Cookies created for Piwik PRO users

When you use Piwik PRO as an analytics platform, it’ll set some cookies in your browser and use your local storage in order to run smoothly. Piwik PRO will also set tracking cookies to monitor your behavior and help us spot and resolve UX issues.

In this article, we’ll describe all the cookies that Piwik PRO may set in your browser.

Cookies created in a Piwik PRO user’s browser

Here’s a list of all cookies that let Piwik PRO work correctly.

Cookie | Piwik PRO user | Default cookie lifetime | Module | Cookie type
csrftoken | Always | 365 days | Administration | First-party
ppasid | Always | 30 minutes | Administration | First-party
ppas_session_saml_test | Always | 30 minutes | Administration | First-party
stg_debug | Optional | 14 days | Tag Manager | First-party
_stg_opt_out_simulate | Optional | Until the session ends | Tag Manager | First-party

Deprecated cookies used in versions below 18.3.0

app_id (deprecated) | Always | 365 days | Analytics, Tag Manager, Consent Manager | First-party
piwik_auth (deprecated) | Always | 24 minutes | Analytics | First-party
PIWIK_SESSID (deprecated) | Always | 24 minutes | Administration | First-party
SimpleSAMLAuthToken (deprecated) | Always | Until the session ends | Administration | First-party
SimpleSAMLSessionID (deprecated) | Always | Until the session ends | Administration | First-party

Note: Piwik PRO will also set the tracking cookies in your browser because we use our own analytics platform to collect user data.

Here’s a detailed description of each cookie.

csrftoken

Cookie: csrftoken
Module: Administration
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Stores a CSRF token to secure Piwik PRO forms.

Cookie value: A randomly generated string.

ppasid

Cookie: ppasid
Module: Administration
Expires after: 30 minutes
Extends: Automatically
Type: First-party cookie

About: Stores the session ID of the currently logged-in user.

Cookie value: A randomly generated string.

ppas_session_saml_test

Cookie: ppas_session_saml_test
Module: Administration
Expires after: 30 minutes
Extends: No
Type: First-party cookie

About: Allows us to detect whether the user is in an SSO test process or not. It is automatically set to expired when the user is redirected back to the ACS endpoint from their identity provider.

Cookie value: A randomly generated string.

stg_debug

Cookie: stg_debug
Module: Tag Manager
Expires after: 14 days after using debug mode
Extends: Automatically
Type: First-party cookie

About: Helps to display your site in debug mode when you use Tag Manager. The cookie is removed after you quit debug mode.

Cookie value:

  • 1: Debug mode is turned on

Created if: You use debug mode by clicking the debug button in Tag Manager or by adding the stg_debug query parameter to your site’s URL.

_stg_opt_out_simulate

Cookie: _stg_opt_out_simulate
Module: Tag Manager
Expires after: The session ends
Extends: Automatically
Type: First-party cookie

About: Helps to simulate opt-out in debug mode in Tag Manager by turning off all tracking tags on the debugged site.

Cookie value:

  • true: Opt-out simulation is turned on.
  • false: Opt-out simulation is turned off.

Created if: You turn on opt-out simulation in debug mode.

app_id (deprecated)

Cookie: app_id (deprecated)
Module: Analytics, Tag Manager, Consent Manager
Expires after: 365 days
Extends: Automatically
Type: First-party cookie

About: Used to pass a site or app ID between Piwik PRO modules: Analytics, Tag Manager, Consent Manager.

Cookie value: A site or app ID.

Note: This cookie was removed in version 18.3.0, but for users who already have it set in their browsers, it’ll expire after a year.

piwik_auth (deprecated)

Cookie: piwik_auth (deprecated)
Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: Automatically
Type: First-party cookie

About: Stores user session data such as the user’s login and the token_auth parameter. If the cookie is valid, the user is considered logged-in and the PIWIK_SESSID cookie is updated.

Cookie value: login=<userLogin>:token_auth=<tokenHash>:_=<signature>

  • userLogin: User’s login.
  • tokenHash: The MD5 hash created from the user’s login and the token_auth parameter.
  • signature: Checksum.

PIWIK_SESSID (deprecated)

Cookie: PIWIK_SESSID (deprecated)
Module: Analytics (versions below 16.0.0)
Expires after: 24 minutes (can be changed)
Extends: No
Type: First-party cookie

About: Stores a PHP session ID.

Cookie value: A unique session identifier.

SimpleSAMLAuthToken (deprecated)

Cookie: SimpleSAMLAuthToken (deprecated)
Module: Administration
Expires after: The session ends
Extends: No
Type: First-party cookie

About: Helps to authenticate the user with the identity provider (IdP). This cookie is used by the SimpleSAMLphp library.

Cookie value: A randomly generated string.

Note: This cookie was removed in version 18.3.0.

SimpleSAMLSessionID (deprecated)

Cookie: SimpleSAMLSessionID (deprecated)
Module: Administration
Expires after: The session ends
Extends: No
Type: First-party cookie

About: Helps to authenticate the user with the identity provider (IdP). This cookie is used by the SimpleSAMLphp library.

Cookie value: A randomly generated string.

Note: This cookie was removed in version 18.3.0.

Local storage details

Piwik PRO stores some essential functional data in your local storage. This includes things like your chosen site or app, report date range and selected filters or lists.
