Salesforce Dictionary - Free Salesforce Glossary

Cookie

§ 01

Definition

A Cookie in the Salesforce context is a small key-value pair stored in a user's browser by Salesforce, an Experience Cloud site, a Salesforce Sites page, or a Salesforce marketing product like Marketing Cloud Account Engagement or Marketing Cloud Engagement. Cookies are how Salesforce maintains the user session across HTTP requests, identifies returning visitors on public-facing sites, remembers preferences, and tracks engagement for marketing analytics.

Cookie handling in Salesforce splits into two worlds. Essential cookies (session, auth, CSRF, load balancing) are required for the platform to work and ship enabled. Non-essential cookies (marketing tracking, analytics, personalization) are subject to privacy regulations like GDPR and CCPA and require user consent before they can be set. Salesforce ships the Cookie Consent component for Experience Cloud sites to handle that consent workflow.

§ 02

How Salesforce uses cookies across the platform

Session and authentication cookies

The most important Salesforce cookie is sid, the session ID. It is set when a user authenticates and identifies the session on every subsequent request. The sid is HttpOnly and Secure-flagged in modern releases, so JavaScript cannot read it and it only travels over HTTPS. Other auth-adjacent cookies include OAuth state cookies, MFA challenge cookies, and CSRF tokens. These are all essential; the platform does not work without them.

BrowserId and instance routing

Salesforce sets a BrowserId cookie on every request, a long-lived UUID that survives logout. It is used for analytics, anti-fraud, and to route the user to the same Salesforce server instance for session affinity. The inst cookie identifies which Salesforce instance (NA, EU, AP, and others) the user belongs to and routes API and web requests accordingly.

Experience Cloud and Sites cookies

Experience Cloud sites set their own session cookies on the site domain. For sites with self-registration, additional cookies may track registration progress. Sites with login flows use OAuth or SAML cookies during authentication and then fall back to standard Salesforce sid behavior. Sites can also set custom cookies through Lightning components or Apex.

Marketing Cloud Account Engagement (Pardot) tracking

The visitor_id and pi_opt_in cookies are the Marketing Cloud Account Engagement (Pardot) prospect tracking pair. visitor_id identifies a unique browser; pi_opt_in records the visitor's opt-in status. These cookies are non-essential and require consent in jurisdictions with cookie laws. The Pardot tracking pixel and the LWC-based prospect tracking both set them.

Marketing Cloud Engagement tracking

Marketing Cloud Engagement (the email and journey product) uses _mcid (mc subscriber identifier) and _mcsd (subscription data) cookies to track journey progression and email engagement. Like Pardot cookies, these are non-essential and consent-gated.

Cookie Consent and CMP integration

Salesforce ships a Cookie Consent component for Experience Cloud and CMS sites that displays a banner, captures the user's consent choices, and stores them in the CookieConsent standard object. The component supports Implicit and Explicit consent modes and integrates with third-party Consent Management Platforms (OneTrust, TrustArc, Cookiebot) through standard configuration.

Cookie expiration and SameSite behavior

Salesforce session cookies expire when the session ends. BrowserId and tracking cookies have longer expirations (typically 2 years). SameSite attributes default to Lax in modern releases, which prevents most cross-site request forgery while still allowing legitimate cross-site links. Salesforce occasionally tightens SameSite to Strict for sensitive cookies; check the release notes when troubleshooting cross-site cookie issues.

§ 03

How to manage cookies in Salesforce

Most cookie management is automatic. The work falls into two areas: ensuring third-party cookie blocking does not break Salesforce, and setting up consent banners on Experience Cloud sites.

  1. Allowlist Salesforce domains in users' browsers

    For orgs that use Outlook Integration, Inbox, or any Salesforce-hosted iframe, IT should allowlist Salesforce domains (salesforce.com, force.com, lightning.force.com, visualforce.com, cloudforce.com) in browser cookie settings. Browsers that block third-party cookies can break these features.

  2. Configure My Domain for first-party cookie behavior

    Setup, My Domain. Enable My Domain and use the my.salesforce.com subdomain for production. This routes cookies through a first-party domain, which is less likely to be blocked.

  3. Enable Cookie Consent for Experience Cloud sites

    Setup, Cookie Consent. Configure the banner text, the categories of cookies (Essential, Functional, Analytics, Marketing), and the integration with your CMP if you have one. The component then ships on every Experience Cloud site page.

  4. Configure Marketing Cloud Account Engagement consent

    In Marketing Cloud Account Engagement, enable the Cookie Consent feature and configure it to honor the user's choice from the Experience Cloud banner. Pardot tracking cookies are set only after consent.

  5. Audit cookies on your sites

    Use a cookie audit tool (OneTrust Cookie Audit, Cookiebot Scan, manual browser inspection) to enumerate every cookie set on your Experience Cloud or marketing pages. Document which are essential, which are functional, and which are marketing.

  6. Set up CCPA and GDPR compliance

    Build the user-rights workflows (data export, data deletion) that go beyond cookie consent. These are typically Apex Flows triggered by a CookieConsent record creation or a Privacy Request record.
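An added Python helper (example code, not from this page or from Salesforce) that does what the audit step and the consent gotcha describe: it parses captured Set-Cookie headers, classifies them against the cookie names listed in this entry, checks that sid carries HttpOnly, Secure and a Lax or Strict SameSite, and flags any marketing cookie that was set before consent. The category table and the sample headers are constructed for the example.

```python
# Cookie names taken from this entry; the category labels are an assumption
# for this example, following the entry's essential / marketing split.
CATEGORY = {
    "sid": "essential", "inst": "essential", "BrowserId": "essential",
    "visitor_id": "marketing", "pi_opt_in": "marketing",
    "_mcid": "marketing", "_mcsd": "marketing",
}

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Attribute names are lower-cased; flags such as HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs

def audit(headers, consent_given):
    """Return (cookie name, finding) pairs for a capture of Set-Cookie headers;
    consent_given says whether the visitor had accepted marketing cookies."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        cat = CATEGORY.get(name, "unclassified")
        if cat == "unclassified":
            findings.append((name, "not in inventory; classify and document it"))
        if name == "sid":  # session cookie must be HttpOnly, Secure and SameSite
            for attr, label in (("httponly", "HttpOnly"), ("secure", "Secure")):
                if attr not in attrs:
                    findings.append((name, f"session cookie missing {label}"))
            if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
                findings.append((name, "session cookie SameSite should be Lax or Strict"))
        if cat == "marketing" and not consent_given:
            findings.append((name, "marketing cookie set before consent"))
    return findings

# Constructed sample capture from a site page, taken before the banner was answered.
SAMPLE_PRE_CONSENT = [
    "sid=CONSTRUCTED_SESSION_VALUE; Path=/; Secure; SameSite=Lax",  # HttpOnly missing
    "BrowserId=CONSTRUCTED_UUID; Path=/; Max-Age=63072000; Secure; SameSite=Lax",
    "visitor_id=12345; Path=/; Max-Age=63072000",
    "theme_pref=dark; Path=/",
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_PRE_CONSENT, consent_given=False):
        print(f"{name}: {issue}")
```

Run it against the Set-Cookie headers exported from your browser's developer tools or a proxy capture, once before and once after answering the consent banner, and the two result lists document the essential/marketing split the audit step asks for.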

Gotchas
  • Browsers blocking third-party cookies break Salesforce iframe integrations (Outlook, Gmail, Slack add-ins). Allowlist Salesforce domains to avoid silent failures.
  • Marketing tracking cookies that fire before consent are a GDPR violation. Configure Pardot and MCE to honor consent before any tracking call.
  • Salesforce session cookies are HttpOnly. JavaScript cannot read sid; do not write code that tries to access it.
  • CookieConsent records grow rapidly on high-traffic sites. Build a retention policy or archive old consent records to keep storage costs manageable.
  • Different jurisdictions have different consent requirements (EU strict consent, US opt-out, Brazil LGPD). One consent banner may not satisfy all regulations; configure per-site as needed.
About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.


Test your knowledge

Q1. What is a cookie?

Q2. Why are third-party cookies becoming more restricted?

Q3. What's a good practice for sensitive cookies?
