What cookies are created by the Matomo JavaScript Tracking client?
Matomo creates cookies and similar tools (we’ll refer to them jointly as ‘cookies’) to track visitor interactions on your website. There are default and optional cookies that collect visitor statistics and ensure accurate data. Default cookies can be disabled and optional cookies are only created when using specific Matomo features.
The default Matomo Tracking code uses first-party cookies set on your website’s domain and then stored in your visitors’ browsers. The tracking data is linked directly to your site and not shared with any third parties.
It is important to comply with the data privacy regulations relevant to your jurisdiction and business model. If the GDPR and ePrivacy requirements in the EU apply to your website, your visitors must be informed and, where required, provide consent for use of website analytics. Certain configurations of Matomo may be used without consent for analytics purposes (refer to the ePrivacy and National Implementations guide). Additionally, you may consider cookieless tracking to help align with privacy requirements.
Default Cookies
To track users on your website or app, the default Matomo tracking JavaScript code creates first-party cookies with a default expiration.
You can adjust how long these cookies store visitor information by changing the expiration settings in the JavaScript tracking code, which is useful to customise the duration based on your privacy needs or data retention policies.
The following table details the purpose and default expiration of the first-party cookies created by Matomo. When the cookies expire, they are automatically removed from the visitors’ browsers. For further clarification, refer to the Usage details below for more information about each cookie.
| Name | Purpose | Type | Usage | Default Expiry |
|---|---|---|---|---|
| _pk_id | Stores a unique visitor ID. | Cookie | First-party website analytics | 13 months |
| _pk_ses | Session cookie temporarily stores data for the visit. | Cookie | First-party website analytics | 30 minutes |
| _pk_ref | Stores attribution information (the referrer that brought the visitor to the website). | Cookie | First-party website analytics | 6 months |
| _pk_testcookie | Temporary cookie to check if a visitor’s browser supports cookies (set in Internet Explorer only). | Cookie | First-party website analytics | Temporary cookie that expires almost immediately after being set. |
Optional Cookies
Setting Optional cookies only occurs when using a specific Matomo feature (e.g., Heatmaps, A/B testing, or consent management. For further clarification, refer to the Usage details below for more information about each cookie.
| Name | Purpose | Type | Usage | Default Expiry |
|---|---|---|---|---|
| matomo_sessid | A nonce to help prevent CSRF security issues when using the opt-out feature. | Strictly necessary or essential cookie | Security feature | 14 days |
| mtm_consent_removed | Indicates that a visitor opted out of Matomo tracking. | Strictly necessary or essential cookie | Opt-out management | 30 years but may be removed earlier depending on browser rules (see Usage details). |
| mtm_cookie_consent | Records the visitor’s consents to Matomo tracking. | Strictly necessary or essential cookie | Consent management | 30 years but may be removed earlier depending on browser rules or may be configured with a shorter expiry period (see Usage details). |
| _pk_hsr | Session cookie temporarily stores Heatmap session data when using the Matomo Heatmap feature. | Cookie | First-party website analytics (Heatmaps feature) | 30 minutes |
| _pk_uid | If enabled, this cookie assigns the same ID to a visitor navigating across all your domains and subdomains, so Matomo can recognise users across devices and sessions. It is only used when enabling third party cookies in Matomo’s config file. | Cookie | Optional third-party cookie (not enabled by default) | 13 months |
| MatomoAbTesting | Stores information for Matomo A/B Testing using local storage. | Local storage object | First party website analytics (A/B testing feature) | No expiry (persists until it is explicitly deleted by the visitor or application). |
Usage Details
_pk_id
Contains the unique visitor ID to recognise new and returning visitors to build up a Visitor Profile that includes a summary of their interactions on the site, number of visits, timestamp of first and last visit. It also includes interactions related to eCommerce orders, goals and conversions, and attribution across sessions.
_pk_ses
Used to link actions performed during the session (e.g., page views, downloads, events) to a unique visit, thereby allowing Matomo to accurately attribute these actions to a single session.
_pk_ref
The attribution data includes how a visitor initially arrived at the site, whether they came from a search engine, a social media link, an external website, or a campaign URL. Consequently, this information helps Matomo attribute visits to specific traffic sources.
_pk_cvar
Stores custom variables in key-value pairs to define additional metadata about the visitor or their actions during a session; it could be any custom data you want to track. Because this is a session-based cookie, it only applies to the current visit.
_pk_testcookie
This a temporary cookie, specifically set in Internet Explorer to check if a visitor’s browser supports cookies.
matomo_sessid
When using the opt-out feature, this nonce sets and prevents CSRF security issues. Moreover, it does not contain any data that identifies visitors and only maintains session information, which is often set if Matomo is configured to work with a specific session-based feature.
mtm_consent_removed
For consent management, this optional cookie is placed when a visitor opts out of being tracked. It is only applicable when you are using your own cookie consent implementation or a consent manager (CMP) tool, or if using a consent-exempt configuration of Matomo and you need to configure the opt-out feature on your website.
If Matomo is setup on a different domain than the website being tracked, the matomo_consent_removed cookie will be a first-party cookie. This cookie does not contain personal information or any ID and its value is the same for all visitors. Although the default expiry of this cookie is 30 years, some browsers delete this cookie if the visitor has not visited your website in 7 days (Safari), 45 days (Firefox) or 400 days (Chrome) (as of the date of this policy, 24 October 2024).
Note that these time frames may be subject to change. You may want to inform irregular visitors to your websites who wish to opt-out of analytics to check the setting when they visit. Otherwise, the opt-out might not be recognised by their browser.
mtm_cookie_consent
When utilising a consent manager (CMP) to request consent, the cookie stores the visitor’s consent status for tracking purposes and recognises the user gave consent. The cookie’s expiry may be subject to the same earlier deletion as with mtm_consent_removed (refer above). You can define a shorter expiry period for your user consent by calling: _paq.push([‘rememberConsentGiven’, optionallyExpireConsentInHours]). Learn more in the Tracking and Cookie Consent developer guide.
_pk_hsr
This cookie is placed when using Matomo’s Heatmap and Session Recording features. It temporarily stores data to determine which areas of a webpage visitors interact with most. Furthermore, it captures the session recording process, including the start, continuation, and end of each session. This approach ensures that all data is accurately linked to a specific visit, providing a clear view of user interactions.
_pk_uid
By default, Matomo uses only first-party cookies, so when these visitors navigate between multiple domains, the domains will not share the same cookies, and each domain treats the visitor as new. If you enable this cookie to assign the same ID to a visitor navigating across all your domains and subdomains, Matomo will recognise users across devices and sessions, which can be particularly useful to understand the behaviour of logged-in users, such as for eCommerce websites or membership platforms.
MatomoAbTesting
Unlike cookies, MatomoAbTesting (previously MatomoAbTesting) stores data directly in the browser’s local storage. As a result, users consistently see the same version of a webpage (e.g., variation A or B) and they remain in the same testing group across different sessions, even if they close and reopen the browser.