Cookies created by Piwik PRO

Note: If you want to follow strict data privacy laws, with Piwik PRO you can track your visitor’s behavior without creating cookies. Read more about collecting data without using cookies.

Piwik PRO sets first-party cookies in the visitor’s browser (except the deprecated stg_global_opt_out third-party cookie). Cookies are used to collect and store data about a visitor, their sessions and interactions with your site. Each module in Piwik PRO uses different kinds of cookies. Here’s a list of all cookies used by Piwik PRO.

Analytics

_pk_ses.<appID>.<domainHash>

Module: Analytics
Expires after: 30 minutes (can be changed)
Extends: Automatically
Type: First-party cookie

About: Shows an active session of the visitor. If the cookie isn’t present, the session has finished over 30 minutes ago and it was counted in a pk_id cookie.

_pk_id.<appID>.<domainHash>

Module: Analytics
Expires after: 13 months (can be changed)
Extends: No
Type: First-party cookie

About: Used to recognize visitors and hold their various properties.

Value: <visitorID>.<cookieCreationTimestamp>.<visitsCount>.<currentVisitTimestamp>.<lastVisitTimestamp>.<lastEcommerceOrderTimestamp>

  • visitorID: Value is generated via JavaScript when not provided otherwise.
  • cookieCreationTimestamp: Cookie creation time.
  • visitsCount: 0 means there are no previous visits.
  • currentVisitTimestamp: Current time. Refreshed with every user action.
  • lastVisitTimestamp: Time of the last visit. Empty if there are no previous visits. It is also used to increase the number of visits (together with the cookie pk_ses).
  • lastEcommerceOrderTimestamp: Time of the last ecommerce order. Empty if there are no ecommerce orders.

_pk_cvar

Module: Analytics
Expires after: 30 minutes (can be changed)
Extends: No
Type: First-party cookie

About: Holds custom variables that were set during the previous page view. It’s not enabled by default. Requires calling the storeCustomVariablesInCookie() method on the Javascript tracker object.

Value: Custom variable keys and values.

app_id

Module: Analytics
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Used to pass a site or app ID between Piwik PRO’s modules: Analytics, Tag Manager, Audience Manager, Consent Manager, Administration.

Value: A site or app ID.

piwik_auth (deprecated)

Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: Automatically
Type: First-party cookie

About: Stores session information for Piwik PRO’s user interface (UI). As long as this cookie is valid and contains a login and a token_auth parameter, a visitor is considered as a logged-in visitor, and a PIWIK_SESSID cookie will be refreshed.

Value: login=<userLogin>:token_auth=<tokenHash>:_=<signature>

  • userLogin: User’s login.
  • tokenHash: md5 hash created from a login and a token_auth parameter.
  • signature: Checksum

PIWIK_SESSID (deprecated)

Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: No
Type: First-party cookie

About: Stores a PHP session ID.

Value: A unique session identifier.

ppms_privacy_<appID>

Module: Consent Manager
Expires after: 365 days (can be changed), 30 minutes (for anonymous tracking)
Extends: Automatically
Type: First-party cookie

About: Stores visitor’s consent to data collection and usage.

Value: A JSON encoded object that holds visitor’s consent to data collection and usage.

  • -1: A visitor didn’t make any decision.
  • 0: A visitor didn’t agree to the use of their data.
  • 1: A visitor agreed to the use of their data.

Created if: You use Consent Manager and display the form on your site.

Decoded cookie:

{
   "consents":{
      "analytics":{
         "status":-1,
         "historyId":"8438dc88-b4ac-40a2-8f4d-4aa2b756f66b",
         "updatedAt":"2020-01-30T12:15:47.283Z"
      },
      "ab_testing_and_personalization":{
         "status":1,
         "historyId":"5233e88f-6e5a-4cac-893f-d9ffa410cb73",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "custom_consent":{
         "status":0,
         "historyId":"be4f1bbb-4ba7-4954-8c64-dc0333ab589a",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "user_feedback":{
         "status":0,
         "historyId":"d2b5f73b-9cbe-4ed6-aee0-88644c62be6a",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "marketing_automation":{
         "status":0,
         "historyId":"ce1dc131-22e7-4f0a-aafd-83bc0b1cff73",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "remarketing":{
         "status":1,
         "historyId":"210ec16b-22ae-446a-9799-57069167c08e",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "conversion_tracking":{
         "status":0,
         "historyId":"c4e868e6-058f-44b6-84a7-7c0d08aa0124",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      },
      "intro":{
         "historyId":"6c69aa2a-443f-41a1-ada2-75dd394fc782",
         "updatedAt":"2020-01-31T10:56:35.447Z"
      }
   },
   "visitorId":"564e3818-27e7-e38f-39dd-569067520af2",
   "domain":{
      "normalized":"client1.piwikpro.test",
      "isWildcard":false,
      "pattern":"client1.piwikpro.test"
   },
   "staleCheckpoint":"2020-01-31T10:56:27.699Z"
}

Tag Manager

_stg_debug / stg_debug

Module: Tag Manager
Expires after: 14 days
Extends: Automatically
Type: First-party cookie

About: Determines if the Tag Manager’s debugger should be displayed. A cookie is removed after you close the debugger.

Value: 1 when debug mode is turned on.

Created if: You use a stg_debug query parameter in the URL.

stg_traffic_source_priority

Module: Tag Manager
Expires after: 30 minutes
Extends: Automatically
Type: First-party cookie

About: Stores the type of traffic source that explains how the visitor reached your website.

