Look it up fast
Found a cookie like _fbp or _shopify_s? Search the table below to see what it does and who set it.
A searchable directory of the cookies you'll actually find in the wild: 104 cookie entries from 30 providers, with purpose, expiry, source, and compliance context.
Analytics, advertising, and social cookies usually require prior consent. Functional cookies need a case-by-case necessity assessment.
Use these entries to reconcile your CMP, privacy notice, and scan results before regulators, clients, or procurement teams ask questions.
| Cookie | Purpose | Expiry |
|---|---|---|
| | Distinguishes unique users by assigning a randomly generated client ID. Used by both Universal Analytics and GA4 properties. | 2 years |
| | GA4 session state cookie. Stores the current session ID and engagement state for the property; one is set per GA4 measurement ID. | 2 years |
| | Used by Universal Analytics to distinguish users over a 24-hour window. Largely deprecated since GA4 but still found on legacy sites. | 24 hours |
| | Throttles the request rate to Google Analytics on high-traffic sites. Often appears as _gat_gtag_<id>. | 1 minute |
| | Used by Google Tag Manager to throttle the request rate to Google Analytics. Set when GTM loads GA on the page. | 1 minute |
| | Google Ads conversion-linker cookie. Stores ad-click information so conversions can be attributed outside Google's domain. | 3 months |
| | Google Ads click-through cookie set when a visitor lands on the site from a Google search ad. Used for attribution. | 3 months |
| | Google Ads / DoubleClick click-through cookie set when a visitor arrives from a Display Network ad. | 3 months |
| | Set by Google's Consent Mode v2 to store the timestamp of a Google Ads click when ad-storage consent has been granted. Used together with _gcl_gf to reconstruct attribution once the visitor consents. | 90 days |
| | Google Consent Mode v2 cookie that captures the gclid (Google Click Identifier) at click time when ad-storage consent has been granted. Pairs with _gcl_gs for delayed attribution. | 90 days |
| | Contains campaign-related information for the user. Linked to GA properties that have Google Ads auto-tagging enabled. | 3 months |
| | Used by Google DoubleClick to register and report on user actions after viewing or clicking an ad — for measuring effectiveness and serving targeted ads. | 13 months |
| | Set by doubleclick.net to determine if the user's browser supports cookies before serving ads. | 15 minutes |
| | Used by Google DoubleClick to identify a signed-in user across non-Google sites and remember whether they consented to ad personalisation. | 2 weeks |
| | Contains a unique ID Google uses to remember preferences (preferred language, ad personalisation) and to show targeted ads on Google services and across the web. | 6 months |
| | Records the visitor's consent decisions on Google properties. Set on google.com and propagated to embedded YouTube, reCAPTCHA, and Maps. | 2 years |
| | Used by Google to gather website statistics and track conversion rates. Set when Google domains are embedded (YouTube, reCAPTCHA, Maps). | 1 month |
| | Stores the user's consent state for Google services (e.g. cookie-banner choices on YouTube, Search). Read by Google embeds on third-party sites. | 13 months |
| | Google account session cookie. On third-party sites (via YouTube, Maps, or reCAPTCHA embeds) it enables Google to identify a signed-in visitor across the web — a tracking-capable identifier that requires consent in EU/UK contexts. | 2 years |
| | Companion to SID, signed to prevent forgery. On third-party sites surfaced through Google embeds, it contributes to cross-site visitor identification and ad personalisation. | 2 years |
| | Secure first-party variant of the Google account session cookie. When surfaced on a third-party site through a Google embed, it enables Google to identify the visitor across the web for ad and product personalisation. | 2 years |
| | Third-party variant of the Google account session cookie. Enables Google to deliver personalised ads across non-Google sites. | 2 years |
| | Set by Meta Pixel (used by both Facebook and Instagram Ads) to identify browsers for ad delivery, conversion tracking, and remarketing. | 3 months |
| | Stores the last-click ID (fbclid) from a Facebook or Instagram ad that brought the visitor to the site. Used for ad attribution and conversion tracking. | 3 months |
| | Alternative cookie name occasionally written by older Meta Pixel deployments and tag-manager templates. Functionally interchangeable with _fbp — used to identify the browser for ad delivery and conversion tracking. If both _fbp and _fbq appear on the same site, the pixel implementation is duplicated and should be consolidated. | 3 months |
