Magento 2 Default Cookies

The following cookies are used by Magento Commerce. These cookies may be required by functionality that is explicitly requested by the customer. To learn about the lifetime of session cookies, see Session Lifetime.

Some of these cookies may provide configuration options, including enable/disable, as needed.

Requested Functionality Cookies (Exempt)

add_to_cartMagento Commerce only

Used by Google Tag Manager. Captures the product SKU, name, price and quantity removed from the cart, and makes the information available for future integration by third-party scripts.

guest-view

Stores the Order ID that guest shoppers use to retrieve their order status. Guest orders view. Used in “Orders and Returns” widgets.

  • Is Secure? No
  • HTTP Only: Yes
  • Expiration Policy: Session
  • Module: Magento_Sales

login_redirect

Preserves the destination page the customer was loading before being directed to log in. Used in mini cart for logged in customers if the Display Shopping Cart Sidebar configuration option is set to Yes.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Session
  • Module: Magento_Customer

mage-banners-cache-storageMagento Commerce only

Stores banner content locally to improve performance.

mage-messages

Tracks error messages and other notifications that are shown to the user, such as the cookie consent message, and various error messages. The message is deleted from the cookie after it is shown to the shopper.

There is not an option to disable this cookie.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Duration 1 year. Cleared on frontend when the message is displayed to the user.
  • Module: Magento_Theme

mage-translation-storage (local storage)

Stores translated content when requested by the shopper. Used when Translation Strategy is configured as “Dictionary (Translation on Storefront side)”.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Translation

mage-translation-file-version (local storage)

Tracks the version of translations in local storage. Used when Translation Strategy is configured as Dictionary (Translation on Storefront side).

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Translation

product_data_storage (local storage)

Stores configuration for product data related to Recently Viewed / Compared Products.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Catalog

recently_compared_product (local storage)

Stores product IDs of recently compared products.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Catalog

recently_compared_product_previous (local storage)

Stores product IDs of previously compared products for easy navigation.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Catalog

recently_viewed_product (local storage)

Stores product IDs of recently viewed products for easy navigation.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Catalog

recently_viewed_product_previous (local storage)

Stores product IDs of recently previously viewed products for easy navigation.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Catalog

remove_from_cartMagento Commerce only

Used by Google Tag Manager. Captures the product SKU, name, price and quantity added to the cart, and makes the information available for future integration by third-party scripts.

stf

Records the time messages are sent by the SendFriend (Email a Friend) module.

  • Is Secure? Yes
  • HTTP Only: Yes
  • Expiration Policy: Session
  • Module: Magento_SendFriend

X-Magento-Vary

Configuration setting that improves performance when using Varnish static content caching.

  • Is Secure? Yes
  • HTTP Only: Yes
  • Expiration Policy: Based on PHP setting session.cookie_lifetime
  • Module: Magento_PageCache

Persistent Customization Session Cookies (Exempt)

amz_auth_err

Used if Enable Login with Amazon is enabled. Value 1 indicates an authorization error.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: 1 year
  • Module: Amazon Pay

amz_auth_logout

Used if Enable Login with Amazon is enabled. Value 1 indicates that the user should be logged out.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: 86400s (24h)
  • Module: Amazon Pay

form_key

A security measure that appends a random string to all form submissions to protect the data from Cross-Site Request Forgery (CSRF).

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy:
    • PHP: Based on PHP setting session.cookie_lifetime
    • JS: Session
  • Module: Page Cache

mage-cache-sessid

The value of this cookie triggers the cleanup of local cache storage. When the cookie is removed by the backend application, the Admin cleans up local storage, and sets the cookie value to true.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Session
  • Module: Magento_Customer

mage-cache-storage

Local storage of visitor-specific content that enables ecommerce functions.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Session
  • Module: Magento_Customer, Magento_Persistent

mage-cache-storage (local storage)

Local storage of visitor-specific content that enables ecommerce functions.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Session
  • Module: Magento_Customer, Magento_Persistent, Magento_NegotiableQuote

mage-cache-storage-section-invalidation (local storage)

Forces local storage of specific content sections that should be invalidated.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage
  • Module: Magento_Customer

persistent_shopping_cart

Stores the key (ID) of persistent cart to make it possible to restore the cart for an anonymous shopper.

