Anti-Bot

What Is a Session Cookie?

By the Scrappey Research Team

What Is a Session Cookie? — conceptual illustration
On this page

A session cookie is an HTTP cookie with no Max-Age or Expires attribute, so the browser keeps it only in memory and throws it away when the browsing session ends. A cookie is just a small piece of data a server hands to the browser to remember it between requests; a session cookie is the most basic kind, defined in RFC 6265. The server sets it with a Set-Cookie header, and the browser sends it back on every later request in the same session. It is also called an in-memory cookie, transient cookie, or non-persistent cookie. Login state, shopping carts, and most anti-bot trust tokens (_abck, cf_clearance, datadome, reese84) are session cookies.

Quick facts

Defining attributeAbsence of Max-Age and Expires in Set-Cookie
StorageBrowser RAM — not written to disk in most browsers
LifetimeUntil the browsing session ends (browser-defined)
StandardRFC 6265 (HTTP State Management Mechanism, 2011)
Also known asIn-memory cookie, transient cookie, non-persistent cookie

How session cookies work

A server creates a session cookie by sending a Set-Cookie response header that has no Max-Age and no Expires attribute — those are the two things that would give it a lifespan:

HTTP/1.1 200 OK
Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Lax

The browser holds this cookie in memory (not on disk) and automatically attaches it to the Cookie header of every later request to the same origin during the same session:

GET /account HTTP/1.1
Cookie: sessionId=abc123

Close the browser and the cookie disappears. On the next visit the server sees no sessionId, so it treats you as a brand-new visitor — there is nothing left to recognise you by.

By default, per RFC 6265, the cookie goes back only to the exact origin server that set it (not its subdomains) unless the Domain attribute widens that scope. The Path attribute can do the opposite and limit which URLs receive the cookie.

The five attributes that change behaviour

Even with no Expires/Max-Age, a Set-Cookie header can carry several other attributes that meaningfully change how the session cookie behaves:

  • HttpOnly — JavaScript cannot read the cookie through document.cookie. This matters because it blocks XSS attacks (malicious scripts injected into a page) from stealing session IDs. A session cookie missing this flag is a security bug.
  • Secure — the cookie is sent only over HTTPS (encrypted) connections, never plain HTTP. Every modern session cookie should have it.
  • SameSite=Lax | Strict | None — controls whether the cookie rides along on requests coming from other sites. Lax (today's default) sends it when you click through to the site but not on cross-site sub-requests like <img> tags or XHR (background JavaScript fetches). Strict blocks every cross-site request. None allows full cross-site sending but requires Secure — used by embedded widgets and federated login. Most CSRF protection (defence against forged cross-site requests) comes from SameSite=Lax.
  • Domain — widens the cookie from origin-only to a whole parent domain (e.g. Domain=example.com makes it visible to api.example.com, www.example.com, and so on). Without it, RFC 6265 keeps the cookie tied to the exact origin that set it.
  • Path — restricts the cookie to certain URL paths (e.g. Path=/account sends it on /account/* but not /blog/*). Used less often.

A modern, well-configured session cookie looks like:

Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Lax

Session cookies in anti-bot systems

Nearly every major anti-bot vendor stores its session-level trust in a session cookie. The cookie is the visible sign that a client has passed — or is currently being scored against — the vendor's detection model. Examples:

  • _abckAkamai Bot Manager. Its value starts at ~-1~ (untrusted) and flips to ~0~ only after sensor.js POSTs valid signals. Trust builds up over the session.
  • cf_clearanceCloudflare. Shows the client solved a JavaScript challenge or a Turnstile interaction.
  • datadomeDataDome. Scored per request, but the cookie tags sessions already seen and lightly trusted.
  • reese84F5 Shape Security. A validated session token from its custom JS VM; expires in minutes.
  • _px3 / _pxdePerimeterX / HUMAN Security. Carries the 5-vector fingerprint score.
  • x-kpsdk-ctKasada. A single-use proof-of-work token, not reusable across requests.

By RFC 6265's definition these are all session cookies — no Expires or Max-Age, lifetime tied to the browser session. That has a real consequence for scrapers: swapping proxies in the middle of a session throws away the trust those cookies built up, which is why ISP static residential IPs are preferred over rotating residential for Akamai targets.

The takeaway: when an anti-bot vendor talks about "session-level scoring", they almost always mean a session cookie they control. Knowing which cookie they set, what state values to expect, and when the state flips is half the work of handling the vendor's verification flow.

Security and privacy considerations

  • Session fixation. If an attacker can plant a session cookie value (via a subdomain takeover, a network MITM — man-in-the-middle interception — or a too-permissive Domain attribute), they can hijack the victim's session after the victim logs in. Defence: regenerate the session ID at every privilege boundary (login, role change) and always set HttpOnly + Secure + SameSite=Lax.
  • Session hijacking via XSS. Without HttpOnly, injected JavaScript can read document.cookie and ship the session ID off to an attacker-controlled URL. The HttpOnly flag is the single most important protection for session cookies; it should be on by default for every one of them.
  • GDPR and consent. Strictly necessary session cookies (login, shopping cart, CSRF tokens) need no consent under GDPR. Analytics and tracking cookies do — even when they are technically session cookies in the RFC sense. The legal line is drawn by purpose, not by lifetime.
  • Third-party session cookies. Chrome's 2024 phase-out of third-party cookies killed the cross-site session cookie use case (federated login, ad attribution). First-party session cookies are untouched and remain core to web authentication.
  • Session cookie length. Common in 2026: 128–256 bits of entropy (entropy here meaning how hard the value is to guess), base64 or URL-safe encoded. Shorter is brute-forceable; longer is wasteful. Always generated server-side from a CSPRNG (a cryptographically secure random generator), never from time or user data.

