Details about cart-related cookies

Shopify Partner
11 0 5

Hello. I am working on a custom persistent-cart implementation. I have read this thread and this blog post.

Our approach is to maintain a cart (which also receives `carts/update` webhooks), in our own database, and to keep an association between a cart and a customer by overriding the `cart` cookie value with the id/token value stored in our database (up until Shopify expires that cart in their DB or the customer completes a checkout, at which point we'll update to using a new token).

However, I'd like any more details I can get on Shopify's use and modification of this cookie and the significance of the `cart_sig` and `cart_ts` cookies (`cart_ts` being the millisecond value of the UTC time the cart was created, I believe). Our basic implementation involves just overwriting the value of `cart` and then using the Storefront AJAX API to update the single cart (kept in sync in our DB). But I want to know if there's anything more anyone can tell me about manipulating these cookies, from a Shopify expert.


Shopify Partner
46 1 17

Did you ever figure out an answer to this? I'm looking at rolling my own simple persistent cart functionality for the store I'm working on, and I had the same idea to just swap out the cart token.

In looking at this, I did discover something slightly strange with the way that shopify handles carts when logging in and out of accounts. Carts don't seem to be tied to a particular customer—I can create a cart as a guest, then log into Account #1, then log out and log into Account #2, and the cart stays the same the entire time. Unless you erase the cart cookie, shopify just carries on using the same cart token no matter who you're logged in as.

Here's what I figured out about the cookies:

  • cart → cart id/token identifying the cart. There is no protection to this value, so if I snoop the value from someone's cart session, I can set my cart cookie to match and I will have access to their cart.
  • cart_ts → Unix timestamp of last update (in seconds)
  • cart_ver → version number that auto-increments with each change to the cart
  • cart_sig → appears to be an md5 hash of some part of the cart, I can't figure out what though. 

As far as I can tell, cart is the only cookie that you need to deal with if you want to sync carts between devices or even share the cart with someone else. Simply store the cart token somewhere you can retrieve it, such as a customer metafield or customer tag, and then when the person logs in somewhere else, you can retrieve this value and set the cart cookie to match. Once two devices share the same cookie, any updates to the cart will automatically show up on the other device. The one caveat I can think of is that if you allow people to shop as a guest (most stores do), you will need to somehow handle the case when a customer puts items into their cart before logging in. Fortunately for me, the store I'm currently working on is a special case, and requires people to be logged in before they can even view any items.