The Mendix app sets two cookies. XASID and XASSESSIONID. The first is used in scenarios with load-balancers. The second is used to identify a unique user session.
The cookies are both session cookies and aren't persistent (there is no Max-Age set for them).
Sessions are (usually, and in the case of Mendix) stored via cookies. Because HTTP is stateless, the server needs some way of uniquely identifying a browser request. Cookies are used for this. In the case of Mendix, via an "XASSESSIONID" cookie.
You can easily view/verify this by checking your browser cookies when you're logged in to a Mendix app.
Currently I also see a Mendix cookie test. Why is it in there and how do you remove it?
Also why does Mendix use a _Ga cookie that is valid for 2 years