Each visitor gets a xf_session cookie. With the login you also get a xf_user cookie. When you disable the xf_session cookie after login, the xf_user cookie lets you still browsing the community as a logged in member. What are the purposes of the xf_session cookies? I found these: guest personalized settings like "disable this information" the login pages - I guess as well as the register pages - only work with this cookie The xf_session cookie is always used on all pages regardeless whether the user is logged in (uses the xf_user cookie) or even logged in within the admin area (the xf_admin cookie is used here). Why is the xf_session cookie not removed when a user logs in? As a sidenote: The xf_user cookie lets you browse the community pages without the xf_session cookie. The xf_admin cookie only works with the xf_session cookie.