Session Management and Validation Settings in Magento Configuration

Posted in Magento on 18 November 2016

This post has been archived

The content of this post has not been updated since 2016, and may be out of date. Extra care should be taken with any code provided.

Cookie and session management is an important aspect of any ecommerce store. Everything from a customer’s cart and checkout process to recently viewed products is made possible by knowing who is using the website. This is where cookies come into play.

The Session Cookie Management options specify how and where cookies are set and used in your Magento store.

The Session Validation Settings protect the information stored in sessions by checking that known information gathered from a customer’s previous visits matches the current information.

Session Cookie Management
  • Cookie Lifetime is the time (in seconds) a cookie will remain ‘alive’. If the customer returns to the website within this timescale, their cart/checkout/details will have been stored. If the cookie expires, that information is no longer available to the customer.
  • Cookie Path will usually just need a forward slash “/”, which means the cookie will be available across the domain and not be limited to a specific directory.
  • The Cookie Domain will usually be your domain name preceded by a dot, and excluding the “www”. This means the cookie will be available on all subdomains.
  • Use HTTP Only should usually be set to ‘yes’. This means that the cookie will remain active as the user switches between http:// and https://. If this is set to ‘no’ you will experience the customer’s cart emptying as they switch between non-SSL and SSL versions of the site, which is usually when clicking through to the checkout.
  • Cookie Restriction Mode will notify your visitors that cookies are required for full-featured operations. It relates specifically to the EU cookie directive.

Session Validation Settings

  • Validate REMOTE_ADDR checks that the customer’s public IP address is the same as on previous visits.
  • Validate HTTP_VIA verifies that the proxy address of an incoming request matches what is stored.
  • Validate HTTP_X_FORWARDED_FOR checks that the forwarded-for address of a request matches what was stored previously.
  • Validate HTTP_USER_AGENT checks that the browser/device matches previous visits.
  • Use SID on Frontend adds an ID to the end of URLs that allows Magento to recognise visitors as they pass between domains set up on the one Magento install.
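
The four validators above can be pictured as a comparison between values recorded when the session starts and the values on each later request. The sketch below is an added example, not Magento's own code: the function names, the enabled-set parameter and all request data are assumptions made for illustration, and it shows which requests each combination of settings accepts or rejects.

```python
# Added illustration, not Magento's code. The keys are the CGI/WSGI names
# the validation settings refer to; all requests below are constructed samples.
VALIDATOR_KEYS = ("REMOTE_ADDR", "HTTP_VIA", "HTTP_X_FORWARDED_FOR", "HTTP_USER_AGENT")


def snapshot(environ, enabled):
    """Record the enabled request attributes when the session is created."""
    return {k: environ.get(k, "") for k in VALIDATOR_KEYS if k in enabled}


def failed_validators(stored, environ):
    """Return the recorded keys whose value in this request no longer matches."""
    return [k for k, v in stored.items() if environ.get(k, "") != v]


def check(enabled, first_request, later_request):
    """Start a session on first_request, then validate later_request against it."""
    return failed_validators(snapshot(first_request, enabled), later_request)


# Constructed requests (documentation IP ranges, made-up user agents).
LOGIN = {"REMOTE_ADDR": "203.0.113.10",
         "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0"}
# Same browser, new address (e.g. a phone moving from Wi-Fi to mobile data).
ROAMING = dict(LOGIN, REMOTE_ADDR="198.51.100.7")
# The same session presented by a different client.
REPLAY = {"REMOTE_ADDR": "192.0.2.44", "HTTP_USER_AGENT": "curl/7.50.1"}
# Same customer, but a proxy now adds Via and X-Forwarded-For headers.
PROXIED = dict(LOGIN, HTTP_VIA="1.1 proxy.example",
               HTTP_X_FORWARDED_FOR="203.0.113.10")

if __name__ == "__main__":
    ua_only = {"HTTP_USER_AGENT"}
    ip_and_ua = {"REMOTE_ADDR", "HTTP_USER_AGENT"}
    for name, enabled, later in [
        ("UA only, roaming customer", ua_only, ROAMING),
        ("UA only, different client", ua_only, REPLAY),
        ("IP + UA, roaming customer", ip_and_ua, ROAMING),
        ("all four, proxy appears", set(VALIDATOR_KEYS), PROXIED),
    ]:
        failed = check(enabled, LOGIN, later)
        print(f"{name}: {'rejected on ' + ', '.join(failed) if failed else 'accepted'}")
```

In this model, enabling REMOTE_ADDR validation also ends the session of a legitimate customer whose address changes mid-visit, which is the trade-off to weigh before switching it on.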
