Magento 2 Default Cookies
The following cookies are used by Magento Commerce. These cookies may be required by functionality that is explicitly requested by the customer. To learn about the lifetime of session cookies, see Session Lifetime.
Some of these cookies may provide configuration options, including enable/disable, as needed.
Requested Functionality Cookies (Exempt)
add_to_cartMagento Commerce only
Used by Google Tag Manager. Captures the product SKU, name, price and quantity removed from the cart, and makes the information available for future integration by third-party scripts.
guest-view
Stores the Order ID that guest shoppers use to retrieve their order status. Guest orders view. Used in “Orders and Returns” widgets.
- Is Secure? No
- HTTP Only: Yes
- Expiration Policy: Session
- Module: Magento_Sales
login_redirect
Preserves the destination page the customer was loading before being directed to log in. Used in mini cart for logged in customers if the Display Shopping Cart Sidebar configuration option is set to Yes.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Session
- Module: Magento_Customer
mage-banners-cache-storageMagento Commerce only
Stores banner content locally to improve performance.
mage-messages
Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper.
There is not an option to disable this cookie.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Duration 1 year. Cleared on frontend when the message is displayed to the user.
- Module: Magento_Theme
mage-translation-storage (local storage)
Stores translated content when requested by the shopper. Used when Translation Strategy is configured as “Dictionary (Translation on Storefront side)”.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Translation
mage-translation-file-version (local storage)
Tracks the version of translations in local storage. Used when Translation Strategy is configured as Dictionary (Translation on Storefront side).
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Translation
product_data_storage (local storage)
Stores configuration for product data related to Recently Viewed / Compared Products.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Catalog
recently_compared_product (local storage)
Stores product IDs of recently compared products.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Catalog
recently_compared_product_previous (local storage)
Stores product IDs of previously compared products for easy navigation.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Catalog
recently_viewed_product (local storage)
Stores product IDs of recently viewed products for easy navigation.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Catalog
recently_viewed_product_previous (local storage)
Stores product IDs of recently previously viewed products for easy navigation.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Catalog
remove_from_cartMagento Commerce only
Used by Google Tag Manager. Captures the product SKU, name, price and quantity added to the cart, and makes the information available for future integration by third-party scripts.
stf
Records the time messages are sent by the SendFriend (Email a Friend) module.
- Is Secure? Yes
- HTTP Only: Yes
- Expiration Policy: Session
- Module: Magento_SendFriend
X-Magento-Vary
Configuration setting that improves performance when using Varnish static content caching.
- Is Secure? Yes
- HTTP Only: Yes
- Expiration Policy: Based on PHP setting session.cookie_lifetime
- Module: Magento_PageCache
Persistent Customization Session Cookies (Exempt)
amz_auth_err
Used if Enable Login with Amazon is enabled. Value 1 indicates an authorization error.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: 1 year
- Module: Amazon Pay
amz_auth_logout
Used if Enable Login with Amazon is enabled. Value 1 indicates that the user should be logged out.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: 86400s (24h)
- Module: Amazon Pay
form_key
A security measure that appends a random string to all form submissions to protect the data from Cross-Site Request Forgery (CSRF).
- Is Secure? No
- HTTP Only: No
- Expiration Policy:
- PHP: Based on PHP setting session.cookie_lifetime
- JS: Session
- Module: Page Cache
mage-cache-sessid
The value of this cookie triggers the cleanup of local cache storage. When the cookie is removed by the backend application, the Admin cleans up local storage, and sets the cookie value to true.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Session
- Module: Magento_Customer
mage-cache-storage
Local storage of visitor-specific content that enables ecommerce functions.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Session
- Module: Magento_Customer, Magento_Persistent
mage-cache-storage (local storage)
Local storage of visitor-specific content that enables ecommerce functions.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Session
- Module: Magento_Customer, Magento_Persistent, Magento_NegotiableQuote
mage-cache-storage-section-invalidation (local storage)
Forces local storage of specific content sections that should be invalidated.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage
- Module: Magento_Customer
persistent_shopping_cart
Stores the key (ID) of persistent cart to make it possible to restore the cart for an anonymous shopper.