| | Set by facebook.com when Meta widgets are embedded (Like button, comments, login). Used to deliver ads, measure ad performance, and personalise ad content across Facebook and Instagram. | 3 months |
| | Browser identifier set by facebook.com. On third-party sites that embed Meta widgets (Like button, comments, Login) it enables Meta to recognise the browser across sessions — a cross-site tracking signal that requires consent. | 2 years |
| | Browser identifier used by Meta for account-recovery flows and authentication security. Surfaced on third-party sites through Meta embeds, contributing to cross-site visitor identification. | 2 years |
| | Stores the Facebook / Instagram user ID of the signed-in visitor. When a third-party page loads a Meta embed, the cookie is sent to Meta — directly identifying the visitor across the web. | 1 year |
| | Session token authenticating signed-in Facebook / Instagram users. Sent to Meta from any third-party page embedding a Meta widget while the visitor is logged in to Meta. | 1 year |
| | Stores the visitor's browser window dimensions so Meta can render embeds at the correct size. Set on facebook.com. | 1 week |
| | Stores the visitor's chat and presence state for Facebook Messenger / Instagram Direct. Session-only. | Session |
| | Stores the user's language preference for Meta-rendered content (Like button, embeds, Messenger). | 1 week |
| | TikTok Pixel cookie used to track conversions, optimise ad delivery, and build remarketing audiences. | 13 months |
| | TikTok web identifier used for analytics and ad performance measurement across the TikTok ad network. | 1 year |
| | Set by TikTok Pixel to confirm whether the visitor's browser will accept TikTok cookies before firing tracking events. | 13 months |
| | CSRF protection token issued by TikTok. Although strictly necessary for TikTok-side interactions, on a third-party site it appears only when a TikTok video embed loads — making it part of the social-plugin tracking stack. | Session |
| | Internal TikTok request-routing token used to chain related requests across a session. On third-party sites it surfaces through TikTok embeds and contributes to cross-site identification. | Session |
| | Persistent TikTok web visitor ID used for cross-session attribution and ad measurement. | 1 year |
| | Used by LinkedIn Insight Tag to make a probabilistic match of a visitor's identity outside the designated countries. | 3 months |
| | LinkedIn browser ID cookie used to identify devices accessing LinkedIn for analytics, ad measurement, and personalisation. | 1 year |
| | Secure browser ID used for LinkedIn account security. On third-party sites it surfaces through LinkedIn embeds and forms part of LinkedIn's cross-site identity layer used for ad measurement and remarketing. | 1 year |
| | LinkedIn datacenter-routing cookie. Required for LinkedIn-rendered embeds to function correctly. Limited to load-balancing — case-by-case necessity assessment usually applies. | 24 hours |
| | Used by LinkedIn for ID-syncing of advertising campaigns across user devices. | 1 month |
| | Stores information about the time a visitor's identity was synchronised with the lms_analytics cookie for LinkedIn analytics. | 1 month |
| | Stores the visitor's consent decisions for use of non-essential cookies on LinkedIn properties. | 6 months |
| | Used by X (formerly Twitter) to integrate and share features for social media and to personalise content and ads across the X ad network. | 2 years |
| | Used by X to identify and track website visitors (including non-logged-in users) for embedded content, analytics, and ads. | 2 years |
| | Set by X to measure and improve the relevance of advertising shown on the X platform and via the X Audience Platform on third-party sites. | 2 years |
| | Guest token used by X to authorise non-logged-in visitors when loading embedded tweets and timelines. Required for the embed to render — case-by-case necessity assessment when the embed itself is optional. | Session |
| | Used by Pinterest for tracking purposes and to enable users to share content via the Pinterest social network. | 1 year |
| | Pinterest uses this cookie to group actions for users who cannot be identified by Pinterest (non-logged-in visitors). | 1 year |
| | Used by the Pinterest conversion tag to attribute on-site events to Pinterest ad campaigns. | 1 year |
| | Snapchat Pixel browser identifier used to track conversions and measure the effectiveness of Snapchat ads. | 13 months |
| | Snapchat authentication / ad-attribution cookie used to associate visitors with Snapchat ad clicks. | 1 year |
