@rockwellll rockwellll commented Nov 30, 2025

Problem

Session tracking was failing for orderPlaced events in VTEX domains due to several cookie configuration issues:

  1. Missing Subdomain Support: Cookies were only available on the exact domain they were set on (e.g., www.store.com), not shared across subdomains (e.g., secure.store.com, checkout.store.com)
  2. Missing SameSite Attribute: Modern browsers default to SameSite=Lax behavior, which causes cookies to be dropped during:
    • POST requests from external sites
    • Redirects from payment gateways (PayPal, credit card processors)
    • Cross-site navigations during checkout flow
  3. No Secure Flag: Missing security best practice for HTTPS connections
  4. Session-Only Cookies: Cookies expired when browser closed, losing tracking data for returning users
  5. Circular Dependency: Creating Page instance in Cookies.set() caused infinite loop because Page constructor creates UTM instance, which calls Cookies.set()

Changes

Cookie Attributes (src/models/cookies.js)

  • ✅ Added Secure flag for HTTPS connections
  • ✅ Added domain attribute with root domain calculation (e.g., .example.com, .storename.com.br)
  • ✅ Added SameSite=Lax to handle payment gateway redirects
  • ✅ Added max-age=315360000 (10 years) for persistent tracking
  • ✅ Graceful fallback when domain cannot be determined

Root Domain Logic (src/models/page.js)

  • ✅ New static method Page.getRootDomain(hostname) that:
    • Handles regular TLDs (.com, .net) → returns last 2 parts
    • Handles multi-part TLDs (.com.br, .co.uk) → returns last 3 parts
    • Handles VTEX domains (.vtexcommercestable.com.br)
    • Handles localhost and single-part domains without leading dot
    • Returns null for invalid/missing URLs
  • ✅ Updated page.domain getter to use static method
  • ✅ Updated page.url getter to preserve empty strings instead of falling back to window.location.href

Tests

  • ✅ Added 13+ test cases for Page.getRootDomain() covering:
    • Regular and multi-part TLDs
    • VTEX-specific domains
    • Localhost and edge cases
    • Invalid/missing URLs
  • ✅ Added comprehensive cookie attribute tests covering:
    • Secure flag behavior (https vs http)
    • Domain attribute for different TLD types
    • SameSite attribute
    • max-age attribute
    • Complete cookie string format
  • ✅ Fixed jsdom cookie storage issues in tests with proper mocking

Impact

Before:

// Cookie set on secure.store.com.br
document.cookie = "hello_session=abc123; path=/"
// ❌ Not available on checkout.store.com.br
// ❌ Lost during payment gateway redirect
// ❌ Expires when browser closes

After:

// Cookie set on secure.store.com.br
document.cookie = "hello_session=abc123; path=/; Secure; domain=.store.com.br; max-age=315360000; SameSite=Lax"
// ✅ Available on checkout.store.com.br, www.store.com.br, etc.
// ✅ Persists through payment gateway redirects
// ✅ Persists for 10 years

VTEX-Specific Benefits

  • Session tracking now works across VTEX's multi-subdomain architecture
  • Order tracking (orderPlaced events) persists through checkout flow
  • UTM parameters maintained from catalog → checkout → confirmation
  • Compatible with VTEX's vtexcommercestable.com.br domains

Breaking Changes

None. Changes are backward-compatible and only enhance cookie behavior.


Note

Adds Secure, SameSite=Lax, max-age, and domain to cookies using a new Page.getRootDomain utility; updates URL handling and adds comprehensive tests.

  • Models:
    • Cookies: Cookies.set now sets Secure (HTTPS), SameSite=Lax, max-age=315360000, and domain (via Page.getRootDomain); falls back when domain unavailable.
    • Page:
      • Adds static getRootDomain(hostname) to resolve root domains (regular, multi-part TLDs, VTEX/myvtex/myshopify/wixsite, localhost/single-part).
      • New domain getter using getRootDomain.
      • url getter preserves explicit empty/undefined instead of always falling back to window.location.href.
  • Tests:
    • Extensive tests for Page.getRootDomain and Page.domain across TLD and platform cases.
    • Cookie attribute tests: Secure flag, domain resolution, SameSite, max-age, and full cookie string formatting.
  • Build:
    • Compiled outputs (dist/hellotext.js, lib/models/*) updated to reflect changes.

Written by Cursor Bugbot for commit 14c405c. This will update automatically on new commits. Configure here.
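
An added example, not code from this pull request or the project: one way the root-domain calculation and the cookie string described above could fit together. `rootDomain`, `buildCookie` and both suffix lists are hypothetical; treating shared platform suffixes like TLDs (so the cookie is scoped to one store) and omitting `domain` for single-label hosts are assumptions of this sketch.

```javascript
// Added example: hypothetical helpers, not the code in src/models/.
// Constructed suffix lists; a real build would consult the Public Suffix List.
const MULTI_PART_TLDS = new Set(['com.br', 'co.uk', 'com.au']);
// Shared platform suffixes, treated like TLDs (assumption) so the cookie
// is scoped to one store instead of every tenant on the platform.
const PLATFORM_SUFFIXES = new Set(['vtexcommercestable.com.br', 'myvtex.com', 'myshopify.com']);

function rootDomain(hostname) {
  if (typeof hostname !== 'string' || hostname.trim() === '') return null;
  const host = hostname.trim().toLowerCase().replace(/\.$/, '');
  // IP literals cannot carry a Domain attribute.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':')) return null;
  const parts = host.split('.');
  if (parts.some((p) => p === '')) return null; // e.g. "a..b"
  if (parts.length === 1) return host; // localhost: no leading dot
  // Longest known suffix wins; keep exactly one label in front of it.
  for (let take = 3; take >= 2; take--) {
    const suffix = parts.slice(-take).join('.');
    if (PLATFORM_SUFFIXES.has(suffix) || MULTI_PART_TLDS.has(suffix)) {
      if (parts.length <= take) return null; // host is itself a suffix
      return '.' + parts.slice(-(take + 1)).join('.');
    }
  }
  return '.' + parts.slice(-2).join('.'); // regular TLD: last 2 parts
}

function buildCookie(name, value, { hostname, protocol }) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'path=/'];
  if (protocol === 'https:') attrs.push('Secure');
  const domain = rootDomain(hostname);
  // Fallback: with no usable root domain the cookie stays host-only.
  if (domain && domain.startsWith('.')) attrs.push(`domain=${domain}`);
  attrs.push('max-age=315360000', 'SameSite=Lax');
  return attrs.join('; ');
}

// Constructed sample inputs.
console.log(buildCookie('hello_session', 'abc123',
  { hostname: 'secure.store.com.br', protocol: 'https:' }));
console.log(rootDomain('shop1.vtexcommercestable.com.br'));
```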

@rockwellll rockwellll merged commit 1ae5b52 into main Nov 30, 2025
3 checks passed
@rockwellll rockwellll deleted the cookies branch November 30, 2025 13:44