  • Is Secure? Yes
  • HTTP Only: Yes
  • Expiration Policy: Based on Persistent Shopping Cart - Persistence Lifetime (seconds) configuration
  • Module: Magento_Persistent

private_content_version

Appends a random, unique number and time to pages with customer content to prevent them from being cached on the server.

It is set in multiple places: in PHP, in JavaScript as a cookie, and in JavaScript to local storage.

For the HTTP Only Yes (based on request) means that the cookie Secure if set during HTTPS request and unsecure if set during HTTP request.

  • Is Secure? Yes (based on request), No
  • HTTP Only: No
  • Expiration Policy: Based on Persistent Shopping Cart - Persistence Lifetime (seconds) configuration
    • PHP: 1 year / 315360000s (10yr)
    • JS: 1 day
    • JS local storage: Per local storage rules (forever)
  • Module: Magento_PageCache, Magento_Customer

section_data_ids

Stores customer-specific information related to shopper-initiated actions such as display wish list, checkout information, etc.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Session
  • Module: Magento_Customer

store

Tracks the specific store view / locale selected by the shopper.

  • Is Secure? No
  • HTTP Only: Yes
  • Expiration Policy: 1 year
  • Module: Magento_Store

mage-banners-cache-storage - local storageMagento Commerce only

Local storage for Banner functionality.

  • Is Secure? No
  • HTTP Only: No
  • Expiration Policy: Per local storage rules
  • Module: Magento_Banner

Google Analytics Cookies

The following cookies are used when Google Analytics or Google Universal Analytics is fully enabled for your Magento installation. To disable these cookies for privacy regulation compliance, see Google Privacy Settings. To learn more, see Google Analytics Cookie Usage on Websites.

Google Universal Analytics Cookies - Non-ExemptMagento Commerce only

JavaScript Libraries: gtag.js and analytics.js

  • _ga: Distinguishes visitors to your site.
  • _gid: Distinguishes visitors to your site.
  • gat: Used to throttle request rate.
  • dc_gtm_<property-id>: Throttles request rate when Google Analytics is deployed with Google Tag Manager.
  • AMP_TOKEN: Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values include opt-out, inflight request or an error retrieving a Client ID from  AMP Client ID service.
  • _gac_<property-id>: Contains campaign-related information for the user. Google AdWords conversion tags read this cookie if Google Analytics is linked to your AdWords account.

Google Analytics Cookies - Non-ExemptMagento Open Source only

JavaScript Library: ga.js

  • __utma: Distinguishes shoppers and sessions .This cookie is created when the JavaScript library executes and there is no existing __utma cookie. The cookie is updated every time data is sent to Google Analytics.
  • __utmt: Used to throttle request rate.
  • __utmb: Determines new sessions/visits. This cookie is created when the JavaScript library executes and there is no existing __utmb cookie. The cookie is updated every time data is sent to Google Analytics.
  • _utmz: Saves the traffic source or campaign that explains how the shopper reached your site. The cookie is created when the JavaScript library executes, and is updated every time data is sent to Google Analytics.
  • __utmv: Stores visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor-level custom variable. This cookie is updated every time data is sent to Google Analytics.

Optimize - cookie usage

 

Cookie Name

Default expiration time

Description

_gaexp

Depends on the length of the experiment, but typically 90 days.

Used to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

_opt_awcid

24 hours

Used for campaigns mapped to Google Ads Customer IDs.

_opt_awmid

24 hours

Used for campaigns mapped to Google Ads Campaign IDs.

_opt_awgid

24 hours

Used for campaigns mapped to Google Ads Ad Group IDs

_opt_awkid

24 hours

Used for campaigns mapped to Google Ads Criterion IDs

_opt_utmc

24 hours

Stores the last utm_campaign query parameter.

_opt_expid

10 seconds

This cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that's being redirected.

