Piwik PRO sets first-party cookies in the visitor’s browser (except the deprecated stg_global_opt_out third-party cookie). Cookies are used to collect and store data about a visitor, their sessions and interactions with your site. Each module in Piwik PRO uses different kinds of cookies. Here’s a list of all cookies used by Piwik PRO.
Analytics
_pk_ses.<appID>.<domainHash>
Module: Analytics
Expires after: 30 minutes (can be changed)
Extends: Automatically
Type: First-party cookie
About: Shows an active session of the visitor. If the cookie isn’t present, the session has finished over 30 minutes ago and it was counted in a pk_id cookie.
_pk_id.<appID>.<domainHash>
Module: Analytics
Expires after: 13 months (can be changed)
Extends: No
Type: First-party cookie
About: Used to recognize visitors and hold their various properties.
Value: <visitorID>.<cookieCreationTimestamp>.<visitsCount>.<currentVisitTimestamp>.<lastVisitTimestamp>.<lastEcommerceOrderTimestamp>
- visitorID: Value is generated via JavaScript when not provided otherwise.
- cookieCreationTimestamp: Cookie creation time.
- visitsCount: 0 means there are no previous visits.
- currentVisitTimestamp: Current time. Refreshed with every user action.
- lastVisitTimestamp: Time of the last visit. Empty if there are no previous visits. It is also used to increase the number of visits (together with the cookie pk_ses).
- lastEcommerceOrderTimestamp: Time of the last ecommerce order. Empty if there are no ecommerce orders.
_pk_cvar
Module: Analytics
Expires after: 30 minutes (can be changed)
Extends: No
Type: First-party cookie
About: Holds custom variables that were set during the previous page view. It’s not enabled by default. Requires calling the storeCustomVariablesInCookie() method on the Javascript tracker object.
Value: Custom variable keys and values.
app_id
Module: Analytics
Expires after: 365 days
Extends: Automatically
Type: First-party cookie
About: Used to pass a site or app ID between Piwik PRO’s modules: Analytics, Tag Manager, Audience Manager, Consent Manager, Administration.
Value: A site or app ID.
piwik_auth (deprecated)
Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: Automatically
Type: First-party cookie
About: Stores session information for Piwik PRO’s user interface (UI). As long as this cookie is valid and contains a login and a token_auth parameter, a visitor is considered as a logged-in visitor, and a PIWIK_SESSID cookie will be refreshed.
Value: login=<userLogin>:token_auth=<tokenHash>:_=<signature>
- userLogin: User’s login.
- tokenHash: md5 hash created from a login and a token_auth parameter.
- signature: Checksum
PIWIK_SESSID (deprecated)
Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: No
Type: First-party cookie
About: Stores a PHP session ID.
Value: A unique session identifier.
Consent Manager
ppms_privacy_<appID>
Module: Consent Manager
Expires after: 365 days (can be changed), 30 minutes (for anonymous tracking)
Extends: Automatically
Type: First-party cookie
About: Stores visitor’s consent to data collection and usage.
Value: A JSON encoded object that holds visitor’s consent to data collection and usage.
- -1: A visitor didn’t make any decision.
- 0: A visitor didn’t agree to the use of their data.
- 1: A visitor agreed to the use of their data.
Created if: You use Consent Manager and display the form on your site.
Decoded cookie:
{
"consents":{
"analytics":{
"status":-1,
"historyId":"8438dc88-b4ac-40a2-8f4d-4aa2b756f66b",
"updatedAt":"2020-01-30T12:15:47.283Z"
},
"ab_testing_and_personalization":{
"status":1,
"historyId":"5233e88f-6e5a-4cac-893f-d9ffa410cb73",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"custom_consent":{
"status":0,
"historyId":"be4f1bbb-4ba7-4954-8c64-dc0333ab589a",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"user_feedback":{
"status":0,
"historyId":"d2b5f73b-9cbe-4ed6-aee0-88644c62be6a",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"marketing_automation":{
"status":0,
"historyId":"ce1dc131-22e7-4f0a-aafd-83bc0b1cff73",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"remarketing":{
"status":1,
"historyId":"210ec16b-22ae-446a-9799-57069167c08e",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"conversion_tracking":{
"status":0,
"historyId":"c4e868e6-058f-44b6-84a7-7c0d08aa0124",
"updatedAt":"2020-01-31T10:56:35.447Z"
},
"intro":{
"historyId":"6c69aa2a-443f-41a1-ada2-75dd394fc782",
"updatedAt":"2020-01-31T10:56:35.447Z"
}
},
"visitorId":"564e3818-27e7-e38f-39dd-569067520af2",
"domain":{
"normalized":"client1.piwikpro.test",
"isWildcard":false,
"pattern":"client1.piwikpro.test"
},
"staleCheckpoint":"2020-01-31T10:56:27.699Z"
}
Tag Manager
_stg_debug / stg_debug
Module: Tag Manager
Expires after: 14 days
Extends: Automatically
Type: First-party cookie
About: Determines if the Tag Manager’s debugger should be displayed. A cookie is removed after you close the debugger.
