Cookies are small pieces of data that websites create and store on a user's device to hold information that makes navigation easier and improves the user experience. In PrestaShop, cookies play an important role not only for user convenience but also for security. In this article, we will break down the cookie settings in the PrestaShop admin panel, which can be found under "Advanced Parameters" -> "Administration," and explain each option available in the "General" section.
Check IP Address in Cookies
Check the IP address from the cookie to avoid its theft.
This option makes the system verify that the IP address of each request matches the one from which the cookie was originally created. It is a security measure intended to prevent cookie theft and the use of a stolen cookie to gain unauthorized access to a user's account. When enabled, the system compares the IP address on every request, adding an extra layer of protection. This is useful in cases where a cookie could be copied to another user's browser, which could otherwise lead to session hijacking.
When it may be useful: If you run an online store with high traffic or need strict security measures. However, keep in mind that this setting may cause accessibility issues for users whose IP addresses change frequently, such as those using mobile networks.
Cookie Lifetime on Store Pages
Specify the time (in hours) during which cookies on store pages will remain valid. After this time, the customer will need to log in again.
Default value: 480 hours (20 days).
This setting determines how long cookies remain valid on the client side, that is, for shoppers on your store. Once the set time expires, the customer will need to log in again to continue using their account. The cookie lifetime directly affects user convenience: the longer the duration, the less often users have to re-enter their login details.
When it may be useful: A shorter cookie lifetime can be justified when security is a top priority, minimizing the risk of abuse from long-lasting sessions. However, for most stores, the default value offers an optimal balance between convenience and security.
Cookie Lifetime in the Admin Panel
When you log in to your back office and stay logged in, the cookie duration defines how long the browser session lasts. Set here the number of hours for which you want the session to remain active before you have to log in again.
Default value: 480 hours (20 days).
This setting is similar to the previous one but applies to administrators and employees working in the back office. The cookie duration determines how long you can stay logged in without needing to log in again. It helps secure the back office while maintaining convenience for administrators.
When it may be useful: As with customer cookies, a shorter lifetime may be preferable if back office security is a priority, though it could create inconveniences for frequent users of the admin panel.
Cookie SameSite
Allows you to declare if your cookie should be restricted to a first-party or same-site context.
SameSite is a cookie attribute that helps prevent Cross-Site Request Forgery (CSRF) attacks and makes cookie handling more secure. It defines whether the cookie may be sent with cross-site requests or only with requests from the site that created it.
Available settings:
- None: In this mode, the cookie is sent in any context, including cross-site requests. Browsers only accept a SameSite=None cookie when it also carries the Secure flag, meaning it is transmitted over HTTPS only. This mode is useful if your site integrates third-party services (e.g., social media logins) that require cross-site requests.
- Lax: The cookie is sent with same-site requests and with top-level navigations the user initiates (e.g., clicking a link that leads to your site), but not with other cross-site requests such as embedded images, iframes, or cross-site form POSTs. This is the safest convenient mode and is recommended for most stores.
- Strict: The cookie is sent only with requests originating from the same site on which it was created. It is never sent on cross-site requests, even when the user initiates the navigation. This provides the highest level of protection but may reduce site functionality, especially if you use third-party services or integrations.
When it may be useful: The choice of SameSite value depends on how your site uses cookies. If you don't rely on cross-site integrations such as third-party login services, choose "Strict" for maximum protection. If you need more flexibility, "Lax" offers a reasonable compromise between security and functionality.
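To make the three values concrete, here is an added example in JavaScript (not PrestaShop's own code) that models how a browser decides whether to attach a cookie to a request. The request fields and the siteOf() approximation are assumptions made for this illustration.

```javascript
// Added example, not PrestaShop code: a simplified model of the browser rule that
// decides whether a cookie is attached to a request, keyed on its SameSite value.
// The request fields (initiator, target, topLevel, method) are names assumed here.

// Site of an origin, approximated as the last two host labels. Real browsers use
// the Public Suffix List; this shortcut is enough for the constructed origins below.
function siteOf(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

// Browsers reject a SameSite=None cookie that lacks the Secure flag, so it behaves
// as if it were never set.
function cookieAccepted(cookie) {
  return !(cookie.sameSite === 'None' && !cookie.secure);
}

// request.initiator: origin of the page that triggered the request
// request.target:    origin the request is sent to (the shop)
// request.topLevel:  true for navigations (link click, form submit), false for
//                    subrequests such as images, iframes or fetch()
// request.method:    HTTP method
function shouldSendCookie(cookie, request) {
  if (!cookieAccepted(cookie)) return false;
  // A Secure cookie is only ever sent over HTTPS, whatever its SameSite value.
  if (cookie.secure && !request.target.startsWith('https:')) return false;
  const sameSite = siteOf(request.initiator) === siteOf(request.target);
  switch (cookie.sameSite) {
    case 'Strict':
      return sameSite;
    case 'Lax':
      // Same-site always; cross-site only for a top-level navigation with a safe method.
      return sameSite || (request.topLevel && request.method === 'GET');
    case 'None':
      return true;
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenario: a form on another site POSTs to the shop while the shopper
// is logged in (the cross-site request pattern SameSite is meant to block).
// Returns the SameSite values under which the session cookie would still be sent.
function valuesExposedToCrossSitePost() {
  const request = { initiator: 'https://other.example', target: 'https://shop.example',
                    topLevel: true, method: 'POST' };
  return ['Strict', 'Lax', 'None']
    .filter(v => shouldSendCookie({ sameSite: v, secure: true }, request));
}
```

Only "None" leaves the session cookie attached to a cross-site POST; "Lax" blocks it while still allowing a plain link into the shop to arrive logged in.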
Conclusion
Configuring cookies in PrestaShop is an important aspect of managing user sessions and ensuring security for both customers and administrators. Each setting in the "General" section offers additional options to secure and improve the usability of both the customer-facing store and the admin panel.
If you have any questions about configuring cookies or want to share your experience, feel free to leave a comment—we’ll be happy to help!