We have three cookies that are set for 20 years, but it appears the ePrivacy Directive says they should only last for one:
accepted_tos, set when accepting the TOS prompt while logged out
user_credentials, set when logging in as a regular user
admin_credentials, set when logged in as an admin
To test, you can use your browser's developer tools to check the expiration dates on these cookies. Exact instructions will vary by browser.