We set a small number of cookies to keep the dashboard signed in and to remember user preferences. The SDK does not set cookies on the candidate's host page — it persists its event queue in IndexedDB instead.
Essential
better-auth.session_token — authenticated session cookie. 30-day expiry.
better-auth.session_data — signed session metadata (user id + active org).
__Host-csrf — CSRF mitigation for mutation endpoints.
Functional
proctor.theme — light/dark preference. Stored locally; no server-side tracking.
proctor.last_org — last-selected organisation for users with multiple memberships.
Analytics
We do not set analytics cookies. Server-side logging captures anonymised request metadata for debugging and capacity planning.
Your controls
You can clear all Proctor cookies from your browser's settings at any time. Doing so signs you out of the dashboard; the SDK's IndexedDB queue is unaffected.
This page lists cookies we expect to set once auth hardening (task #47) is complete. The cookie banner that gates analytics cookies lands in the same phase.