How does Craft use Cookies?

This article lists the default cookies Craft CMS uses and provides some context into what they’re used for.

PHP Session #

Craft relies on PHP sessions to maintain sessions across web requests. That is done via the PHP session cookie. Craft names that cookie “CraftSessionId” by default, but it can be renamed via the phpSessionName config setting. This cookie will expire as soon as the session expires.

Control Panel Authentication #

When you log into the control panel, you’ll get an authentication cookie used to maintain your authenticated state. The cookie name is prefixed with a long, randomly generated string, followed by _identity. The cookie only stores information necessary to maintain a secure, authenticated session and will only exist for as long as the user is authenticated in Craft.


If the enableCsrfProtection and enableCsrfCookie config settings are enabled, then a cookie named CRAFT_CSRF_TOKEN will be created to facilitate CSRF protection. It can be changed via the csrfTokenName config setting and will expire as soon as the PHP session expires.

Remembering Username on Login Duration #

If the rememberUsernameDuration config setting is set to anything besides 0, a cookie will be created with a name that is prefixed with a long, randomly generated string, followed by _username. That cookie will exist for the given duration to remember the username on the login form.

Craft Cookies and GDPR #

For GDPR purposes, please note that Craft’s default cookies do not collect any personal or sensitive information. Craft’s default cookies do not collect IP addresses. The information they store is not sent to Pixel & Tonic or any third parties.

Craft’s default cookies are only used to communicate with your Craft installation for the purposes of user authentication, form validation/security, and basic web application operations.

Applies to Craft CMS 3.