Value:

  • 1: Direct
  • 2: Referral
  • 3: Social media
  • 4: Organic search
  • 5: Campaign

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use the traffic source condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use the traffic source condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A vistior enters your website.

stg_last_interaction

Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Determines whether the last visitor’s session is still in progress or a new session has started.

Value: A timestamp of the last interaction a visitor had on your website.

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use a multiplicity condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use a multiplicity condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A vistior navigates through your website.

stg_returning_visitor

Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Determines if the visitor has already been to your website — they are returning visitors.

Value: A timestamp of the last interaction a visitor had on your website.

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use a returning-visitor condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use a returning-visitor condition in a trigger.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A visitor returns to your website.

stg_fired__<appID>

Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie

About: Determines if the combination of a tag and trigger was fired during the current visitor’s session.

Value: A timestamp of the moment when a tag is fired.

Created if: You use a multiplicity condition in a trigger, and a trigger is set to fire a tag once per session. A cookie is created after the tag is fired.

stg_utm_campaign

Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie

About: Stores a name of the campaign that directed the visitor to your website.

Value: An encoded value of an utm_campaign query parameter.

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use the campaign condition in a trigger, and a visitor enters your website from a campaign with an utm_campaign query parameter.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use the campaign condition in a trigger, and a visitor enters your website from a campaign with an utm_campaign query parameter.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A visitor enters your website from a campaign with an utm_campaign query parameter.

stg_pk_campaign

Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie

About: Stores a name of the campaign that directed the visitor to your website.

Value: An encoded value of a pk_campaign query parameter.

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use the campaign condition in a trigger, and a visitor enters your website from a campaign with a pk_campaign query parameter.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use the campaign condition in a trigger, and a visitor enters your website from a campaign with a pk_campaign query parameter.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A visitor enters your website from a campaign with a pk_campaign query parameter.

stg_externalReferrer

Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie

About: Stores an URL of a website that referred a visitor to your website.

Value: The window.location.origin value for a referral website.

Created if:

  • Administration > Sites & apps > Privacy > Ask visitors for consent (on): You use the external referrer condition in a trigger, and a visitor enters your website from a referral website.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (off): You use the external referrer condition in a trigger, and a visitor enters your website from a referral website.
  • Administration > Sites & apps > Privacy > Ask visitors for consent (off) and Administration > Sites & apps > Privacy > Use visitor cookies (on): A visitor enters your website from a referral website.

_stg_opt_out_simulate

Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Used to simulate the behavior of the opt-out snippet in the debugger. It turns off all tracking tags in the tested domain.

Value:

  • true: Opt-out simulation is turned on.
  • false: Opt-out simulation is turned off.

Created if: You turn on opt-out simulation in debug mode.

_stg_optout

Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Used to turn off all tracking tags in the tested domain.

Value:

  • true: A visitor opts out of tracking.
  • false: A visitor agrees to tracking.

Created if: A visitor opts out of tracking. (You use an opt-out snippet.)

stg_global_opt_out (deprecated)

Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: Third-party cookie

About: Used to turn off all tracking tags on websites that belong to one Piwik PRO account.

Value:

  • 1: A visitor opts out of tracking.
  • 0: A visitor agrees to tracking.

Created if: A third-party cookie is set when a visitor opts out of tracking. (You use a global opt-out snippet.)

Administration

csrftoken

Module: Administration
Expires after: 0 minutes
Extends: Automatically
Type: First-party cookie

About: This cookie is set only for Piwik PRO’s users. It stores a CSRF token for securing Piwik PRO’s forms.

Value: A randomly generated string.

sessionid

Module: Administration
Expires after: 30 minutes
Extends: Automatically
Type: First-party cookie

About: This cookie is set only for Piwik PRO’s users. It stores the session ID of the currently logged-in user.

Value: A randomly generated string.

Local storage

In addition to cookies, Piwik PRO uses local storage in the visitor’s browser to stack some information. Here’s what is kept in that storage.

ppms_webstorage

Module: Tag Manager, Consent Manager and Analytics

About: Prevents visitor’s data loss that may happen because of some mechanisms used by browsers, for example, Safari’s ITP.

Value: A stringified object that contains information about created cookies for each module. It stores data about each created cookie, such as a key, value, expiry date, path, domain, and more. This is the same data that was used to create a cookie.

Created if: Each time a cookie is set in the visitor’s browser.

Removed if: A ppms_webstorage item isn’t removed automatically. But a visitor can delete it manually. Single entries in the object are removed after a corresponding cookie expires.

ppms_data_store

Module: Audience Manager

About: Stores information from forms on your website. After a visitor submits a form, the data is passed to Audience Manager. But if a form redirects a visitor to another page, data may be lost. Therefore form data is kept in the local storage as a backup. (A page where a visitor is redirected needs to have a form tracker, otherwise Piwik PRO can’t collect form data.)

Value: A JSON encoded object that contains:

  • payload: AES encrypted form data.
  • aes: RSA encrypted AES key (for payload)
  • Iv: initialization vector (for payload)

Removed if: After the form tracker sends data to the server. It can happen right after a visitor submits a form or after a new page loads in their browser.

Was this article helpful?

Technical support

If you still have some questions, visit our community.
There’s always someone ready to help!

Back to help center