What is a cookie?
A cookie is a small key–value store the browser keeps for a domain. Servers set it via the `Set-Cookie` header; the browser sends it back on matching requests. In analytics, cookies help distinguish users and stitch hits into a Session, attribute traffic (e.g., Referrer and UTM), and persist identifiers such as a Client ID.
How do cookies work?
On response, the site sets one or more cookies with attributes (name, value, expiry, `Secure`, `HttpOnly`, `SameSite`). On subsequent requests to the same domain (and path/scheme per attributes), the browser automatically includes those cookies. Analytics tools—Google Analytics, Matomo, Plausible, Simple Analytics, etc.—typically use first-party cookies to mark returning browsers and bind events like Pageview and Event.
Types commonly used in analytics
Type | Lifetime | Typical use |
---|---|---|
Session | Until browser/tab closes | Tie hits within a single Session |
Persistent | Hours–months (per expiry) | Recognize returning browsers; cap banners/tests |
First-party | Set on current site’s domain | IDs for attribution, Cross-Domain Tracking bridging |
Secure/HttpOnly/SameSite | Attribute flags | Mitigate theft/CSRF; control cross-site behavior |
Note: Third-party cookies (set by a different domain) are widely blocked/deprecated and should not be relied upon for measurement.
Why it matters
- Attribution & Cohorts: Stable client IDs improve channel accuracy and cohorting. See Attribution.
- Experimentation & UX: Store assignments for A/B tests and hide repetitive Cookie Banner prompts.
- Compliance: Consent rules like GDPR require purpose-limited storage and opt-in/opt-out handling.
Implementation notes & best practices
- Prefer first-party cookies with reasonable expiries; rotate identifiers when policy or consent changes. See First-Party Cookie.
- Set `Secure`, `HttpOnly`, and appropriate `SameSite` (`Lax` by default; `None` + `Secure` only when truly needed, e.g., cross-site auth).
- Keep payloads tiny (IDs, not PII). Avoid personally identifiable data entirely.
- For consented analytics, gate cookie writes behind your CMP; for “cookieless” modes, consider server-side or aggregate techniques while preserving metrics quality.
- Document each cookie: name, purpose, expiry, scope, and data controller—then expose it via your Cookie Banner.
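
The attribute and payload rules in the list above can be checked mechanically before a cookie ships. The following is an added example, not code from this page or from any analytics tool: it audits `Set-Cookie` header values, and the 395-day ceiling, the email-like pattern and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values against the checklist above.
// MAX_AGE_DAYS and the PII pattern are assumptions, not values from this page.
const MAX_AGE_DAYS = 395; // assumed policy ceiling (~13 months)
const EMAIL_LIKE = /[^\s@=;]+(@|%40)[^\s@=;]+\.[a-z]{2,}/i;

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function auditSetCookie(header, now = Date.now()) {
  const { name, value, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!sameSite) findings.push('missing SameSite');
  else if (!['strict', 'lax', 'none'].includes(sameSite)) findings.push('invalid SameSite');
  if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None without Secure');
  // Max-Age takes precedence over Expires when both are present.
  let lifetimeMs = null;
  if (attrs['max-age'] !== undefined) lifetimeMs = Number(attrs['max-age']) * 1000;
  else if (attrs.expires) lifetimeMs = Date.parse(attrs.expires) - now;
  if (lifetimeMs !== null && lifetimeMs > MAX_AGE_DAYS * 86400e3) findings.push('expiry too long');
  if (EMAIL_LIKE.test(value)) findings.push('value looks like PII');
  return { name, session: lifetimeMs === null, findings };
}

// Constructed sample headers (not captured from any real site).
const samples = [
  '_cid=7f3a9c2e.1718000000; Max-Age=15552000; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_uid=jane%40example.com; Max-Age=63072000; Path=/',
  '_xs=abc123; Path=/; SameSite=None',
];
for (const h of samples) console.log(auditSetCookie(h));
```

A cookie with neither `Max-Age` nor `Expires` is reported as `session: true`, matching the Session row in the table above.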