| | Reddit Pixel visitor identifier. Used to measure conversions, build remarketing audiences, and attribute on-site events to Reddit ad clicks. | 3 months |
| | Criteo's primary retargeting cookie. Stores an encoded bundle that links the visitor to Criteo's ad-bidding profile for personalised display ads. | 13 months |
| | Used by Criteo to determine the highest-level domain on which it can set cookies. Set briefly during the test, then expires. | Session |
| | Stores a Criteo identifier copied from a related domain to maintain retargeting state across multiple TLDs. | 13 months |
| | Criteo session identifier used to deduplicate ad impressions and conversion events within a single browsing session. | Session |
| | Microsoft Bing Ads UET (Universal Event Tracking) session cookie. Used for conversion measurement and audience building for Bing/Microsoft Ads campaigns. | 1 day |
| | Microsoft Bing Ads UET visitor cookie. Persistent ID used for cross-session attribution and remarketing for Microsoft Advertising. | 13 months |
| | Microsoft user identifier set on bing.com and microsoft.com. Used for user identification, ad personalisation, and analytics across Microsoft properties — including Bing Ads on third-party sites. | 13 months |
| | Set by bing.com to register a unique ID that identifies a returning user's device for Bing Ads remarketing. | 13 months |
| | Used by Microsoft Clarity / Bing to validate analytics data and prevent fraudulent UET event submissions. | 10 minutes |
| | Used by Microsoft to indicate whether to refresh the MUID cookie. Supports Bing Ads attribution and audience syncing. | 1 week |
| | Hotjar user ID cookie. Ensures data from subsequent visits to the same site is attributed to the same user. | 1 year |
| | Hotjar session cookie. Holds current session data so subsequent requests in the session window are attributed correctly. | 30 minutes |
| | Identifies a new user's first session and indicates whether or not Hotjar's seeing this user for the first time. | 30 minutes |
| | Set so Hotjar can determine whether the visitor is included in the data sampling defined by the site's pageview limit. | 30 minutes |
| | Used by Hotjar to detect a visitor's first pageview session and prevent it being counted multiple times. | 30 minutes |
| | Records that the visitor has opted out of Hotjar tracking via the provider's universal opt-out endpoint. While set, Hotjar will not record new sessions, recordings, or surveys for the browser. Functional rather than analytics: it exists specifically to suppress tracking, not to enable it. | 1 year |
| | Persists the Clarity user ID and preferences unique to the site, so visits to the same site are attributed to the same user. | 1 year |
| | Connects multiple Clarity page views by a user into a single session recording. | 24 hours |
| | Segment-generated anonymous visitor identifier. Used to attribute events from non-logged-in users to a stable ID across sessions before they identify. | 1 year |
| | Segment user identifier set after a visitor calls analytics.identify(). Used to forward identified events to downstream tools (Mixpanel, Amplitude, etc.). | 1 year |
| | Stores the Amplitude device and user ID, plus session metadata, so behavioural events can be attributed to a stable user across visits. | 10 years |
| | Optimizely visitor identifier used to bucket users into A/B test variants and measure experiment exposure consistently across visits. | 6 months |
| | HubSpot main analytics cookie tracking visitors. Contains domain, utk, initial timestamp, last timestamp, current timestamp, and session number. | 6 months |
| | HubSpot user token. Identifies a unique visitor and is passed to HubSpot on form submission for contact deduplication. | 6 months |
| | HubSpot session cookie. Tracks sessions: incremented on each new pageview within 30 minutes. | 30 minutes |
| | HubSpot session-restart flag. Set to 1 when HubSpot detects that the visitor has started a new browser session. | Session |
| | HubSpot Messages identifier. Used by the HubSpot chat widget to recognise returning visitors and continue prior chat threads. | 6 months |
| | Anonymous Intercom visitor identifier used to maintain conversation history for non-logged-in users. | 9 months |
| | Identifies a logged-in Intercom user and grants access to Messenger and conversation history without re-authentication. | 1 week |
| | Cloudflare bot-management cookie. Distinguishes bots from human visitors and is necessary for site security and Bot Management. | 30 minutes |
| | Cloudflare rate-limiting cookie. Used to identify trusted web traffic and protect origin servers from abuse. | Session |
| | Set after a visitor passes a Cloudflare challenge (CAPTCHA, JavaScript challenge, Managed Challenge). Required for site access. | 30 minutes to 1 year (configurable) |
