Amplitude-TypeScript icon indicating copy to clipboard operation
Amplitude-TypeScript copied to clipboard
verified publisher icon amplitude

fix(analytics-core): cookie storage should delete duplicate

Open Mercy811 opened this issue 8 months ago • 3 comments

Summary

AMP-125768

The SDK, by default, creates cookies using a domain with a leading dot (e.g., .amplitude.com). However, some customers have reported cases where two cookies with the same name exist—one with a leading dot in the domain and one without. See an example screenshot in the linked ticket comment.

This PR fix the issue by detecting and deleting the duplicate cookie that does not have the leading dot, ensuring only one cookie remains.

Note: We use document.cookie here, which does not expose domain information. While the CookieStore API would provide full access to domain-specific cookies, it is not yet widely supported across modern browsers.

Checklist

  • [ ] Does your PR title have the correct title format?
  • Does your PR have a breaking change?:

Mercy811 avatar Mar 28 '25 19:03 Mercy811

Do we have a good understanding of how the cookies with different domains were created? Is it due to the customer setting certain options in the SDK?

Also are there cases where we want to set a different value on a subdomain subdomain1.example.com that overrides the wildcard one at .example.com?

Dogfalo avatar Mar 28 '25 19:03 Dogfalo

Do we have a good understanding of how the cookies with different domains were created? Is it due to the customer setting certain options in the SDK?

Also are there cases where we want to set a different value on a subdomain subdomain1.example.com that overrides the wildcard one at .example.com?

Yea - it would be good to understand what causes this in the first place.

izaaz avatar Mar 28 '25 19:03 izaaz

Do we have a good understanding of how the cookies with different domains were created? Is it due to the customer setting certain options in the SDK? Also are there cases where we want to set a different value on a subdomain subdomain1.example.com that overrides the wildcard one at .example.com?

Yea - it would be good to understand what causes this in the first place.

We haven't find out why the cookie without leading dot is created for customers use default cookie options. The customer does not use experiment (looked up in datadog and admin-v2 page). This it's also ruled out that the cookie is set by experiment server-side sdk. They claimed they don't create the cookie either and have always used the default cookie options. By default, the sdk creates cookies on the top level domain so .example.com will always be used over subdomain1.example.com unless it's specified in config.

Mercy811 avatar Mar 28 '25 21:03 Mercy811