- Is Secure? Yes
- HTTP Only: Yes
- Expiration Policy: Based on Persistent Shopping Cart - Persistence Lifetime (seconds) configuration
- Module: Magento_Persistent
private_content_version
Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server.
It is set in multiple places: in PHP, in JavaScript as a cookie, and in JavaScript to local storage.
For the HTTP Only Yes (based on request) means that the cookie Secure if set during HTTPS request and unsecure if set during HTTP request.
- Is Secure? Yes (based on request), No
- HTTP Only: No
- Expiration Policy: Based on Persistent Shopping Cart - Persistence Lifetime (seconds) configuration
- PHP: 1 year / 315360000s (10yr)
- JS: 1 day
- JS local storage: Per local storage rules (forever)
- Module: Magento_PageCache, Magento_Customer
section_data_ids
Stores customer-specific information related to shopper-initiated actions such as display wish list, checkout information, etc.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Session
- Module: Magento_Customer
store
Tracks the specific store view / locale selected by the shopper.
- Is Secure? No
- HTTP Only: Yes
- Expiration Policy: 1 year
- Module: Magento_Store
mage-banners-cache-storage - local storageMagento Commerce only
Local storage for Banner functionality.
- Is Secure? No
- HTTP Only: No
- Expiration Policy: Per local storage rules
- Module: Magento_Banner
Google Analytics Cookies
The following cookies are used when Google Analytics or Google Universal Analytics is fully enabled for your Magento installation. To disable these cookies for privacy regulation compliance, see Google Privacy Settings. To learn more, see Google Analytics Cookie Usage on Websites.
Google Universal Analytics Cookies - Non-ExemptMagento Commerce only
JavaScript Libraries: gtag.js and analytics.js
- _ga: Distinguishes visitors to your site.
- _gid: Distinguishes visitors to your site.
- gat: Used to throttle request rate.
- dc_gtm_<property-id>: Throttles request rate when Google Analytics is deployed with Google Tag Manager.
- AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values include opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service.
- _gac_<property-id>: Contains campaign-related information for the user. Google AdWords conversion tags read this cookie if Google Analytics is linked to your AdWords account.
Google Analytics Cookies - Non-ExemptMagento Open Source only
JavaScript Library: ga.js
- __utma: Distinguishes shoppers and sessions .This cookie is created when the JavaScript library executes and there is no existing __utma cookie. The cookie is updated every time data is sent to Google Analytics.
- __utmt: Used to throttle request rate.
- __utmb: Determines new sessions/visits. This cookie is created when the JavaScript library executes and there is no existing __utmb cookie. The cookie is updated every time data is sent to Google Analytics.
- _utmz: Saves the traffic source or campaign that explains how the shopper reached your site. The cookie is created when the JavaScript library executes, and is updated every time data is sent to Google Analytics.
- __utmv: Stores visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor-level custom variable. This cookie is updated every time data is sent to Google Analytics.
Optimize - cookie usage
Cookie Name |
Default expiration time |
Description |
_gaexp |
Depends on the length of the experiment, but typically 90 days. |
Used to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in. |
_opt_awcid |
24 hours |
Used for campaigns mapped to Google Ads Customer IDs. |
_opt_awmid |
24 hours |
Used for campaigns mapped to Google Ads Campaign IDs. |
_opt_awgid |
24 hours |
Used for campaigns mapped to Google Ads Ad Group IDs |
_opt_awkid |
24 hours |
Used for campaigns mapped to Google Ads Criterion IDs |
_opt_utmc |
24 hours |
Stores the last utm_campaign query parameter. |
_opt_expid |
10 seconds |
This cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that's being redirected. |
Product Recommendations cookiesMagento Commerce only
The following cookies are used by Product Recommendations for Magento Commerce customers. These cookies are installed with the DataServices module.
