Only tracking cookies require consent. Cookies could be about the last time you saw the website's weather content, in which case it's purely functional and need no consent.
Not all places in the world share the same set of laws or jurisprudence. What's allowed or required and what isn't is entirely dependent on the jurisdiction(s) the website operators are beholden to.
Are you sure of that ? I knew that the competent jurisprudence or "forum" is that of the user, or everyone could circumvent the law using "offshore" companies to track people in regulated countries (i.e. EU). I was reading here on HN that , for that reason ( avoid EU Regulation ) sites like New York Times, blocked the availability of their contents in whole EU.
I was checking, see here, for example:
https://reutersinstitute.politics.ox.ac.uk/news/many-eu-visi...
Insofar as what the jurisdictions the website operators are beholden to or perhaps care about have to say about it, but otherwise I (not a laywer) share your perspective.
Strictly necessary cookies do not have to be session cookies. If you read https://gdpr.eu/cookies/ it says they generally will be session cookies, not that they must be. If you think it is appropriate for your users to be already logged in the next time they run their web browser, using a persistent cookie for that is permitted.
Yes, they can become persistent once you get consent or other grounds. You probably get that consent in registration form and "recall" it on login. Otherwise you process data from across sessions, which is a huge red flag.