Cisco Web Security Appliance

What are cookies? What are the differences between them (session vs. persistent)?

Document ID: 117925

Updated: Jul 15, 2014

Contributed by Stephan Fiebrandt, Cisco TAC Engineers.



This document describes what HTTP cookies are and what the difference is between session cookies and persistent cookies.

Background Information

Cookies are strings of data that a web server sends to the browser. When a browser requests an object from the same domain in the future, the browser will send the same string of date back to the origin server.

The data is sent from the web server in the form of an HTTP header called "Set-Cookie". The browser sends the cookie back to te server in an HTTP header called "Cookie".

The following is an example of what an HTTP cookie transaction may look like:

HTTP response from web server:

Set-Cookie: first.lastname

HTTP GET from the client:

Cookie: first.lastname

In the above sample transaction, the web server told the client to create the cookie "first.lastname". The next time the client requests an object from this domain it sends the cookie wihin the request. This illustrates how a web server may be able to recall certain information such as user logins.

There are 2 different types of cookies: Session cookies and persistent cookies

If a cookie does not contain an expiration date, it is considered a session cookie. Session cookies are stored in memory and never written to disk. When the browers closes the cookie is permanently lost from this point on.

If the cookie contains an expiration date, it is considered a persistent cookie. On the date specified in the expiration, the cookie will be removed from the disk. 

There are several different fields a cookie can contain, seperated by semicolons. Definitions are below:


expires="Wdy, DD-Mon-YYYY HH:MM:SS GMT"

Determines when the cookie is to be deleted.



Determines what path to return the cookie on. In this example, the cookie will be sent when going to the root path in a domain.


Specifies  what domain the cookie is used for. If this does not match the domain currently being browsed to, it is considered to be a "3rd Party cookie" and will be rejected by the browser. This prevents one domain setting a cookie for a different domain.

Updated: Jul 15, 2014
Document ID: 117925