Cookiesentry

Cookie checkerFeaturesPricingBlogContact
Home/Cookies Guide/Cookies that do not require consent
Back to all cookies
Consent hub

Cookies that do not require consent

These cookies are exempt only when they are strictly necessary to provide a service the visitor explicitly asked for, such as maintaining login state, carts, fraud prevention, or payment continuity.

Cookie entries

14

Categories covered

1

Main question answered

Cookies that do not require consent

GDPR and ePrivacy position

The exemption is narrow. If the same script also performs analytics, personalization, or marketing functions, the no-consent argument quickly falls apart.

Exempt cookies still need to be documented transparently. The fact that consent is not required does not remove your duty to explain purpose, provider, and expiry.

Functional cookies are not included here because many of them require a separate necessity assessment rather than relying on the strict exemption.

Audit checklist

  • Map each cookie to a requested service such as login, cart, checkout, or security.
  • Keep exempt cookies separate from analytics or advertising tags in implementation and documentation.
  • Publish a clear cookie policy entry for every exempt cookie.
  • Reassess the exemption whenever the related feature or vendor changes.

Categories covered on this page

Essential

Reference guide to essential cookies: what counts as strictly necessary, when consent is not required, and which implementation mistakes still create GDPR risk.

Cookies that do not require consent reference list

__cf_bmEssentialNo consent required

Cloudflare bot-management cookie. Distinguishes bots from human visitors and is necessary for site security and Bot Management.

Expires: 30 minutes
Cloudflare, Inc.
Cloudflare
__cfruidEssentialNo consent required

Cloudflare rate-limiting cookie. Used to identify trusted web traffic and protect origin servers from abuse.

Expires: Session
Cloudflare, Inc.
Cloudflare
cf_clearanceEssentialNo consent required

Set after a visitor passes a Cloudflare challenge (CAPTCHA, JavaScript challenge, Managed Challenge). Required for site access.

Expires: 30 minutes to 1 year (configurable)
Cloudflare, Inc.
Cloudflare
__stripe_midEssentialNo consent required

Stripe machine-identifier cookie used for fraud prevention on payment forms.

Expires: 1 year
Stripe Payments Europe Ltd.
Stripe
__stripe_sidEssentialNo consent required

Stripe session-identifier cookie used for fraud prevention on payment forms.

Expires: 30 minutes
Stripe Payments Europe Ltd.
Stripe
ts_cEssentialNo consent required

PayPal fraud-prevention and security cookie used during checkout.

Expires: 3 years
PayPal (Europe) S.à r.l. et Cie, S.C.A.
PayPal
cartEssentialNo consent required

Shopify shopping-cart identifier used to associate cart contents with the visitor's browser.

Expires: 2 weeks
Shopify International Ltd.
Shopify
_secure_session_idEssentialNo consent required

Shopify secure session cookie used for checkout and authenticated areas of the storefront.

Expires: 24 hours
Shopify International Ltd.
Shopify
woocommerce_cart_hashEssentialNo consent required

WooCommerce cart-hash cookie. Indicates when the cart contents change so the front-end can reload cart fragments.

Expires: Session
Automattic, Inc.
WooCommerce
woocommerce_items_in_cartEssentialNo consent required

WooCommerce cart-items counter. Tracks the number of items currently in the cart.

Expires: Session
Automattic, Inc.
WooCommerce
wp_woocommerce_session_<hash>EssentialNo consent required

WooCommerce session cookie. Holds a unique code for the customer so cart and order data can be retrieved from the database.

Expires: 2 days
Automattic, Inc.
WooCommerce
wordpress_logged_in_<hash>EssentialNo consent required

Set when a user logs in to WordPress. Used by the WordPress interface to keep the user signed in.

Expires: Session or 14 days (with Remember Me)
WordPress Foundation
WordPress
PrestaShop-<hash>EssentialNo consent required

PrestaShop session cookie. Stores cart, user, and language state for the storefront.

Expires: 20 days
PrestaShop SA
PrestaShop
PHPSESSIDEssentialNo consent required

PHP session-identifier cookie. Used by PHP-based platforms (Magento, Drupal, custom apps) to maintain user session state.

Expires: Session
Site operator
PHP / Magento / Drupal

Need proof of what loads before consent?

Use CookieSentry to scan your live pages, catch early-firing cookies, and export evidence your privacy team or agency can use to remediate the issue.

Run a free scan →
Cookiesentry
About usFAQContactBlogCookies GuidePrivacyTermsEU Hosting

No cookies. No tracking. Analytics by EU-hosted Umami.

© 2025 CookieSentry. All rights reserved. Made with care for your privacy.