsing the internet. These text files are automatically created by browsers and websites. They contain personal user information and enable more user-friendly surfing.
Use and risks of cookies
But how exactly do session cookies or cookies, in general, improve the web surfing experience? The small text files that are stored when you first visit a website are recognised by these websites. A website therefore remembers certain settings such as login data, selected language or other personal information. Without cookies, users would need to configure their preferred settings each time they access a website.
What types of cookies exist? Many websites use persistent cookies that are saved on a device for months or years. These can only be removed when they are manually deleted. If you’re using a public computer, it’s a good idea to delete your cookies after each use. Session cookies, on the other hand, are deleted when you shut down a session, i.e. close a browser. They’re automatically deleted as soon as a tab or page is closed. Session cookies therefore pose little risk to users compared to persistent cookies.
How do session cookies work?
How are sessions defined? A session starts as soon as you launch a website or web app. This can include the time between login and logoff. The server creates a “session ID” which is shared with the client. The ID or session identifier is a randomly generated number which the session cookie temporarily stores. It is used to assign a session to an individual user. The session identifier has one major advantage: when multiple tabs belonging to the same website are opened, they’re assigned to a single session. In this way, multiple requests can be made without losing important personal information.
Session cookies, in other words, store information about the current session. If, for example, you’re adding multiple products to a basket online, they will remain in place until the session has been terminated. Other information, such as login data or already filled-out online forms, remains intact during the session. When a session is ended, all identifiers and data are deleted. When the website is launched again, it will thus treat the same user as a new user.
When are session cookies used?
Websites don’t have a memory, which is why they use session cookies to remember a user for a restricted period of time. These cookies are vital for an improved user experience in online shops and websites. After all, web shop functionalities depend on customer activities. As a shopper navigates from web page to web page, cookies save their information. Payment processing and order confirmations use cookies to work on eCommerce websites.
It’s worth bearing in mind that even before you log in to a web shop, a session cookie is generated. This means that an anonymous shopper can add products to a virtual basket without having to log in. Only when they check out do they need to register or enter their name, address, and payment methods. An anonymous session thus becomes a personalised one. If a user does not end such a session, it will usually expire after a certain amount of time.
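The session lifecycle described above (a random ID issued by the server, several tabs sharing one session, an anonymous basket that becomes personalised at login, and expiry after inactivity), shown as an added example that is not part of the original article. The cookie name sid, the 30-minute idle limit and the in-memory store are assumptions; issuing a fresh ID at login is a common hardening step against session fixation, not something the article states.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 1800  # assumed idle limit in seconds; the article gives no figure
SESSIONS = {}        # server-side store: session ID -> session data


def new_session(now):
    """Create a session under an unpredictable ID and return that ID."""
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {"user": None, "basket": [], "last_seen": now}
    return sid


def set_cookie_header(sid):
    """Build the Set-Cookie value; no Expires/Max-Age makes it a session cookie."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # not readable from page scripts
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()


def load_session(cookie_header, now):
    """Resolve a Cookie request header to (sid, session), or (None, None)."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    sid = cookie["sid"].value if "sid" in cookie else None
    session = SESSIONS.get(sid)
    if session is None:
        return None, None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]              # expired: forget the ID and its data
        return None, None
    session["last_seen"] = now
    return sid, session


def login(old_sid, user, now):
    """Turn the anonymous session into a personalised one under a fresh ID."""
    data = SESSIONS.pop(old_sid)       # the pre-login ID stops working
    new_sid = new_session(now)
    SESSIONS[new_sid].update(user=user, basket=data["basket"])
    return new_sid
```

Only the identifier travels in the cookie; the basket and login state stay on the server, which is why deleting the cookie or letting the session expire makes the site treat the visitor as new.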
Differences to other cookies
While session cookies are only used to facilitate the use of websites, persistent cookies have additional functions. These track the browsing behaviour of users and enable companies to understand their customers better. Persistent cookies capture which products a customer has viewed during their session. This allows retailers to identify buying interest and retarget their adverts as part of their online marketing strategies. With persistent cookies, user data can be saved even after a browser is closed and users won’t need to enter their details again during their next visit.
Most persistent cookies are first-party cookies. A special feature of these text files is that they can only be read by the website operators themselves. Information from these cookies is used for statistical purposes and to create a more pleasant shopping experience for the individual consumer. The storage of such cookies is unproblematic unless a person uses a public computer. For security reasons, individuals should never save their passwords or login data on public computers, and should clear their cookies after using them.
Besides first-party cookies, there are also third-party cookies. Data protection specialists consider third-party cookies to be relatively problematic. Advertisers often place these cookies on websites through advertising banners. Third-party cookies provide an overview of the search behaviours of individuals, which allows companies to create exact user profiles and target personalised online adverts. To avoid such personalised adverts, many users now deactivate cookies in their browsers.
It’s also possible to deactivate session cookies in browsers – at least for certain sessions. However, you will need to reactivate them if you require them again. Unlike other cookie types, the use of session cookies is not always optional. Without individual session data, web servers would not be able to separate individual users from one another. That means that certain web areas or functions may not be usable if session cookies are deactivated.
GDPR: session cookies are an exception
The European General Data Protection Regulation (GDPR), which took effect in May 2018, enforced new rules on cookie use. Website owners are now obligated to inform users about the storage of their data. Individuals need to explicitly consent to the use of tracking cookies. However, the same does not apply to session cookies because without them the function of web pages would be seriously impaired. Session cookies are likely also going to be an exception in the ePrivacy regulations to be implemented by the end of 2023.