...

When a client interacts with a protected resource and a request is generated for an IdP, the resource that the client requested MAY be stored in a session cookie with a pseudo-random name. No personal information is included. In recent versions, the use of a cookie for this purpose is no longer the default, but it may be re-enabled and is found in many older configurations. It is a session-bounded cookie, although in many browsers today session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.

Message Correlation 3.1

A cookie is used to record request identifiers in order to support enforcing response correlation and blocking of unsolicited responses. It is a session-bounded cookie, although in many browsers today session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.
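The correlation check described above, sketched as an added example; this is not the SP's own code. The cookie name, the space-separated value format and the cap on pending requests are assumptions made for illustration, and a plain dict stands in for the browser's cookie jar.

```python
import secrets

COOKIE = "example_corr"  # hypothetical cookie name, not the SP's real one
MAX_PENDING = 5          # assumed cap on outstanding requests per browser


def record_request(cookies: dict) -> str:
    """Generate a request ID and remember it in the session cookie."""
    request_id = "_" + secrets.token_hex(16)
    pending = cookies.get(COOKIE, "").split()
    pending.append(request_id)
    # Keep only the newest IDs so the cookie cannot grow without bound.
    cookies[COOKIE] = " ".join(pending[-MAX_PENDING:])
    return request_id


def accept_response(cookies: dict, in_response_to) -> bool:
    """Accept a response only if it answers a request this browser made."""
    pending = cookies.get(COOKIE, "").split()
    if not in_response_to or in_response_to not in pending:
        return False  # unsolicited, or correlated to an unknown request
    # Erase the identifier once used, so the same response cannot be replayed.
    pending.remove(in_response_to)
    if pending:
        cookies[COOKIE] = " ".join(pending)
    else:
        cookies.pop(COOKIE, None)  # nothing left to track: drop the cookie
    return True


if __name__ == "__main__":
    jar = {}  # constructed stand-in for one browser session
    rid = record_request(jar)
    print("unsolicited accepted:", accept_response(jar, None))
    print("forged ID accepted:  ", accept_response(jar, "_forged"))
    print("matching accepted:   ", accept_response(jar, rid))
    print("replay accepted:     ", accept_response(jar, rid))
```
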

Form POST State

An optional feature, off by default, exists to preserve form submission data to a protected location if the SP has to interrupt the submission with a request to an IdP. If enabled, the data itself is stored on the server, but a pseudo-random key to identify it is stored in a cookie. No personal information is included in the cookie itself. It is a session-bounded cookie, although in many browsers today, session cookies may never be deleted under ordinary usage. However, the cookie values are erased under ordinary usage by the SP itself.

...