How to Configure Magento 2 Cookies Lifetime, Policy, Restriction?

Although Magento 2 cookies may seem unimportant to users, they are essential for merchants. They help collect customers' personal data for marketing and analytics. But most importantly, they help maintain Magento GDPR compliance.

There are some basic Magento 2 cookie settings you can configure by default. They include Magento cookies policy, cookie lifetime, cookie consent bar, cookie restriction mode and others. 

This guide teaches you how to configure Magento cookies properly and how to make them compatible with Google Consent Mode v2. There are also details on how to set up the cookie consent bar and add new cookies to track in Magento.

Key takeaways
  • Magento 2 cookies are used to keep track of customer sessions, analyse their behaviour, and provide personalised web browsing.
  • Magento cookie settings allow merchants to set up cookie lifetime, domain, cookie restrictions, and consent.
  • Magento collects essential (session id, customer authentication, customer group, consent, etc.) and non-essential (_ga, _gat, _gid) cookies by default.
  • By default, Magento cookie restriction mode is not compatible with the Google Consent Mode. You need to integrate third-party extensions like Magefan Cookie Consent to add compatibility.

What Are Magento 2 Cookies?

Magento 2 cookies are small pieces of data that a website stores in the visitor's browser. The server (or JavaScript on the page) sets them, and the browser sends them back on each request, which lets the site recognise returning visitors and remember things like session ID and preferences.

Cookies are mostly used to create a personalised experience for customers and generate suggestions based on their previous steps. 

For example, when a visitor enters your store, Magento creates a cookie in their browser. That cookie remembers the session ID and preferences. When the visitor returns, the browser sends that cookie back to Magento. This is how Magento recognises the user and restores their previous session.

However, cookies are essential for store owners as well. They help them maintain GDPR compliance and avoid legal vulnerabilities under global privacy laws.

Why Are Cookies Important for GDPR Compliance in Magento?

Due to the General Data Protection Regulation (GDPR), merchants must give EU customers full control over the data they allow stores to collect.

Besides collecting user consent, merchants must show clear cookie categories (e.g., essential, marketing, analytics, advertising, etc.) and allow customers to configure, accept, or delete collected data.

Moreover, in the Magento privacy policy, merchants need to provide a clear explanation of the store's cookie usage.

If those requirements are ignored, it can lead to legal and financial consequences.

Example of a Magento cookie consent list that visitors can review and customise when visiting the website (source: Magefan Cookie Consent)

How to Configure Magento 2 Cookies?

To configure cookies in Magento 2, go to Stores > Settings > Configuration > General > Web > Default Cookie Settings and follow these simple steps.

Step 1: Specify the Cookie Lifetime

This defines how long cookies are stored in the customer's browser. The default value is 3600 seconds (1 hour). If you want the cookies to expire as soon as the customer closes the browser, enter 0 in this field.

Step 2: Enter the Cookie Path

It controls which URL paths the cookie is valid for. If you want it to be valid on all the pages, use a slash (/) in this field.

Step 3: Add the Cookie Domain

If you would like to enable cookies for all the subdomains you are using, enter the corresponding domain here, preceded by a full stop, e.g. ".domain.com".

Step 4: Configure HTTP Only

Set Yes in the Use HTTP Only field to prevent JavaScript from accessing the cookie, which helps mitigate XSS-based theft.

Step 5: Enable Cookie Restriction Mode

Select Yes to enable cookie messages on the storefront. Then save the settings.
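
To confirm that the storefront really sends cookies matching these settings, the added example below (not part of the original guide or of Magento's code) parses Set-Cookie response headers and reports drift in lifetime, path, domain and HttpOnly. The sample headers are constructed, the list of cookies that must be HttpOnly is an assumption, and lifetime is read from Max-Age only.

```javascript
// Added example: compare Set-Cookie headers with the Default Cookie Settings.
// Values mirror the admin fields above; ".domain.com" is the guide's placeholder.
const expected = {
  lifetime: 3600,        // Cookie Lifetime in seconds (0 = session cookie)
  path: '/',             // Cookie Path
  domain: '.domain.com', // Cookie Domain
  // Assumption: only these must be HttpOnly; form_key and others are read by JS.
  httpOnlyNames: ['PHPSESSID', 'admin'],
};

// Constructed sample headers: two that match the settings, one that drifts.
const sampleHeaders = [
  'PHPSESSID=abc123; Max-Age=3600; path=/; domain=.domain.com; HttpOnly',
  'PHPSESSID=abc123; Max-Age=31536000; path=/; domain=shop.domain.com',
  'form_key=Xy12; Max-Age=3600; path=/; domain=.domain.com',
];

// Split one Set-Cookie value into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return findings for one header; an empty array means it matches the settings.
function auditCookie(header, want = expected) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (want.httpOnlyNames.includes(name) && attrs.httponly !== true) {
    findings.push(`${name}: HttpOnly flag missing`);
  }
  if (attrs.path !== want.path) findings.push(`${name}: path is ${attrs.path}`);
  if (attrs.domain !== want.domain) findings.push(`${name}: domain is ${attrs.domain}`);
  // Lifetime comes from Max-Age only; without it the cookie is treated as session.
  const maxAge = 'max-age' in attrs ? Number(attrs['max-age']) : 0;
  if (maxAge > want.lifetime) {
    findings.push(`${name}: lifetime ${maxAge}s exceeds ${want.lifetime}s`);
  }
  return findings;
}

for (const header of sampleHeaders) console.log(auditCookie(header));
```

Feed it the Set-Cookie lines captured from a storefront response after changing the settings; a cookie scoped to a single subdomain or living far longer than the configured lifetime shows up as a finding.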

How to configure default cookie settings in Magento 2?

To edit the default cookie notice in Magento, you must edit a template file via a custom theme override since there is no admin option to edit the text or styles of the notice.

Note: the default cookie bar text is very limited and offers only one option to Allow cookies. Use Magefan Cookie Consent Extension to enable other options like "Accept Selected" and "Reject All" and edit cookie notice directly from the admin.

Step 1: Find the default template file

Find the Magento cookie notice template at:

vendor/magento/module-cookie/view/frontend/templates/html/notices.phtml

Step 2: Create a custom theme override

Navigate to your custom theme directory:

app/design/frontend/VendorName/ThemeName/

and create the missing sub-directories:

Magento_Cookie/templates/html/

Then copy the notices.phtml file from the Magento directory and paste it into this new folder path:

app/design/frontend/VendorName/ThemeName/Magento_Cookie/templates/html/notices.phtml

Step 3: Edit the cookie notice text and HTML

Modify the cookie notice message inside notices.phtml. Change the "Allow" button label and the "learn more" link destination (which leads to the privacy policy page by default). Save the file once you finish and clear the Magento caches.

How to Create New Cookies in Magento?

To add more advertising or marketing cookies to Magento, you need the Magento 2 Cookie Consent extension by Magefan since the default Magento is limited to Google Analytics and Google Tag Manager cookies.

The extension allows you to enable cookie notice in Magento with groups and configuration options and create new cookies and cookie groups directly in the admin.

To add new cookies in Magento, go to Marketing > Magefan Cookie Consent > Cookies > Add new Cookie and fill in the required fields.

The Magento 2 cookie policy is a technical framework required to inform visitors about the data you collect and how that data is used. It is often presented as a separate privacy policy page that explains your cookies policy and a list of cookies you collect.

For GDPR compliance, the cookie policy needs to answer the following questions:

  • How do cookies work?
  • Why are cookies used on the website?
  • What types of cookies are used in Magento?
  • Are there any special or custom cookies?
  • What is the cookie lifetime set to?
  • Are there any third-party cookies used?
  • How is cookie consent collected and stored?
  • How can users manage, accept, or disable cookies?

However, the Magento cookie policy is not only about GDPR compliance. It's about building customers' trust by being transparent about their privacy.

To edit the cookie policy in Magento, go to Content > Elements > Pages, find the Privacy Policy page and start editing it.

Step 1: Enable the page if you haven't done it already. 

Step 2: Jump to the Content section and add the necessary changes. 

Step 3: Choose the Store View where this page will be displayed in the Page in Websites section.

Step 4: Press the Save button and check the privacy policy page on the storefront. This is how the privacy policy page will be displayed in your Magento store:

How to Update Magento "Enable Cookies" Page?

If you want to update the default Magento enable cookie page, you can do that via Magento CMS pages.

Note: the privacy policy page and the "Enable Cookies" page are not the same thing. The Magento privacy policy page is a legal document that informs users how your store collects, uses and protects their data.

The "Enable Cookies" page provides instructions on what cookies are and how to enable them in the user's browser (in case they have cookies disabled, which conflicts with core Magento functionality like adding items to cart or logging into an account).

Step 1: Go to Content > Elements > Pages and start editing the Enable Cookies page.

Step 2: Enable the page and edit the cookie message in the Content section.

Step 3: Choose Store View to display the enable cookie page and press the Save button once you finish.

Magento 2 cookie lifetime defines how long cookies are stored in the browser, including after it is closed. The default cookie lifetime is 3600 seconds, which is 1 hour. If you set the value to 0, the cookie expires the moment users close the browser window.

Magento allows you to set a long (persistent) or short (session) cookie lifetime. Yet, there isn't any official recommendation regarding the ideal lifetime of either type.

Everything depends on your business model, customer behaviour, and security requirements.

Long cookie lifetime in Magento

Long cookie lifetime focuses on customers' convenience. It lets users return to the store without constant logins and logouts.

Pros and Cons

Pros:
  • Maintains login sessions for a longer period
  • Remembers customer preferences and previous visits
  • Improves convenience for returning customers

Cons:
  • Increases security risk if users forget to log out
  • Keeps sessions active on shared devices
  • May violate security requirements because of too-long sessions

In a nutshell, a long session duration is a better choice for fashion stores, electronics retailers, lifestyle brands, etc., where merchants rely on repeated visits and longer purchasing decisions.

Short cookie lifetime

Short cookie lifetime in Magento focuses on security, thus making sessions expire faster. This approach is particularly useful for stores that handle sensitive data.

Pros and Cons

Pros:
  • Limits how long stored session information remains active in the browser
  • Reduces security risks on shared or public devices by ending sessions sooner
  • Helps protect sensitive customer or store data
  • Helps to stay compliant

Cons:
  • May log out customers too quickly
  • Can cause shopping carts to expire before customers finish checkout
  • Requires users to sign in more often

Therefore, a short cookie lifetime is recommended for stores that value security over convenience. It is especially important for B2B stores and wholesale platforms.

Once you figure out which lifetime option is better for your store, configure the Magento 2 cookie settings. 

Magento cookie settings are not compatible with Google Consent Mode v2 by default. To stay compliant, use the Magefan GTM Extension or ask your cookie consent service to add support for it.

Let's review both options.

Magefan GTM Extension

Magefan Google Tag Manager for Magento provides compliance with Google Consent Mode v2 starting from v2.5.3. Thus, if you have the default Magento cookie popup, just make sure you also have a relevant GTM extension version. The same goes for the Google-authorized CMP Partners.

Third-party Consent Services

In case you use some third-party consent extensions for Magento, reach out to your service providers to ensure their solution is compatible with Consent Mode v2.

It may also be that you implemented some custom solutions for GTM tracking and cookie consent. In this case, make sure your developers follow the Google Developer Guide to add the necessary changes as per the requirements.

Now you have clear steps to configure the Magento cookie settings and know how easy it actually is even with the Consent Mode v2 in mind.

However, proper configuration is only part of the process. You should also follow proven best cookie practices.

Magento cookie management doesn't come down to configuring cookie lifetime and enabling cookie restriction mode in the admin. To create a transparent and user-friendly shopping experience, you should follow the best practices.

Ask permission before you collect data

Request user consent before activating tracking or advertising cookies. That is, show a cookie consent banner right after users enter your store.

Provide three clear options to choose from: "Accept All Cookies", "Reject All Cookies", and "Accept Specific Cookies". This improves customer trust and helps maintain cookie law compliance.
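
An added example, not Magefan's or Google's code, of what the three options mean for the Consent Mode v2 requirement discussed earlier: every signal starts as denied and only the visitor's choice upgrades it. The group names "analytics" and "marketing", the choice strings and the injected gtagFn are assumptions; the four signal names are the Consent Mode v2 consent types.

```javascript
// Added example: translate a cookie-banner choice into Consent Mode v2 signals.
// Assumption: the store has two non-essential groups, "analytics" and "marketing".
const SIGNALS_BY_GROUP = new Map([
  ['analytics', ['analytics_storage']],
  ['marketing', ['ad_storage', 'ad_user_data', 'ad_personalization']],
]);

// State before any choice is made: every signal is denied.
function defaultConsent() {
  const state = {};
  for (const signals of SIGNALS_BY_GROUP.values()) {
    for (const signal of signals) state[signal] = 'denied';
  }
  return state;
}

// choice is "accept_all", "reject_all" or "accept_selected" (hypothetical values);
// groups lists the group names ticked when choice is "accept_selected".
function consentFromChoice(choice, groups = []) {
  const state = defaultConsent();
  let accepted = [];
  if (choice === 'accept_all') accepted = [...SIGNALS_BY_GROUP.keys()];
  if (choice === 'accept_selected') accepted = groups;
  for (const group of accepted) {
    // Unknown group names map to nothing, so they can never grant consent.
    for (const signal of SIGNALS_BY_GROUP.get(group) || []) state[signal] = 'granted';
  }
  return state;
}

// Call once before any tag fires. gtagFn is injected so the code runs under Node.
function initConsent(gtagFn) {
  gtagFn('consent', 'default', defaultConsent());
}

// Call from the banner's button handlers; returns the state that was sent.
function onBannerChoice(gtagFn, choice, groups) {
  const state = consentFromChoice(choice, groups);
  gtagFn('consent', 'update', state);
  return state;
}

// Stand-alone run with a recording stub in place of the real gtag().
const sent = [];
const record = (...args) => sent.push(args);
initConsent(record);
onBannerChoice(record, 'accept_selected', ['analytics']);
console.log(JSON.stringify(sent, null, 2));
```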

Make your cookie banner clear and easy to understand

Inform your visitors about the exact data you collect. Avoid technical terms or difficult explanations to avoid confusion.

The "We collect cookies" message is not enough. Instead, write something like "We use cookies to save your cart content, improve site performance, and show you more relevant offers".

Keep your cookie policy up to date

Regularly check your cookie policy to reflect any changes in how your store manages data.

For example, if you start using a third-party tool that tracks user behaviour, mention it in your Magento cookie policy.

Review your cookies regularly

Monitor your cookies every 3-6 months to remove unnecessary or outdated ones. This reduces security risks and improves compliance.

Let customers manage their data from their account

For more convenience, allow your customers to manage their consent preferences without contacting support. Make it easy for them to export, update, or delete personal data right from their account page.

Besides managing customer privacy, you should also work on your store's security. After configuring cookies, enable Magento reCAPTCHA to add an extra layer of protection against spam or brute force attacks.

FAQs

You can't configure the allowed countries in default Magento. To show the cookie banner to specific countries, use the Magefan Magento 2 Cookie Consent Extension.

Navigate to Stores > Configuration > Magefan Extensions > Cookie Consent > GeoIP Settings > Special Countries and choose the needed countries from the list.
Magento doesn't have a strict maximum limit for cookie lifetime by default. Merchants are allowed to set the time in seconds, including very long durations, for example, 31536000 sec, which equals 1 year.

What are the native cookies Magento has?

The list of default Magento cookies includes:

  • add_to_cart
  • guest-view
  • login_redirect
  • mage-banners-cache-storage
  • mage-messages
  • product_data_storage
  • recently_compared_product
  • recently_compared_product_previous
  • recently_viewed_product
  • recently_viewed_product_previous
  • remove_from_cart
  • stf
  • X-Magento-Vary
  • form_key
  • mage-cache-sessid
  • mage-cache-storage
  • mage-cache-storage-section-invalidation
  • mage-cache-timeout
  • persistent_shopping_cart
  • private_content_version
  • section_data_ids
  • store
  • PHPSESSID
  • admin
  • loggedOutReasonCode
  • section_data_clean
  • lang
  • s_fid
  • s_cc
  • apt.sid
  • apt.uid
  • s_sq
  • pagebuilder_modal_dismissed
  • pagebuilder_template_apply_confirm
  • accordion-{VARIABLE}-{VARIABLE}

How to show all 3rd party cookies my Magento store is using?

There is no way to track 3rd-party cookies from Magento extensions and plugins by default. You need to use the Magefan Cookie Consent Extension that automatically tracks and logs all cookies your website uses.