As per GDPR, users do not need to give consent for your application to use session cookies. This is because they fall under essential cookies and not tracking cookies:
"While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user."
#Information about our session cookies
sAccessToken: This is the session's access token which is used in each API call to verify that the user was authenticated and to get their user ID (when using cookie based authentication).
sRefreshToken: This is the session's refresh token which is used to get a new access (and refresh token) when the existing access token expires (when using cookie based authentication).
sFrontToken: Used to access a session's access token payload and user ID on the frontend without exposing the
sAntiCsrf: Used to prevent CSRF attacks.
st-last-access-token-update: Used by the frontend to know if a session exists, and when the access token has changed.
st-access-token: Used by the frontend to store the access token for header based authentication.
st-refresh-token: Used by the frontend to store the refresh token for header based authentication.