About cookies & GDPR

I understand Ghost (self hosted) sets no persistent cookies, but what about session cookies? I read a post just now, whilst I was doing a search before posting. It said Ghost’s session cookies last up to 6 months? Surely this is a persistent cookie and not a session cookie. Session cookies have no expiration date, that’s why they’re deleted when the browser closes. So, is it a session cookie or is it a persistent cookie? Because it can’t be both.

Session has 2 meanings - browsing session and application session. From my understanding, Ghost’s session cookies are application cookies that are strictly required for the functionality of the site.

What made you think Ghost sets no persistent cookies?

Perhaps this should be made clear within the documentation. It’s kind of difficult to write up a privacy policy under GDPR, without knowing which cookies you need to declare. I’ve just seen this post and this reply, by @John. This seems to explain that it falls under the ‘Strictly necessary’ cookie exemption. But it still doesn’t answer the question as to whether it is a session cookie or a persistent cookie. Granted, I know it’s persistent because if I close my browser and come back to Ghost I am still logged in. But some clarity would be nice. I didn’t realise there were different session cookie types.

It’s not so much there’s multiple types of session cookies, it’s that the term “session” can be used in multiple contexts.

As you mentioned, if the cookie exists after restarting the browser, it’s a persistent cookie; the cookies Ghost uses for member and staff auth are persistent.

3 Likes
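The distinction discussed in this thread comes down to whether the `Set-Cookie` header carries an `Expires` or `Max-Age` attribute. The classifier below is an added example, not part of the original posts and not Ghost's code; the cookie names and values are constructed placeholders, and the 180-day lifetime is chosen only to mirror the "up to 6 months" figure mentioned above.

```javascript
// Classify one Set-Cookie header value the way a browser does (RFC 6265):
// no Max-Age/Expires -> browsing-session cookie, dropped when the browser closes;
// otherwise persistent. Max-Age takes precedence over Expires when both are set.
function classifySetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const nameEnd = pair.indexOf('=');
  const result = {
    name: nameEnd === -1 ? pair : pair.slice(0, nameEnd),
    kind: 'browsing-session',
    lifetimeDays: null,
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(value)) maxAge = Number(value);
    else if (key === 'expires' && !Number.isNaN(Date.parse(value))) expires = Date.parse(value);
    else if (key === 'httponly') result.httpOnly = true;
    else if (key === 'secure') result.secure = true;
    else if (key === 'samesite') result.sameSite = value;
  }
  let seconds = null;
  if (maxAge !== null) seconds = maxAge;
  else if (expires !== null) seconds = (expires - now.getTime()) / 1000;
  if (seconds !== null) {
    // A zero, negative or past expiry tells the browser to delete the cookie.
    result.kind = seconds > 0 ? 'persistent' : 'expired';
    result.lifetimeDays = Math.max(0, Math.round(seconds / 86400));
  }
  return result;
}

// Constructed sample headers; names and values are placeholders.
const SAMPLE_HEADERS = [
  'example-auth=abc123; Path=/; Max-Age=15552000; HttpOnly; Secure; SameSite=Lax',
  'example-csrf=xyz789; Path=/; HttpOnly',
  'example-pref=dark; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Max-Age=86400',
];

for (const header of SAMPLE_HEADERS) {
  const c = classifySetCookie(header);
  console.log(`${c.name}: ${c.kind}, lifetime in days: ${c.lifetimeDays}`);
}
```

Feeding it the `Set-Cookie` values from your own site's responses (visible in the browser developer tools' network tab) gives the list of persistent cookies and their lifetimes to declare in a privacy policy.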