Session depersonalization in Magento 2, why and how?

Most likely, at least once you faced the issue when customer session does not work except an account page etc. And usually, it’s not obvious why. Is it a bug? No, actually that is the case when it’s not a bug, it’s kind of feature.

Public and private content

Magento can distinguish between two types of content:

Public – public content is stored server-side in your reverse proxy cache storage;
Private – private content is stored client side and is specific to an individual customer.

There are the cacheable and non-cacheable pages. It’s pretty simple with non-cacheable pages. Such pages are not cacheable and can provide dynamically generated private content, unique for one user. The cacheable pages are being served by reverse proxies to more than one user. And it’s very important to avoid caching of the user-specific data on these pages.

Here is the cacheable page checklist:

The HTTP GET or HTTP HEAD request is used;
Pages render only cacheable blocks (there are no cacheable="false" attribute for any block in layout);
Pages render without sensitive private data, session and customer DTO objects are empty;
Model and block level should identify themselves for invalidation support.

Customer Session Depersonalization

Magento cleans the session storage for cacheable requests in order to avoid caching of customer private content. This indicates that we should not access the customer session data while processing the GET request intended to render the cacheable page. For example, when rendering the product view page, which is cacheable by default, if you try to check whether the customer is logged in, you will always receive false.

The responsibility to unset the private data lies on several depersonalization Magento 2 plugin classes. These plugins are applied to Magento\Customer\Model\Layout\DepersonalizePlugin::beforeGenerateXml method, as this is the most suitable entry point, considering all the necessary data is already available and the rendering process has not started yet. These depersonalized plugins implement two methods:

beforeGenerateXml – collects all the needed data, which should be kept for the further usage;
afterGenerateXml – unset the private customer data from the session DTO, set the specific previously saved data, which should be kept.

There is an additional “Depersonalized Checker” class which is intended to check if the session should be depersonalized. This class implements only one method, which is expected to be used for all depersonalized Magento 2 plugins. If you check the code you will see that in general, it performs the verification of “cacheable page checklist” described previously.

/**
 * Check if depersonalize or not
 *
 * @param \Magento\Framework\View\LayoutInterface $subject
 * @return bool
 * @api
 */
public function checkIfDepersonalize(\Magento\Framework\View\LayoutInterface $subject)
{
    return ($this->moduleManager->isEnabled('Magento_PageCache')
        && $this->cacheConfig->isEnabled()
        && !$this->request->isAjax()
        && ($this->request->isGet() || $this->request->isHead())
        && $subject->isCacheable());
}

Here is what it does:

Check if the FPC (Full Page Cache) module is enabled;
Check if the FPC cache type is enabled;
Check if the request is not AJAX;
Check if the HTTP GET or HTTP HEAD method is used for the request;
Check if the page is cacheable, by verifying if non-cacheable layout elements (blocks with cacheable="false" attribute) are existent on the page.

If all of the above conditions are true, the page is considered as cacheable.

The customer session is cleaned by \Magento\Customer\Model\Layout\DepersonalizePlugin. Let’s check the implementation of Magento 2 before plugin method beforeGenerateXml. It simply puts the necessary session data to the corresponding properties of the class, in order to keep this data after session storage cleanup.

/**
 * Before generate Xml
 *
 * @param \Magento\Framework\View\LayoutInterface $subject
 * @return array
 */
public function beforeGenerateXml(\Magento\Framework\View\LayoutInterface $subject)
{
    if ($this->depersonalizeChecker->checkIfDepersonalize($subject)) {
        $this->customerGroupId = $this->customerSession->getCustomerGroupId();
        $this->formKey = $this->session->getData(\Magento\Framework\Data\Form\FormKey::FORM_KEY);
    }
    return [];
}

As for the Magento 2 after plugin method afterGenerateXml, it unsets the visitor’s data and clears session storage. So the customer private data is not related to the current visitor and is not accessible anymore. Then it sets the previously saved data (customer group id and form key) as an exclusion for specific needs.

/**
 * After generate Xml
 *
 * @param \Magento\Framework\View\LayoutInterface $subject
 * @param \Magento\Framework\View\LayoutInterface $result
 * @return \Magento\Framework\View\LayoutInterface
 */
public function afterGenerateXml(\Magento\Framework\View\LayoutInterface $subject, $result)
{
    if ($this->depersonalizeChecker->checkIfDepersonalize($subject)) {
        $this->visitor->setSkipRequestLogging(true);
        $this->visitor->unsetData();
        $this->session->clearStorage();
        $this->customerSession->clearStorage();
        $this->session->setData(\Magento\Framework\Data\Form\FormKey::FORM_KEY, $this->formKey);
        $this->customerSession->setCustomerGroupId($this->customerGroupId);
        $this->customerSession->setCustomer($this->customerFactory->create()->setGroupId($this->customerGroupId));
    }
    return $result;
}

There are many other depersonalization plugins. Most of them are also used in order to clear particular session storage (e.g. Magento checkout session, Magento catalog session) or vice versa – to keep some specific data in session DTO:

Name	Class
catalog-session-depersonalize	Magento\Catalog\Model\Layout\DepersonalizePlugin
checkout-session-depersonalize	Magento\Checkout\Model\Layout\DepersonalizePlugin
core-session-depersonalize	Magento\PageCache\Model\Layout\DepersonalizePlugin
persistent-session-depersonalize	Magento\Persistent\Model\Layout\DepersonalizePlugin
tax-session-depersonalize	Magento\Tax\Model\Layout\DepersonalizePlugin
customer-session-depersonalize	Magento\Customer\Model\Layout\DepersonalizePlugin

Possible Solutions

So how to deal with customer private content for cacheable pages?

Someone recommends disabling Full Page Caching. However, this is not an option. You should never do it. This is critically important to avoid such solutions while implementing a custom feature.

The second one is to make the cacheable page to be non cacheable by using the cacheable="false" attribute for your block in layout. Which is good when your page consists of dynamic and private content entirely e.g. Shopping Cart, Account View, Order History pages. However, you should be careful when using this approach. If you add the cacheable="false" attribute to some block – all the pages where it’s used will be uncacheable. For example, if you add such block to the default handle of your layout update, you will make the whole website non-cacheable by full page cache, none of the pages will be cached.

And the highly recommended approach is a separate AJAX request performed in order to load the private content and update dynamic blocks e.g. minicart, wishlist (in sidebar), customer name (in header). Magento 2 provides a special JS component to simplify the work with a customer private content. More details can be found in the Private Content section of Magento 2 DevDocs.

Hope this information was interesting for you too. Thanks for reading!

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.