a cookie representing authentication session with your app isn't personal data, and doesn't need privacy policy, especially if your login is arbitrary and not an email.

It doesn't matter how long it's active either, unless you use it to track users activity elsewhere

If it's used to determine identity, it's a kind of personal data.

However, as you say, it might be allowed by GDPR without requesting extra approval, depending on the way that it's being used and who it is shared with?

Hence my question about whether the length of time that you store this data legally matters (because since databases can be stolen, it eventually does). Compare with how ISPs must store all your connection logs for a specific amount of time.

a session cookie establishing your authentication session only links you with the account in the system. Now, what other data is attached to that account is another thing. For example, the typical forum of yore would only have to take care of emails at best - if it doesn't have personal data, it's irrelevant, because you can't link that identity with your IRL identity.

Length of time you store the data doesn't matter, except in the sense where you can prove that effectively you do not store it at all - for example by anonymization of logs so that you do not effectively store IP addresses, even if of course they have to exist in full in the system at some point to keep the connection open.