To track users on your website(s) or app(s), the default Matomo Tracking code in JavaScript uses 1st party cookies, which are set on the domain of your website.

Cookies created by Matomo start with:

  • _pk_ref
  • _pk_cvar
  • _pk_id
  • _pk_ses
  • mtm_consent, mtm_consent_removed and mtm_cookie_consent: when you’re asking your users for consent
  • matomo_ignore, when you exclude yourself from being tracked (opt-out) using the cookie method or using the iframe opt-out method. (Note: when Matomo is set up on a different domain than the website being tracked, the matomo_ignore cookie will be a third party cookie. This cookie does not contain personal information or any ID, and the cookie value is the same for all visitors.)
  • matomo_sessid, when you use the opt-out feature (this is called a nonce and helps prevent CSRF security issues)
  • _pk_hsr, when you use the Heatmap or Session Recording

You can also choose to disable all first party cookies from being set, for example for privacy reasons.

By default, Matomo does not use third party cookies, but you can enable a third party _pk_uid cookie if you wish.

Learn more in "What data does Matomo track?".

Default expiration times

The cookies described above will eventually expire and be removed from your users’ browsers.

  • _pk_id – 13 months (used to store a few details about the user such as the unique visitor ID)
  • _pk_ref – 6 months (used to store the attribution information, the referrer initially used to visit the website)
  • _pk_ses, _pk_cvar, _pk_hsr – 30 minutes (short lived cookies used to temporarily store data for the visit)
  • _pk_testcookie is created and should then be deleted immediately (used to check whether the visitor’s browser supports cookies)
  • mtm_consent (or mtm_consent_removed) is created with an expiry date of 30 years to remember that consent was given (or removed) by the user. It is possible to define a shorter expiry period for your user consent by calling: _paq.push(['rememberConsentGiven', optionallyExpireConsentInHours]). Learn more in the Asking for consent developer guide.
  • mtm_cookie_consent is created with an expiry date of 30 years to remember that consent for storing and using cookies was given by the user. It is possible to define a shorter expiry period for your user cookie consent by calling: _paq.push(['rememberCookieConsentGiven', optionallyExpireConsentInHours]). Learn more in the Asking for consent developer guide.
  • matomo_ignore – 30 years
  • matomo_sessid – 14 days (It is important to note that it doesn’t contain any data used to identify visitors and is considered an “Essential” cookie)

The default expiration times listed above can be modified via JavaScript. Learn more about setting custom expiration times.
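Because these lifetimes can be changed, a cookie audit should compare what a site actually sets against the defaults listed above. The following is an added example, not Matomo's own code: it matches cookie names by the documented prefixes and flags any whose remaining lifetime exceeds the default. The input shape ({ name, maxAgeSeconds }), the function name and the sample cookies are assumptions made for illustration; months are counted as 31 days and years as 366 days so the limits act as upper bounds.

```javascript
const DAY = 86400; // seconds
const YEARS_30 = 30 * 366 * DAY;

// [prefix, default lifetime in seconds], taken from the list above.
// Longer prefixes come first so mtm_consent_removed is not read as mtm_consent.
const MATOMO_DEFAULTS = [
  ["mtm_consent_removed", YEARS_30],
  ["mtm_cookie_consent", YEARS_30],
  ["mtm_consent", YEARS_30],
  ["matomo_ignore", YEARS_30],
  ["matomo_sessid", 14 * DAY],
  ["_pk_testcookie", 0], // should be deleted right after creation
  ["_pk_id", 13 * 31 * DAY],
  ["_pk_ref", 6 * 31 * DAY],
  ["_pk_ses", 30 * 60],
  ["_pk_cvar", 30 * 60],
  ["_pk_hsr", 30 * 60],
];

// cookies: array of { name, maxAgeSeconds }, where maxAgeSeconds is the
// remaining lifetime, or null for a session cookie (hypothetical input shape,
// e.g. built from a browser cookie export).
function auditMatomoCookies(cookies) {
  const findings = [];
  for (const { name, maxAgeSeconds } of cookies) {
    const rule = MATOMO_DEFAULTS.find(([prefix]) => name.startsWith(prefix));
    if (!rule) continue; // not one of the Matomo cookies listed on this page
    const [prefix, limit] = rule;
    const age = maxAgeSeconds ?? 0; // session cookies never outlive a default
    findings.push({ name, prefix, limit, exceedsDefault: age > limit });
  }
  return findings;
}

// Constructed sample data, not taken from a real site.
const SAMPLE_COOKIES = [
  { name: "_pk_id.1.1fff", maxAgeSeconds: 13 * 30 * DAY },   // within default
  { name: "_pk_ses.1.1fff", maxAgeSeconds: 2 * 3600 },       // longer than 30 minutes
  { name: "mtm_consent_removed", maxAgeSeconds: 365 * DAY }, // shortened consent expiry
  { name: "sessionid", maxAgeSeconds: null },                // unrelated cookie
];

for (const f of auditMatomoCookies(SAMPLE_COOKIES)) {
  console.log(`${f.name}: ${f.exceedsDefault ? "exceeds" : "within"} default for ${f.prefix}`);
}
```

A cookie flagged here is not necessarily a problem, but it shows the tracking code has been configured away from the defaults and the site's cookie notice should be checked against the real values.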