- mg_dnt: Allows you to restrict Magento data collection if you have custom code to manage cookie consent on your site.
- user_allowed_save_cookie: Used for Magento’s cookie restriction mode.
- authentication_flag: Indicates if a shopper has signed in or signed out. This cookie is updated at the same time as the dataservices_customer_id cookie.
- dataservices_customer_id: Indicates if a shopper has signed in or signed out. This cookie does not contain the customer ID.
- dataservices_cart_id: Identifies a shopper’s cart actions.
- dataservices_product_context: Identifies a shopper’s product interactions.
Cookies set by the Hotjar script
Name |
Description |
Duration |
Data type |
_hjClosedSurveyInvites |
Hotjar cookie that is set once a visitor interacts with an External Link Survey invitation modal. It is used to ensure that the same invite does not reappear if it has already been shown. |
365 days |
Boolean true/false |
_hjDonePolls |
Hotjar cookie that is set once a visitor completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in. |
365 days |
Boolean true/false |
_hjMinimizedPolls |
Hotjar cookie that is set once a visitor minimizes an On-site Survey widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site. |
365 days |
Boolean true/false |
_hjShownFeedbackMessage |
Hotjar cookie that is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if the visitor navigates to another page where it is set to show. |
365 days |
Boolean true/false |
_hjid |
Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
365 days |
UUID |
_hjRecordingLastActivity |
This should be found in Session storage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records). |
Session |
Numerical Value (Timestamp) |
_hjTLDTest |
When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed. |
Session |
Boolean true/false |
_hjUserAttributesHash |
User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated. |
Session |
Hash |
_hjCachedUserAttributes |
This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool. |
Session |
JSON |
_hjLocalStorageTest |
This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created. |
Under 100ms |
Boolean true/false |
_hjIncludedInPageviewSample |
This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's pageview limit. |
30 minutes |
Boolean true/false |
_hjIncludedInSessionSample |
This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's daily session limit. |
30 minutes |
Boolean true/false |
_hjAbsoluteSessionInProgress |
This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie. |
30 Minutes |
Boolean true/false |
_hjFirstSeen |
This is set to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions. |
Session |
Boolean true/false |
hjViewportId |
This stores information about the user viewport such as size and dimensions. |
Session |
UUID |
_hjRecordingEnabled |
This is added when a Recording starts and is read when the recording module is initialized to see if the user is already in a recording in a particular session. |
Session |
Boolean true/false |
Microsoft/Bing
https://learn.microsoft.com/en-us/clarity/setup-and-installation/cookie-list
MUID
Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.
Meta/Facebook/Instagram
https://www.facebook.com/privacy/policies/cookies
Wisepops
https://support.wisepops.com/article/chyhkm9j7z-data-and-cookie-policy
Cookie |
Purpose |
wisepops Expiration: 2 years Necessary: Yes |
This is where we store various persistent data to make the experience of your visitors is in line with your targeting. Example: The campaigns the visitor has seen and converted, their A/B testing group, etc. |
wisepops_visits Expiration: 2 years Necessary: Yes |
Persistent cookie where the last 10 visits dates are stored. This is to resolve conditions such as "Display to the visitors who came 5 times in the last month". |
wisepops_props Expiration: 2 years Necessary: Yes |
This persistent cookie stores the custom properties across sessions. This is also a cookie for targeting resolution. For example: "Last purchase date is before 1 month ago". |
wisepops_noshow Expiration: 2 years Necessary: Yes |
Persistent cookie that disables Wisepops. This cookie is created when a visitor clicks "Don't show popups again". |
wisepops_session Expiration: Session Necessary: Yes |
Data is stored during the session and a maximum of 2 hours for targeting resolution. Example: The initial referrer, the UTM parameters of the first page of the visit, etc. |
viewedOuibounceModal Expiration: Session Necessary: Yes |
Technical session cookie used for exit-intent detection. |
wisepops_activity_session Expiration: Session Necessary: No |
Analytics identifier that allows us to provide reports of your campaign's performances. |