...

Whenever a client successfully logs into the SP with a supported protocol, a cookie specific to that user's session is set and used to associate the rest of that session's requests with the user's login information. The cookie itself contains an opaque, pseudo-random value and no other information. It is a session-scoped cookie, although in many browsers today session cookies may never actually be deleted under ordinary usage. The SP itself, however, clears the cookie's value in the course of ordinary usage.

Session Recovery

An optional feature, off by default, preserves the session and a limited set of attribute state on the client so that sessions can migrate between servers. The data is encrypted under a key held by the SP servers, which can be rotated regularly. Anyone with access to that key could fully recover the potentially sensitive PII in the cookie. It is a session-scoped cookie, although in many browsers today session cookies may never actually be deleted under ordinary usage. The SP itself, however, clears the cookie's value in the course of ordinary usage.
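
To make the key-handling consequences concrete, the following is an added illustration (not Shibboleth SP code, and not its actual cookie format): a key ring shared by the SP servers seals recovery state under the current key, names that key in the cookie so peers can open it across a rotation, and loses all ability to recover the state once the key is retired. The key ids, cookie layout, and sample attribute string are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// KeyRing models the data-encryption keys shared by every SP server. Each cookie names
// the key that sealed it, so cookies sealed before a rotation open until that key is retired.
type KeyRing struct{ keys map[string][]byte; current string }

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

// Rotate installs a fresh random 256-bit key under id and makes it the sealing key.
func (r *KeyRing) Rotate(id string) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	r.keys[id], r.current = k, id
}

// Retire deletes a key; state sealed under it becomes unrecoverable for everyone.
func (r *KeyRing) Retire(id string) { delete(r.keys, id) }

func (r *KeyRing) aead(id string) (cipher.AEAD, error) {
	k, ok := r.keys[id]
	if !ok { return nil, errors.New("unknown key id") }
	block, err := aes.NewCipher(k)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealState encrypts recovery state (possibly PII) as "keyid.base64url(nonce||ciphertext)"; the key id is AEAD associated data.
func (r *KeyRing) SealState(state string) (string, error) {
	g, err := r.aead(r.current)
	if err != nil { return "", err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := g.Seal(nonce, nonce, []byte(state), []byte(r.current))
	return r.current + "." + base64.RawURLEncoding.EncodeToString(ct), nil
}

// OpenState recovers state with whichever ring key the cookie names and fails closed otherwise.
func (r *KeyRing) OpenState(cookie string) (string, error) {
	id, enc, ok := strings.Cut(cookie, ".")
	if !ok { return "", errors.New("malformed cookie") }
	g, err := r.aead(id)
	if err != nil { return "", err }
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(raw) < g.NonceSize() { return "", errors.New("malformed cookie") }
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(id))
	if err != nil { return "", errors.New("cookie tampered or key mismatch") }
	return string(pt), nil
}
```

Retiring the old key promptly after a rotation is what bounds the window in which the PII in already-issued cookies can be recovered.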

Relay State

When a client interacts with a protected resource and a request is generated for an IdP, the resource that the client requested MAY be stored in a session cookie with a pseudo-random name. No personal information is included. In recent versions, using a cookie for this purpose is no longer the default, but it may be re-enabled and is found in many older configurations. It is a session-scoped cookie, although in many browsers today session cookies may never actually be deleted under ordinary usage. The SP itself, however, clears the cookie's value in the course of ordinary usage.

...