Code example

python
# How session cookies behave in scraping — preserve them across requests
from curl_cffi import requests

# 1. Use a Session — cookies persist across .get() / .post() calls
s = requests.Session(impersonate="chrome131")

# 2. Warm-up request: server sets the session cookie
r1 = s.get(
    "https://target.example.com/",
    proxies={"https": "http://user:pass@isp-residential:port"},
)
# Inspect what was set — anti-bot vendors usually mark their cookie here
for name in s.cookies.keys():
    if name in ("_abck", "cf_clearance", "datadome", "reese84", "_px3"):
        print(f"Anti-bot session cookie set: {name}")

# 3. Subsequent request — Session re-sends the cookie automatically
r2 = s.get(
    "https://target.example.com/api/protected",
    proxies={"https": "http://user:pass@isp-residential:port"},
)
# Same Session, same IP, same cookies — trust accumulates on multi-request
# scored vendors like Akamai.

# 4. To clear and start a new session: instantiate a new Session().
# Closing the Python process is the HTTP equivalent of closing the browser.

Related terms

What Is Akamai Bot Manager?
Akamai Bot Manager is an enterprise tool that websites use to tell real visitors apart from bots, and it guards roughly 30% of the Fortune 5…
What Is DataDome?
DataDome is a bot-protection vendor used on hundreds of enterprise sites, scoring more than 5 trillion signals per day. Its job is to tell r…
What Is PerimeterX (HUMAN)?
PerimeterX, now operating as part of HUMAN Security, is a bot-protection vendor whose biggest asset is its network. Bot protection means sof…
What Is an ISP Proxy?
An ISP proxy (also called a \"static residential\" proxy) is a fixed IP address that physically sits in a datacenter but is registered to a …
What Is Stateful Web Scraping?
Stateful web scraping means keeping the same identity across many requests - the same cookies, session tokens, browser fingerprint, and prox…
What Is Favicon Fingerprinting (Supercookies)?
Favicon fingerprinting (the "Supercookie" technique) abuses the browser's separate, long-lived favicon cache to store a persistent identifie…
What Is Imperva Incapsula?
Imperva Incapsula is the enterprise WAF and bot-protection product from Imperva (acquired by Thales in 2023). A WAF (web application firewal…

Concept map

How Session Cookie connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Tools & solutions for this topic

Frequently asked questions

How long does a session cookie last?

Until the browsing session ends, and the browser decides what that means. In practice it usually lasts until you close the browser — but browsers with "session restoration" turned on can keep session cookies across restarts. RFC 6265 intentionally leaves the meaning of "session ends" to the browser, so the answer depends on the browser, its configuration, and whether the user actually closed it or just shut the laptop lid.

What is the difference between a session cookie and a persistent cookie?

A session cookie has no Max-Age or Expires attribute, so the browser keeps it only in memory and deletes it when the session ends. A persistent cookie has one of those attributes, so the browser writes it to disk and holds it until the set expiration date. Lifetime is the only difference — on the network the format, transmission, and behaviour are identical.

Are session cookies safe?

A session cookie with the HttpOnly, Secure, and SameSite=Lax attributes is the safe modern default. HttpOnly blocks JavaScript from reading it (stopping XSS theft). Secure keeps it on HTTPS only. SameSite=Lax blocks most CSRF (forged cross-site request) attacks. Missing any of the three, a session cookie can be stolen via XSS, leaked over plain HTTP, or abused in cross-site requests.

Do I need cookie consent for session cookies under GDPR?

Only if they are not strictly necessary. Login cookies, shopping cart cookies, and CSRF tokens count as strictly necessary and are exempt from consent under GDPR Article 5(3) of the ePrivacy Directive. Session cookies used for analytics, tracking, or advertising still need consent — the legal line is the purpose, not the technical lifetime.

Why do anti-bot vendors use session cookies?

Because the trust score they give a client grows over many requests. Keeping that score in a session cookie lets it travel with the client around the site without re-running the full fingerprint check on every request. _abck, cf_clearance, datadome, reese84, and _px3 are all session cookies precisely so they can carry session-bounded trust without sticking around beyond it.

Can I read a session cookie from JavaScript?

Only if it lacks the HttpOnly flag. Cookies with HttpOnly are invisible to document.cookie and any client-side script — they live only at the HTTP protocol layer. That is by design, to protect session IDs from being stolen by XSS. If you control the server and need a session ID, set HttpOnly and read it server-side; never trust client-side JavaScript with authentication tokens.

What happens to my session cookie if I clear browser cookies?

It is deleted right away, like any other cookie. Your next request to that site arrives with no session cookie, so the server treats you as a fresh visitor — you are logged out, your cart is empty, and any session-scoped state is gone. It is the user-side equivalent of restarting the server-side session, with the same result.

Last updated: 2026-05-31