Cookies & storage

Client Side Cookies (JS SDK)

Name	Lifetime	Description	Is flag secure	Is flag SameSite	If deleted
_pcid	13 months by default, can be configured	Visitor ID	✅	SameSite=lax	New cookie set, new visitor ID assigned
_pctx	13 months by default, can be configured	Piano context storage	✅	SameSite=lax	No persistence of contextual information between Piano SDKs
_pprv	13 months by default, can be configured	Consent Mode persistence	✅	SameSite=lax	No persistence of Consent Mode, window.pdl.consent.defaultPreset.PA configuration assigned
pa_user	13 months by default, can be configured	Stored user information	✅	SameSite=lax	No persistence of user information information in events

Before 6.8.0

Name	Lifetime	Description	Is flag secure	Is flag SameSite	If deleted
pa_vid	13 months by default, can be configured	Visitor ID	✅	SameSite=lax	New cookie set, new visitor ID assigned
pa_user	13 months by default, can be configured	Stored user information	✅	SameSite=lax	No persistence of user information information in events
pa_privacy	13 months by default, can be configured	Privacy Mode persistence	✅	SameSite=lax	No persistence of Privacy Mode, privacyDefaultMode configuration assigned

_pcid format

The _pcid cookie may trigger OWASP security rules due to its structure: it contains a JSON object with special characters (quotes, colons, pipes) that are URL-encoded, which can be flagged by security scanners.

The cookie value is URL-encoded and follows this pattern:

%7B%22browserId%22%3A%22mg0j6i6ct4vxgjb9%22%2C%22_t%22%3A%22mwj35h8y%7Cmgum2u4y%22%7D

When URL-decoded and formatted, the cookie contains a JSON object:

{
  "browserId": "mg0j6i6ct4vxgjb9",  // Unique visitor identifier (random alphanumeric value)
  "_t": "mwj35h8y|mgum2u4y"         // Encoded timestamp for cookie duration manipulation
}

This cookie uses a JSON structure to allow end-users to easily retrieve their identifier for GDPR compliance purposes. Storing this data in a cookie allows it to naturally expire after the configured lifetime (13 months by default).

Server Side Cookies

Name	Lifetime	Description	Secure flag	SameSite flag	HTTPOnly flag	If deleted
idrxvr	13 months	Legacy Server Side Visitor ID	❌	❌	✅	New cookie set, new visitor ID assigned
atidx	13 months	Server Side Visitor ID	✅	❌	✅	New cookie set, new visitor ID assigned
atid	13 months	Main Server Side Visitor ID	✅	SameSite=none	✅	New cookie set, new visitor ID assigned

Piano Analytics Mobile SDKs

Android

Storage key	Lifetime	Description
pa_vid	13 months by default, can be configured	Visitor ID
pa_uid	13 months by default, can be configured	Stored user information
pa_privacy	13 months by default, can be configured	Privacy Mode persistence
pa_crash	Until app relaunch	Crash information
pa_lifecycle	No expiration	Application lifecycle

Apple

Storage key	Lifetime	Description
pa_vid	13 months by default, can be configured	Visitor ID
pa_uid	13 months by default, can be configured	Stored user information
pa_privacy	13 months by default, can be configured	Privacy Mode persistence
pa_crash	Until app relaunch	Crash information
pa_lifecycle	No expiration	Application lifecycle

Piano Cookies

This page covers the Piano Analytics cookies, you can also find the cookies used for the other Piano products here

Legacy cookie management

If you're migrating from SmartTag SDKs to Piano Analytics SDKs, we still use the atuserid cookie (visitor identification) so as not to cause a break in the detection of the visitor. As soon as this atuserid cookie is deleted, we replace it with _pcid cookie. Same applies to pa_vid (legacy value of PA SDK visitor cookie ID).

The atauthority cookie (Privacy) is not used anymore. Please implement Consent methods to deposit the new _pprv cookie instead (or Privacy methods if your use mobile SDKs).

Same applies for legacy atidvisitor cookie ("identified visitor" detection, now "user"). Please implement Users methods to deposit the new pa_user cookie instead.