Cookie law compliance
Cookies are small files that are saved to the computer of each visitor to your site, and used as temporary holding places for information. Information that is saved in cookies is used to personalize the shopping experience, link visitors to their shopping carts, measure traffic patterns, and improve the effectiveness of promotions. To keep pace with legislation in many countries regarding the use of cookies, Adobe Commerce and Magento Open Source offer merchants a choice of methods to obtain customer consent. For a list of the default cookies in Adobe Commerce and Magento Open Source, see the Cookie Reference.
Cookie restriction mode
When cookie restriction mode is enabled, visitors to your store are notified that cookies are required for full-featured operations. Depending on your theme, the message might appear above the header, below the footer, or somewhere else on the page. The message links to your privacy policy for more information, and encourages visitors to click the Allow button to grant consent. After consent is granted, the message disappears.
Your privacy policy should include the name of your store and contact information, and explain the purpose of each cookie that is used by your store. To learn more, see Cookie Reference.
Step 1: Enable cookie restriction mode
- On the Admin sidebar, go to Stores > Settings > Configuration.
- In the left navigation panel under General, choose Web.
- Expand the Default Cookie Settings section and do the following:
  - Enter the Cookie Lifetime in seconds.
  - If you want to make cookies available to other folders, enter the Cookie Path. To make the cookies available anywhere in the site, enter a forward slash (/). This value can contain only the cookie path, and cannot contain any other cookie parameters.
  - To make the cookies available to a subdomain, enter the subdomain name in the Cookie Domain field (subdomain.yourdomain.com). To make cookies available to all subdomains, enter the domain name preceded by a period (.yourdomain.com). This value can contain only the cookie domain, and cannot contain any other cookie parameters.
  - To prevent scripting languages, such as JavaScript, from gaining access to cookies, make sure that Use HTTP Only is set to Yes.
  - Set Cookie Restriction Mode to Yes. If necessary, clear the checkbox and click OK to confirm scope switching.
- When complete, click Save Config.
- When prompted to update the cache, click the Cache Management link in the system message and refresh each invalid cache.
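After the configuration is saved and the cache refreshed, the Set-Cookie headers returned by the storefront can be compared with the values entered in Step 1. The following Python check is an added example, not part of Adobe Commerce: the header lines, the shop.example.com domain, the expected values, and the HTTPONLY_REQUIRED set are constructed assumptions.

```python
# Added example: audit Set-Cookie headers against the Default Cookie Settings.
# SAMPLE_HEADERS is constructed data, not captured from a real store.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Max-Age=3600; path=/; domain=shop.example.com; HttpOnly",
    "admin=def456; Max-Age=3600; path=/; domain=shop.example.com",
    "store=default; Max-Age=3600; path=/; domain=.example.com; HttpOnly",
    "X-Magento-Vary=9f8e; Max-Age=86400; path=/shop; domain=shop.example.com; HttpOnly",
]

# Values assumed to have been entered in Step 1 (hypothetical store).
EXPECTED = {"lifetime": 3600, "path": "/", "domain": "shop.example.com"}

# Assumption: session identifiers are the cookies scripts must never read.
HTTPONLY_REQUIRED = {"PHPSESSID", "admin"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(header, expected=EXPECTED):
    """Return (cookie name, list of deviations from the configured values)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if name in HTTPONLY_REQUIRED and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("domain") != expected["domain"]:
        findings.append("domain is %r" % attrs.get("domain"))
    if attrs.get("path") != expected["path"]:
        findings.append("path is %r" % attrs.get("path"))
    if attrs.get("max-age") != str(expected["lifetime"]):
        findings.append("Max-Age is %r" % attrs.get("max-age"))
    return name, findings


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(audit(line))
```

A leading-period domain such as .example.com is reported because it widens the cookie's scope to every subdomain, which matters when other hosts under the domain are less trusted than the store.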
Step 2: Update your privacy policy
Update your privacy policy so that it reflects the information that your company collects and how it is used.
Default cookies
The default cookies in Adobe Commerce and Magento Open Source are classified as Exempt/Non-Exempt to help merchants meet the requirements of privacy regulations such as the GDPR. Merchants should use this information as a guide, and consult with legal advisors to update their Privacy and Cookie Policies as part of a comprehensive privacy regulation compliance strategy.
The following cookies are used by Commerce “out of the box” for on-premise and cloud installations. These cookies may be required by functionality that is explicitly requested by the customer. To learn more about the lifetime of session cookies, see Session Lifetime.
Some of these cookies may provide configuration options, including enable/disable, as needed.
Requested functionality cookies (exempt)
add_to_cart
(Adobe Commerce only) Captures the product SKU, name, price, and quantity removed from the cart. Allows Google Analytics to know when a product has been added to a cart.
guest-view
Links a guest order to a guest (because there is no account for guest).
login_redirect
Saves the redirect URL used to route the user after successful login and user registration. Saves the page that a user was on prior to log in (to determine the location they will go back to after they log in).
mage-banners-cache-storage
(Adobe Commerce only) Stores banner content locally to improve performance. Banner content is any content that a merchant would display on their website.
mage-messages
Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper. There is not an option to disable this cookie. This is how one-time information is communicated to the user, such as error messages.
product_data_storage
(local storage)
Stores configuration for product data used by the “Recently Viewed” and “Compare Products” functions. Stores a user’s specific settings (for example, if they have recently viewed a product or compared products).
recently_compared_product
(local storage)
Stores product IDs of recently compared products.
recently_compared_product_previous
(local storage)
Stores product IDs of previously compared products for easy navigation.
recently_viewed_product
(local storage)
Stores product IDs of recently viewed products for easy navigation.
recently_viewed_product_previous
(local storage)
Stores product IDs of recently viewed products for easy navigation.
remove_from_cart
(Adobe Commerce only) Allows Google Analytics to know when a product has been removed from a cart.
stf
Records the time messages are sent by the SendFriend (Email a Friend) module. When a shopper sends a link to a product, this cookie records a time-stamp and maintains a count.
X-Magento-Vary
Indicates when a new version of a page needs to be served from the cache. Supports website performance.
form_key
A security mechanism that holds a randomly generated value to prevent Cross Site Request Forgery attacks (CSRF) by helping determine whether a request came from a genuine source or a bad actor. This is an industry-standard practice to prevent CSRF attacks.
mage-cache-sessid
Useful in determining when to clean local storage in the browser after session expiry. This is used to determine if local storage has to be cleaned. The absence of this cookie triggers local storage cleanup.
mage-cache-storage
Local storage of visitor-specific content that enables e-commerce functions. Unused by default, but when it is used, it’s used to expedite checkout so that basic user information is available when someone leaves and returns.
mage-cache-storage-section-invalidation
Stores information related to which sections of the page need to be invalidated and removed.
persistent_shopping_cart
Stores the key ID of a persistent cart to make it possible to restore the cart for an anonymous shopper.
private_content_version
Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server. It is set in multiple places: in PHP, in JavaScript as a cookie, and in JavaScript to local storage.
section_data_ids
Stores customer-specific information related to shopper-initiated actions, such as wish list display and checkout information.
store
Tracks the specific store view/locale selected by the shopper.
mage-banners-cache-storage
(Adobe Commerce only) Local storage for Banner functionality. Banner means general website assets, that is, any information displayed to a shopper.
PHPSESSID
Tracks user sessions on the storefront. These users are the shoppers who use the end products.
admin
Tracks user sessions on the Admin side.
loggedOutReasonCode
Set when an Admin user is locked out after a certain number of unsuccessful password attempts.
section_data_clean
Set when a user switches store view. The presence of this cookie triggers JavaScript to reload certain sections on the page to reflect the correct store view.
lang
Set indirectly by the Admin Analytics module. Used only in an administrative area of a store. Not applicable to shoppers.
s_fid
Set indirectly by the Admin Analytics module. Fallback unique visitor ID time/date stamp. It is used to identify a unique visitor if the standard s_vi cookie is unavailable due to third-party cookie restrictions. Used only in an administrative area of a store. Not applicable to shoppers.
s_cc
Set indirectly by the Admin Analytics module. It is set and read by the JavaScript code to determine if cookies are enabled. Used only in an administrative area of a store. Not applicable to shoppers.
apt.sid
Set by the Gainsight PX library indirectly used by the Admin Analytics module. The purpose of this cookie is to allow persistent session ID tracking under the top-level domain of the product and is used as a reference ID to the active session. Used only in an administrative area of a store. Not applicable to shoppers.
apt.uid
Set by the Gainsight PX library indirectly used by the Admin Analytics module. The purpose of this cookie is to allow persistent ID tracking under the top-level domain of the product and is used as a reference ID to the user entity. Used only in an administrative area of a store. Not applicable to shoppers.
s_sq
Set indirectly by the Admin Analytics module. Used by the ClickMap feature that collects data on where visitors click and what they click. Stores information from each click. Used only in an administrative area of a store. Not applicable to shoppers.
pagebuilder_modal_dismissed
Set by the Page Builder Module. Contains a flag that prevents subsequent prompts asking an admin to confirm a certain action from opening if the admin explicitly dismissed them before. Used only in an administrative area of a store. Not applicable to shoppers.
pagebuilder_template_apply_confirm
Set by the Page Builder Module. Contains a flag that prevents subsequent prompts asking an admin to confirm a certain action from opening if the admin explicitly dismissed them before. Used only in an administrative area of a store. Not applicable to shoppers.
accordion-{VARIABLE}-{VARIABLE}
Used as part of the tabs functionality implementation, only in an administrative area of a store. Not applicable to shoppers.
Product Recommendations cookies
(Adobe Commerce only) The following cookies are used by Product Recommendations for Adobe Commerce customers. These cookies are installed with the DataServices module.
mg_dnt: Allows you to restrict Adobe Commerce data collection if you have custom code to manage cookie consent on your site.
user_allowed_save_cookie: Used for cookie restriction mode.
authentication_flag: Indicates if a shopper has signed in or signed out. This cookie is updated at the same time as the dataservices_customer_id cookie.
dataservices_customer_id: Indicates if a shopper has signed in or signed out. This cookie contains the customer’s unique ID in the system.
dataservices_customer_group: Indicates a customer’s group. This cookie is stored as a sha1 checksum of the customer’s group ID.
dataservices_cart_id: Identifies a shopper’s cart actions. This cookie contains the customer’s unique cart ID in the system.
dataservices_product_context: Identifies a shopper’s product interactions. This cookie contains the customer’s unique quote ID in the system.
Additional cookies
(Adobe Commerce only) The following cookies are set for Adobe Commerce customers. These cookies are installed with the DataServices module.
mg: Set by Snowplow JavaScript tracker. More information can be found in the Snowplow documentation.
com.adobe.alloy.getTld: Given the current web page’s hostname, this is the top-most domain that is not a “public suffix” as outlined in https://publicsuffix.org. Essentially, this is the top-most domain that can accept cookies. This cookie is part of the Alloy Web SDK.