magento2: Cookie mage-messages does not respect cookie configuration settings

Preconditions (*)

  1. version 2.4.3

Steps to reproduce (*)

  1. Load any page of the website
  2. View the mage-messages cookie in the browsers developer tools Application panel and observe the Expires, Path, and Domain and compare to the admin configuration

Expected result (*)

  1. The configuration would match

Actual result (*)

  1. The configuration does not match

Notes about this issue

The configuration values for lifetime and path are not respected.

The configuration values for domain are not used when setting the mage-messages cookie.

Effects of this bug

Configure the cookie domain to not have a subdomain (ie. .example.com) but load the site with a subdomain (ie. www.example.com). Because the cookie doesn’t respect the configuration for domain the browser sets the cookie with the subdomain (ie. www.example.com). If the site uses a secondary subdomain (ie. blog.example.com) the cookie will not persist as it was set only for www.example.com.

Configuration

Configuration Path: Stores -> Configuration -> General -> Web -> Default Cookie Settings:

Scope: Default Config

  • Cookie Lifetime: 3600
  • Cookie Path: empty
  • Cookie Domain: empty
  • Use HTTP Only: Yes
  • Cookie Restriction Mode: No

Scope: Main Website

  • Cookie Lifetime: 604800
  • Cookie Path: empty
  • Cookie Domain: .example.com
  • Use HTTP Only: Yes
  • Cookie Restriction Mode: No

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

About this issue

Commits related to this issue

Most upvoted comments

I was able to get a Magento instance and test this.

In my tests below you can see that there are some cookies that respect the configuration and some that do not. In my testing it seems that only the Cookie Domain setting is an issue. I did some tests with the Cookie Lifetime and Cooke Path fields and found them to work for the cookies I was paying attention to. Though the expiration isn’t the same for all cookies, so maybe that has issues as well?

Issues I was able to create:

  • Duplicate cookies (one with leading . and one without). Confirmed on the frontend, did not test in the admin.
  • Cookies in the admin are using the **Main Website configuration as opposed to the Default Config
  • Only some cookies respect the configuration for the Cookie Domain setting
    • The last comment from @engcom-November shows this as well in that the frontend was configured to use a leading . but it was stated that the cookie did not have a leading .
  • Not all cookies have the same expiration, which implies they are not respecting the Cookie Lifetime configuration

Scope: Default Config image

Scope: Main Website image

Cleared all caches image

I then deleted all of the cookies from the admin and logged back in.

In the admin the cookie domain has the leading . (period). Based on the configuration I wouldn’t expect that to b set as it was only set for the Main Website. image

On the frontend, I deleted all my cookies and reloaded the page. I then added a product to the cart. Notice how the cookie domain doesn’t match across all of the cookies. Some have the leading . (period) and others don’t. image

Also notice that there are two form_key cookies. One with the leading . and one without.

I did confirm that the expires date for mages-messages does follow the configuration - despite my claim when opening this ticket. However I see other cookies don’t all have the same expiration. Maybe that is desired???

To really try and highlight this issue, I updated the Main Website configuration to add a leading TEST instead of a leading . to the Cookie Domain. image

After clearing the cache in the admin, and then the cookies on the frontend I reloaded the page and added a product to the cart (same testing steps as done above). Look at the differences here. The mage-messages cookie is sill here - but if it were respecting the configuration it wouldn’t show as the cookie domain with the leading TEST doesn’t match the URL. For that same reason, you’ll notice that the PHPSESSID cookie doesn’t show here. That cookie respected the configuration change and adds the leading TEST but that doesn’t match this domain and thus isn’t displayed here. You’ll also see the duplicate form_key cookie that I called out in the last test isn’t present - that one also respected the leading TEST set in the configuration.

image

This test clearly highlights that some cookies respect the configuration and some don’t.

+1
PromInc on Mar 6, 2022
Read more comments on GitHub
← magento2: Controller preference not working after setup:di:compile
magento2: Corrupt Merged CSS Files →