 

Product Recommendations cookiesMagento Commerce only

The following cookies are used by Product Recommendations for Magento Commerce customers. These cookies are installed with the DataServices module.

  • mg_dnt: Allows you to restrict Magento data collection if you have custom code to manage cookie consent on your site.
  • user_allowed_save_cookie: Used for Magento’s cookie restriction mode.
  • authentication_flag: Indicates if a shopper has signed in or signed out. This cookie is updated at the same time as the dataservices_customer_id cookie.
  • dataservices_customer_id: Indicates if a shopper has signed in or signed out. This cookie does not contain the customer ID.
  • dataservices_cart_id: Identifies a shopper’s cart actions.
  • dataservices_product_context: Identifies a shopper’s product interactions.

Cookies set by the Hotjar script 

Name

Description

Duration

Data type

_hjClosedSurveyInvites

Hotjar cookie that is set once a visitor interacts with an External Link Survey invitation modal. It is used to ensure that the same invite does not reappear if it has already been shown.

365 days

Boolean true/false

_hjDonePolls

Hotjar cookie that is set once a visitor completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in.

365 days

Boolean true/false

_hjMinimizedPolls

Hotjar cookie that is set once a visitor minimizes an On-site Survey widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site.

365 days

Boolean true/false

_hjShownFeedbackMessage

Hotjar cookie that is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if the visitor navigates to another page where it is set to show.

365 days

Boolean true/false

_hjid

Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.

365 days

UUID

_hjRecordingLastActivity

This should be found in Session storage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records).

Session

Numerical Value (Timestamp)

_hjTLDTest

When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.

Session

Boolean true/false

_hjUserAttributesHash

User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated.

Session

Hash

_hjCachedUserAttributes

This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool.

Session

JSON

_hjLocalStorageTest

This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.

Under 100ms

Boolean true/false

_hjIncludedInPageviewSample

This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's pageview limit.

30 minutes

Boolean true/false

_hjIncludedInSessionSample

This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's daily session limit.

30 minutes

Boolean true/false

_hjAbsoluteSessionInProgress

This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.

30 Minutes

Boolean true/false

_hjFirstSeen

This is set to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.

Session

Boolean true/false

hjViewportId

This stores information about the user viewport such as size and dimensions.

Session

UUID

_hjRecordingEnabled

This is added when a Recording starts and is read when the recording module is initialized to see if the user is already in a recording in a particular session.

Session

Boolean true/false





Microsoft/Bing

https://learn.microsoft.com/en-us/clarity/setup-and-installation/cookie-list

 

MUID

Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.




Meta/Facebook/Instagram

https://www.facebook.com/privacy/policies/cookies

Wisepops

https://support.wisepops.com/article/chyhkm9j7z-data-and-cookie-policy

 

Cookie

Purpose

wisepops

Expiration: 2 years

Necessary: Yes

This is where we store various persistent data to make the experience of your visitors is in line with your targeting.

Example: The campaigns the visitor has seen and converted, their A/B testing group, etc.

wisepops_visits

Expiration: 2 years

Necessary: Yes

Persistent cookie where the last 10 visits dates are stored.

This is to resolve conditions such as "Display to the visitors who came 5 times in the last month".

wisepops_props

Expiration: 2 years

Necessary: Yes

This persistent cookie stores the custom properties across sessions.

This is also a cookie for targeting resolution. For example: "Last purchase date is before 1 month ago".

wisepops_noshow

Expiration: 2 years

Necessary: Yes

Persistent cookie that disables Wisepops.

This cookie is created when a visitor clicks "Don't show popups again".

wisepops_session

Expiration: Session

Necessary: Yes

Data is stored during the session and a maximum of 2 hours for targeting resolution.

Example: The initial referrer, the UTM parameters of the first page of the visit, etc.

viewedOuibounceModal

Expiration: Session

Necessary: Yes

Technical session cookie used for exit-intent detection.

wisepops_activity_session

Expiration: Session

Necessary: No

Analytics identifier that allows us to provide reports of your campaign's performances.