Value: 1 when debug mode is turned on.
Created if: You use a stg_debug query parameter in the URL.
stg_traffic_source_priority
Module: Tag Manager
Expires after: 30 minutes
Extends: Automatically
Type: First-party cookie
About: Stores the type of traffic source that explains how the visitor reached your website.
Value:
- 1: Direct
- 2: Referral
- 3: Social media
- 4: Organic search
- 5: Campaign
Created if: You use the traffic source condition in a trigger.
stg_last_interaction
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie
About: Determines whether the last visitor’s session is still in progress or a new session has started.
Value: A timestamp of the last interaction a visitor had on your website.
Created if: You use a multiplicity condition in a trigger.
stg_returning_visitor
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie
About: Determines if the visitor has already been to your website — they are returning visitors.
Value: A timestamp of the last interaction a visitor had on your website.
Created if: You use a returning-visitor condition in a trigger.
stg_fired__<appID>
Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie
About: Determines if the combination of a tag and trigger was fired during the current visitor’s session.
Value: A timestamp of the moment when a tag is fired.
Created if: You use a multiplicity condition in a trigger, and a trigger is set to fire a tag once per session. A cookie is created after the tag is fired.
stg_utm_campaign
Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie
About: Stores a name of the campaign that directed the visitor to your website.
Value: An encoded value of an utm_campaign query parameter.
Created if: You use the campaign condition in a trigger, and a visitor enters your website from a campaign with an utm_campaign query parameter.
stg_pk_campaign
Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie
About: Stores a name of the campaign that directed the visitor to your website.
Value: An encoded value of a pk_campaign query parameter.
Created if: You use the campaign condition in a trigger, and a visitor enters your website from a campaign with a pk_campaign query parameter.
stg_externalReferrer
Module: Tag Manager
Expires after: The session ends. (Fixed idle time or after a browser is closed.)
Extends: No
Type: First-party cookie
About: Stores an URL of a website that referred a visitor to your website.
Value: The window.location.origin value for a referral website.
Created if: You use the external referrer condition in a trigger, and a visitor enters your website from a referral website.
_stg_opt_out_simulate
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie
About: Used to simulate the behavior of the opt-out snippet in the debugger. It turns off all tracking tags in the tested domain.
Value:
- true: Opt-out simulation is turned on.
- false: Opt-out simulation is turned off.
Created if: You turn on opt-out simulation in debug mode.
_stg_optout
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie
About: Used to turn off all tracking tags in the tested domain.
Value:
- true: A visitor opts out of tracking.
- false: A visitor agrees to tracking.
Created if: A visitor opts out of tracking. (You use an opt-out snippet.)
stg_global_opt_out (deprecated)
Module: Tag Manager
Expires after: 365 days
Extends: Automatically
Type: Third-party cookie
About: Used to turn off all tracking tags on websites that belong to one Piwik PRO account.
Value:
- 1: A visitor opts out of tracking.
- 0: A visitor agrees to tracking.
Created if: A third-party cookie is set when a visitor opts out of tracking. (You use a global opt-out snippet.)
Administration
csrftoken
Module: Administration
Expires after: 8 hours
Extends: Automatically
Type: First-party cookie
About: This cookie is set only for Piwik PRO’s users. It stores a CSRF token for securing Piwik PRO’s forms.
Value: A randomly generated string.
sessionid
Module: Administration
Expires after: 8 hours
Extends: Automatically
Type: First-party cookie
About: This cookie is set only for Piwik PRO’s users. It stores the session ID of the currently logged-in user.
Value: A randomly generated string.
Local storage
In addition to cookies, Piwik PRO uses local storage in the visitor’s browser to stack some information. Here’s what is kept in that storage.
ppms_webstorage
Module: Tag Manager, Consent Manager and Analytics
About: Prevents visitor’s data loss that may happen because of some mechanisms used by browsers, for example, Safari’s ITP.
Value: A stringified object that contains information about created cookies for each module. It stores data about each created cookie, such as a key, value, expiry date, path, domain, and more. This is the same data that was used to create a cookie.
Created if: Each time a cookie is set in the visitor’s browser.
Removed if: A ppms_webstorage item isn’t removed automatically. But a visitor can delete it manually. Single entries in the object are removed after a corresponding cookie expires.
ppms_data_store
Module: Audience Manager
About: Stores information from forms on your website. After a visitor submits a form, the data is passed to Audience Manager. But if a form redirects a visitor to another page, data may be lost. Therefore form data is kept in the local storage as a backup. (A page where a visitor is redirected needs to have a form tracker, otherwise Piwik PRO can’t collect form data.)
Value: A JSON encoded object that contains:
- payload: AES encrypted form data.
- aes: RSA encrypted AES key (for payload)
- Iv: initialization vector (for payload)
Removed if: After the form tracker sends data to the server. It can happen right after a visitor submits a form or after a new page loads in their browser.