| | Stripe machine-identifier cookie used for fraud prevention on payment forms. | 1 year |
| | Stripe session-identifier cookie used for fraud prevention on payment forms. | 30 minutes |
| | PayPal fraud-prevention and security cookie used during checkout. | 3 years |
| | Shopify long-term visitor analytics cookie used for tracking returning customers and personalising recommendations. | 1 year |
| | Shopify session analytics cookie used to track the current visit. | 30 minutes |
| | Shopify shopping-cart identifier used to associate cart contents with the visitor's browser. | 2 weeks |
| | Shopify secure session cookie used for checkout and authenticated areas of the storefront. | 24 hours |
| | WooCommerce cart-hash cookie. Indicates when the cart contents change so the front-end can reload cart fragments. | Session |
| | WooCommerce cart-items counter. Tracks the number of items currently in the cart. | Session |
| | WooCommerce session cookie. Holds a unique code for the customer so cart and order data can be retrieved from the database. | 2 days |
| | Set when a user logs in to WordPress. Used by the WordPress interface to keep the user signed in. | Session or 14 days (with Remember Me) |
| | Persists logged-in WordPress users' admin interface preferences (e.g., dashboard layout). | 1 year |
| | PrestaShop session cookie. Stores cart, user, and language state for the storefront. | 20 days |
| | PHP session-identifier cookie. Used by PHP-based platforms (Magento, Drupal, custom apps) to maintain user session state. | Session |
| | Mailchimp marketing cookie used to identify the visitor and link form submissions to a Mailchimp audience. | 1 year |
| | Klaviyo identifier cookie. Tracks the visitor across sessions for email campaign attribution and audience syncing. | 2 years |
Strictly necessary for the site to function, such as login sessions, carts, security challenges, or payment continuity. These can be exempt from consent if the necessity test is genuinely met.
Preference, support, or convenience features. These are not automatically exempt and often need a case-by-case review with legal or DPO input.
Traffic and behavior measurement cookies such as Google Analytics, Hotjar, and Clarity. In the EU these generally require prior consent.
Retargeting, attribution, and audience building cookies such as Meta Pixel or Google Ads. These should not load before explicit opt-in.
Set by embeds, social login, and platform widgets. These are usually third-party tracking technologies and should be blocked until consent or explicit interaction.
These hub pages target the questions privacy teams, marketers, and site owners actually search for.
Reference page for cookies that require prior consent under GDPR and ePrivacy, including analytics, advertising, and social media technologies.
Guide to cookies that may fall under the strict necessity exemption, plus the documentation and audit controls still required under GDPR and ePrivacy.
Detailed reference for Shopify cookies, including storefront, session, analytics, and checkout-related cookies, plus GDPR audit guidance for merchants and agencies.
Guide to WordPress cookies, including core login and preference cookies, plus GDPR advice for plugin-heavy WordPress websites.
Reference guide for WooCommerce cookies covering cart, checkout, session, and store functionality, plus GDPR controls for ecommerce stores.
Guide to PrestaShop cookies, GDPR obligations, and audit checks for merchants using modules, embedded services, and ecommerce tracking.
Reference guide to essential cookies: what counts as strictly necessary, when consent is not required, and which implementation mistakes still create GDPR risk.
Detailed guide to functional cookies, including when they may need consent, how regulators view preference and support widgets, and what to document in your banner and policy.
Guide to analytics cookies such as Google Analytics, Hotjar, and Microsoft Clarity, with GDPR consent rules, audit checks, and implementation pitfalls.
Reference guide to advertising cookies like Meta Pixel, Google Ads, TikTok, and LinkedIn, with clear GDPR consent requirements and remediation advice.
Guide to social media cookies set by embedded content, social login, and sharing tools, including why they usually require consent in the EU.
CookieSentry scans your website, identifies every cookie set before consent, and shows which ones create GDPR and ePrivacy exposure. Free scan, no signup needed.
Cookie names, expiry windows, and descriptions are based on public vendor documentation and observed behavior as of 2026. Providers can change this without notice. This guide is a practical reference, not legal advice.