Magento 2 Cookies: Configure, Comply, and Optimize
[Updated: March 16, 2026] One misconfigured cookie setting can block your checkout, trigger GDPR fines up to €20 million, or break your analytics tracking. Magento 2 cookies control sessions, personalization, and compliance across your entire store.
This guide covers cookie configuration, restriction mode, Google Consent Mode v2, and common troubleshooting fixes.
Key Takeaways
- Magento 2 uses session cookies for active visits and persistent cookies for returning user preferences.
- Cookie restriction mode displays a consent banner and blocks non-essential cookies until approved.
- Google Consent Mode v2 is mandatory for stores targeting EEA and UK customers since March 2024.
- The default cookie lifetime is 3600 seconds (1 hour). Set it to 0 for browser-session-only cookies.
- Regular cookie audits prevent compliance gaps from third-party extensions and analytics tools.
What Are Magento 2 Cookies?
Magento 2 cookies are small data files stored in a visitor's browser that manage sessions, security tokens, and personalization. They keep carts intact, remember store preferences, and enable analytics tracking.
Perfect for: Store owners configuring privacy compliance, developers customizing cookie behavior, merchants targeting EU/UK/California customers.
Not ideal for: Stores with zero third-party integrations that only use server-side sessions.
Magento 2 relies on cookies for core operations. The PHPSESSID cookie tracks user sessions. The form_key cookie prevents cross-site request forgery (CSRF) attacks. The store cookie remembers which store view a customer selected.
Beyond core functionality, cookies support analytics and marketing tools like Google Analytics 4 and advertising pixels. Third-party extensions often introduce their own cookies for tracking, A/B testing, and personalization.
Adobe Commerce and Magento Open Source classify cookies into exempt (required for operations) and non-exempt (marketing, analytics) categories. This classification forms the foundation of cookie restriction mode and GDPR compliance.
2 Types of Cookies in Magento 2
1. Session Cookies
Session cookies are temporary. Magento 2 uses them to manage login status, form submissions, and shopping cart contents during a single browsing session.
These cookies expire the moment the browser closes. They handle real-time operations like CSRF protection (form_key), session tracking (PHPSESSID), and customer section data (section_data_ids).
Session cookies are classified as exempt. They do not require user consent because the store cannot function without them.
2. Persistent Cookies
Persistent cookies remain on the device after the browser session ends. Magento 2 uses them to remember store view selections, wishlist items, and products viewed on past visits across multiple sessions.
These cookies have defined expiry dates based on your store configuration. The persistent_shopping_cart cookie restores cart contents for returning visitors. Language and currency preferences also persist through these cookies.
Persistent cookies that track behavior or enable marketing functions fall into the non-exempt category and require user consent under GDPR and similar regulations.
Default Magento 2 Cookies Reference
Magento 2 sets over 30 cookies by default. Here are the most important ones:
| Cookie | Type | Purpose | Exempt? |
|---|---|---|---|
| PHPSESSID | Session | User session tracking | Yes |
| form_key | Session | CSRF attack prevention | Yes |
| store | Persistent | Selected store view | Yes |
| persistent_shopping_cart | Persistent | Cart restoration for returning visitors | Yes |
| section_data_ids | Session | Customer-specific content (cart, wishlist) | Yes |
| user_allowed_save_cookie | Persistent | Records cookie consent decision | Yes |
| mage-cache-storage | Session | Local storage for cached content | Yes |
| recently_viewed_product | Persistent | Stores viewed product IDs | No |
| product_data_storage | Persistent | Product data configuration | No |
Adobe Commerce adds product recommendation cookies (dataservices_customer_id, dataservices_cart_id) for personalized suggestions.
Critical: Never disable exempt cookies. The store will malfunction without PHPSESSID, form_key, and section_data_ids.
For the complete list of all default cookies, see the official Adobe Commerce documentation.
7 Steps to Configure Cookies in Magento 2
1. Log in to the Magento 2 Admin Panel.
2. Navigate to Stores > Settings > Configuration.
3. Under General, expand the Web section.
4. Open the Default Cookie Settings subsection and configure:
   - Cookie Lifetime: Duration in seconds. Default is 3600 (1 hour). Set to 0 for browser-session-only expiry.
   - Cookie Path: Use / to make cookies accessible site-wide.
   - Cookie Domain: Enter your domain with a period prefix (.yourdomain.com) for subdomain access.
   - Use HTTP Only: Set to Yes. This prevents JavaScript from reading cookies, which reduces XSS attack risk.
   - Cookie Restriction Mode: Set to Yes to display the consent banner and block non-essential cookies.
5. Click Save Config.
6. Go to System > Tools > Cache Management and click Flush Magento Cache.
7. Verify your storefront displays the cookie consent banner (if restriction mode is enabled).
Cookie Restriction Mode and GDPR Compliance
Cookie restriction mode is the native Magento 2 mechanism for GDPR compliance. When enabled, the store displays a notification bar that links to your privacy policy and includes an "Allow Cookies" button.
How it works:
- A first-time visitor sees the cookie consent banner.
- Non-exempt cookies (analytics, marketing) are blocked until the visitor clicks "Allow."
- The user_allowed_save_cookie cookie records the consent decision.
- The banner disappears after consent is granted.
What restriction mode does NOT cover:
- Granular consent categories (essential, analytics, marketing). Use a third-party extension for this.
- CCPA (California Consumer Privacy Act) opt-out mechanisms.
- ePrivacy Directive cookie wall requirements for specific EU member states.
- Consent logging and audit trails required by some regulators.
For stores targeting multiple regions, consider extensions from Amasty, Magefan, or Mirasvit that offer granular consent panels, GeoIP detection, and consent logging.
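As an added example (not code from this page or from Magento), here is a small audit that checks a first-visit capture against the cookie table above and the restriction-mode behaviour just described: it flags non-exempt cookies set while user_allowed_save_cookie is absent, and a PHPSESSID that lacks HttpOnly or Secure. The Set-Cookie values it reads are constructed sample data.

```javascript
// Added example (not Magento's code): audit the Set-Cookie headers of a first
// visit against the exempt/non-exempt table. Sample headers are constructed.
const EXEMPT = new Set([
  'PHPSESSID', 'form_key', 'store', 'persistent_shopping_cart',
  'section_data_ids', 'user_allowed_save_cookie', 'mage-cache-storage',
]);
const CONSENT_COOKIE = 'user_allowed_save_cookie';

// Parse one Set-Cookie value into { name, attrs }; attribute names are
// lower-cased and valueless attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Returns a list of findings; an empty list means the first visit is clean.
function auditFirstVisit(setCookieHeaders) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  // Restriction mode records consent in user_allowed_save_cookie. While it is
  // absent the visitor has not consented, so only exempt cookies may appear.
  const consentGiven = cookies.some((c) => c.name === CONSENT_COOKIE);
  const findings = [];
  for (const c of cookies) {
    if (!EXEMPT.has(c.name) && !consentGiven) {
      findings.push(`${c.name}: non-exempt cookie set before consent`);
    }
    // The session cookie should carry HttpOnly (the "Use HTTP Only" setting) and
    // Secure. form_key is skipped: Magento's frontend JavaScript reads and writes it.
    if (c.name === 'PHPSESSID') {
      if (!('httponly' in c.attrs)) findings.push('PHPSESSID: missing HttpOnly');
      if (!('secure' in c.attrs)) findings.push('PHPSESSID: missing Secure');
    }
  }
  return findings;
}

// Constructed first-visit capture: no consent cookie yet, PHPSESSID set
// without HttpOnly, and one non-exempt cookie already present.
const SAMPLE_FIRST_VISIT = [
  'PHPSESSID=abc123; Path=/; Secure; SameSite=Lax',
  'form_key=XyZ987; Path=/; Secure; SameSite=Lax',
  'store=default; Expires=Wed, 16 Mar 2027 00:00:00 GMT; Path=/; Secure; SameSite=Lax',
  'recently_viewed_product=%7B%22123%22%3A1%7D; Path=/; Secure; SameSite=Lax',
];
```

Running `auditFirstVisit(SAMPLE_FIRST_VISIT)` reports the missing HttpOnly flag and the early recently_viewed_product cookie; once user_allowed_save_cookie is present in the capture, the consent finding disappears.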
SameSite Cookie Attribute
Modern browsers enforce the SameSite attribute on cookies. Since version 2.4.2, all Magento core cookies support the SameSite attribute. Browsers default to SameSite=Lax, which prevents cookies from being sent on cross-site requests. This protects against CSRF attacks but can cause issues with third-party payment gateways that redirect customers back to your store.
If your checkout breaks after a payment redirect, check whether the payment provider requires SameSite=None; Secure for their cookies.
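To see why the redirect breaks, here is an added model (not Magento's or any browser's code) of the SameSite decision a browser makes for each request; the request shapes and the sessionSurvives helper are constructed for the example.

```javascript
// Added example (not Magento's or any browser's code): a model of the SameSite
// rules browsers apply when deciding whether to attach a cookie to a request,
// used to show why a Lax session cookie is dropped on a payment POST return.
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None', secure: boolean }
// request: { crossSite, topLevel, method, https }
// Returns true when the browser attaches the cookie to the request.
function cookieIsSent(cookie, request) {
  // Browsers reject SameSite=None cookies that lack Secure, so such a cookie is
  // never stored and never sent; this is why the pairing is always "None; Secure".
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  if (cookie.secure && !request.https) return false;   // Secure: HTTPS only
  if (!request.crossSite) return true;                 // same-site: always sent
  switch (cookie.sameSite) {
    case 'None': return true;                          // every cross-site request
    case 'Strict': return false;                       // no cross-site request at all
    default: // Lax, which is also the browser default when the attribute is missing
      return request.topLevel && SAFE_METHODS.has(request.method);
  }
}
// Not modelled: Chrome's "Lax-allowing-unsafe" exception, which lets a cookie with
// no SameSite attribute ride a cross-site POST during its first two minutes.

// Constructed scenarios. Hosted payment pages often return the customer with a
// cross-site top-level POST. To the browser that request looks exactly like the
// cross-site form POST Lax exists to block (the CSRF protection mentioned above).
const GATEWAY_POST_RETURN = { crossSite: true, topLevel: true, method: 'POST', https: true };
const GATEWAY_GET_RETURN = { crossSite: true, topLevel: true, method: 'GET', https: true };
const EMBEDDED_GET = { crossSite: true, topLevel: false, method: 'GET', https: true };

// Does the store's Secure session cookie survive the hop back from the gateway?
function sessionSurvives(sameSite, request) {
  return cookieIsSent({ sameSite, secure: true }, request);
}
```

`sessionSurvives('Lax', GATEWAY_POST_RETURN)` is false while `sessionSurvives('None', GATEWAY_POST_RETURN)` is true, which is the failure the text describes; a GET-based return survives under Lax but not under Strict.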
Google Consent Mode v2 for Magento 2
Google Consent Mode v2 became mandatory in March 2024 for stores running Google Ads or Google Analytics in the European Economic Area (EEA) and UK. Without it, Google limits ad personalization and conversion tracking for these regions. Since July 2025, Google enforces this requirement. Non-compliant stores lose personalized ads, remarketing, and conversion tracking for EEA/UK visitors.
What Consent Mode v2 Does
Consent Mode v2 adjusts how Google Tag Manager fires tags based on user consent status. It introduces two new consent signals:
Implementation Options
Extension-based (recommended): Amasty Cookie Consent, Magefan Cookie Consent, WeltPixel Consent Mode v2, or Meetanshi Google Consent Mode all support Consent Mode v2 with GTM integration.
Manual GTM implementation: Configure consent defaults in your GTM container and update them based on your cookie consent banner's JavaScript callbacks. This requires custom development.
Key requirement: Your consent management platform must send the correct consent signals to Google Tag Manager before any Google tags fire.
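For the manual GTM path, here is an added example (not the author's or any extension's code) of the consent default/update calls and a check that a tag fires only after the update arrives; onBannerDecision and tagMayFire are assumed names, while gtag, dataLayer and the signal names follow Google's documented consent API.

```javascript
// Added example (not from the page's author or any vendor extension): the gtag
// consent calls a manual GTM implementation pushes, driven by the banner decision.
// gtag/dataLayer and the signal names are Google's documented consent API; the
// banner callback onBannerDecision and the tag check tagMayFire are assumptions.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// 1. Defaults go first, before any Google tag loads, with everything denied.
//    ad_user_data and ad_personalization are the two signals Consent Mode v2 added.
gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500, // ms to wait for an update before tags fire with defaults
});

// 2. The consent banner calls this once the visitor decides; the restriction-mode
//    "Allow Cookies" button would map to { analytics: true, marketing: true }.
function onBannerDecision({ analytics, marketing }) {
  gtag('consent', 'update', {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: marketing ? 'granted' : 'denied',
    ad_user_data: marketing ? 'granted' : 'denied',
    ad_personalization: marketing ? 'granted' : 'denied',
  });
}

// Replay the consent entries in the dataLayer to get the current state, i.e. the
// denied -> granted transition the GTM debug panel shows.
function currentConsent() {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] === 'consent') Object.assign(state, entry[2]);
  }
  delete state.wait_for_update;
  return state;
}

// A tag lists the signals it depends on and may fire only when all are granted.
function tagMayFire(requiredSignals) {
  const state = currentConsent();
  return requiredSignals.every((signal) => state[signal] === 'granted');
}
```

Before onBannerDecision runs, `tagMayFire(['analytics_storage'])` is false; accepting analytics only flips that to true while the three ad signals stay denied.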
6 Steps to Edit the Cookie Policy Page
1. Navigate to Content > Elements > Pages in the Admin Panel.
2. Locate and click Edit on the Privacy Policy page.
3. Choose the relevant Store View and confirm Status = Enabled.
4. Under the Content tab, update the policy text. List every cookie your store sets, its purpose, and its duration.
5. On Page in Websites, assign the appropriate store views.
6. Click Save and verify the policy displays on your storefront.
Update your policy whenever you add new extensions, analytics tools, or marketing integrations. Each can introduce cookies that your policy must disclose.
5 Advanced Cookie Management Strategies
1. GeoIP-Based Consent Management
Use GeoIP detection to show consent banners only to visitors from regions that require them. EU visitors get a full GDPR consent panel. US visitors see a simpler CCPA notice. Visitors from unregulated regions see no banner at all.
Several Magento 2 extensions integrate GeoIP services to automate this. The approach improves user experience for visitors who do not need a consent prompt while maintaining compliance for those who do.
2. Custom Cookie Grouping
Categorize cookies into groups: essential, analytics, marketing, and preferences. Let users accept or reject each category through a customizable consent panel.
This granular approach satisfies GDPR requirements for specific consent and gives users real control. Extensions like Amasty GDPR and Mirasvit GDPR support custom cookie grouping with category-level toggles.
3. Performance Optimization of Consent Solutions
Cookie consent scripts can delay page rendering if loaded synchronously. Load consent banners asynchronously to prevent them from blocking core Magento resources and page speed.
Cache consent decisions in the browser to avoid repeated DOM manipulation. Test the consent banner's impact on Core Web Vitals, especially Largest Contentful Paint (LCP) and Cumulative Layout Shift (CLS).
4. Multi-Language Cookie Banners
Use Magento 2's multi-store and multi-language capabilities to deliver cookie notices in the visitor's local language. Configure separate consent messages per store view.
Most third-party GDPR extensions include language packs or support custom translations. This ensures all visitors understand the legal messages regardless of their browser language.
5. Accessibility for Cookie Notices
Cookie consent banners must be accessible to all users, including those using screen readers or keyboard navigation. Follow WCAG (Web Content Accessibility Guidelines) standards:
- Proper color contrast ratios for banner text and buttons.
- All interactive elements operable by keyboard (Tab, Enter, Escape).
- ARIA labels on consent buttons for screen reader support.
Test banners with Lighthouse or WAVE accessibility tools to identify and fix issues.
Troubleshooting Common Cookie Issues
Cookie Consent Banner Not Appearing
Check: Is Cookie Restriction Mode set to Yes in Stores > Configuration > General > Web > Default Cookie Settings?
Check: Clear all caches after changing the setting. Full Page Cache and Block HTML Cache both affect banner display.
Check: Custom themes may override the default cookie notification template. Inspect Magento_Cookie::html/notices.phtml in your theme.
Changes Not Taking Effect
Flush Magento Cache and browser cache after every cookie configuration change. Some settings require a full reindex. If using Varnish, purge the Varnish cache as well.
Third-Party Extension Conflicts
Extensions that modify JavaScript loading order can interfere with cookie consent scripts. Disable extensions one by one to isolate the conflict. Check browser console for JavaScript errors related to Magento_Cookie or consent scripts.
Google Analytics Not Tracking After Consent Mode
Verify that your GTM container fires tags only after consent signals update. Check the GTM debug panel for consent state transitions. Confirm that analytics_storage changes from denied to granted after user consent.
Checkout Issues After SameSite Changes
Payment gateways that redirect to external domains may fail if SameSite=Lax blocks the return cookie. Contact your payment provider for guidance on SameSite=None; Secure configuration.
Pros and Cons of Native Cookie Restriction Mode
| Pros | Cons |
|---|---|
| Built into Magento core, no extension needed | No granular consent categories |
| Blocks non-exempt cookies before consent | No consent logging or audit trail |
| Simple to enable (one admin setting) | No GeoIP detection for region-specific banners |
| Stores consent in user_allowed_save_cookie | Does not support Google Consent Mode v2 |
FAQ
1. What is the default cookie lifetime in Magento 2?
The default cookie lifetime is 3600 seconds (1 hour). You can change this in Stores > Configuration > General > Web > Default Cookie Settings. Set it to 0 to expire cookies when the browser closes.
2. Does Magento 2 support GDPR compliance out of the box?
Magento 2 provides cookie restriction mode, which displays a consent banner and blocks non-essential cookies. However, it does not include granular consent categories, consent logging, or GeoIP detection. Full GDPR compliance requires a third-party extension.
3. Is Google Consent Mode v2 mandatory for my store?
If you run Google Ads or Google Analytics and target customers in the EEA or UK, yes. Since March 2024, Google requires Consent Mode v2 for personalized advertising and full analytics functionality in these regions.
4. How do I test if cookie consent works on my store?
Open your store in an incognito browser window to simulate a first-time visit. Check that non-essential cookies are not set before you click the consent button. Use browser developer tools (Application > Cookies) to verify which cookies exist before and after granting consent.
5. Can I configure different cookie settings per store view?
Yes. Magento 2 allows cookie configuration at the store view level. This is useful for multi-regional stores that need different consent mechanisms for EU, US, and other markets.
6. What happens if I disable essential cookies?
The store will malfunction. Session tracking, CSRF protection, and cart functionality all depend on essential cookies like PHPSESSID and form_key. Never disable exempt cookies.
7. How often should I audit the cookies on my store?
Audit cookies quarterly and whenever you add new extensions, analytics tools, or marketing integrations. Use browser developer tools or compliance platforms like Cookiebot or OneTrust to identify all cookies your store sets.
8. How does the SameSite attribute affect my Magento store?
Magento 2.4.x sets SameSite=Lax by default. This prevents cross-site request forgery but can break payment gateways that use cross-domain redirects. If checkout fails after payment, check your payment provider's SameSite requirements.
9. What is the difference between cookie restriction mode and a full CMP?
Cookie restriction mode is a simple allow/deny toggle built into Magento. A Consent Management Platform (CMP) offers granular category-level consent, consent logging, GeoIP detection, and integration with Google Consent Mode v2.
10. Do I need cookie consent for US-only stores?
While GDPR applies to EU visitors, the CCPA and other US state privacy laws also regulate cookie usage. California, Virginia, Colorado, and Connecticut all have privacy laws that may require some form of cookie disclosure or opt-out mechanism.
Summary
Magento 2 cookies manage sessions, personalization, and security across your store. Proper configuration balances user experience with privacy compliance.
The core steps: enable cookie restriction mode for consent banners, set HTTP Only to Yes for security, implement Google Consent Mode v2 for EEA/UK compliance, and audit cookies quarterly to catch undisclosed third-party cookies.
For stores that need server-level cookie security, HTTP header hardening, and guaranteed uptime during compliance audits, managed Magento hosting handles the infrastructure so you can focus on configuration and policy.