Magento 1.9 – Fix Inconsistent Cookies Between www and Non-www URLs

Tags: cookie, magento-1.9, nginx

I have a site with some cookie issues where going to a non-www URL will set cookies that prevent customers from logging in. I have found other questions that refer to the cookie settings as the solution, but this isn't working for me. So…

example.com/login requested -> cookie set for .example.com. This prevents logins.

www.example.com/login requested -> cookie set for .www.example.com. This works.

I've tried setting the cookie path and cookie domain in the system config without any success. For now, I'm redirecting all non-www page requests to the www URL to deal with this issue, but is there another way to do this on the Magento configuration-level instead of the web server?

We're using nginx and Redis, and are on CE.

Best Answer

The big issue is that Magento expects the website host name part of the URL to be what is listed in your BaseURLs.

So for example, if you have set Magento to serve out the site as www.example.com and someone comes in on example.com, Magento creates a session and a cookie for example.com, does a redirect to the BaseURL www.example.com and creates a new session.

The browser now has two cookies set and UX quickly goes downhill from there with cookie/session confusion shutting things down in weird ways.

Your best bet is to never let Magento get involved in this process. Use .htaccess rules or in your case, nginx rules to keep Magento in the dark and never see the non-BaseURL host name.

Set your cookie path/domain to match the choice made in your rules.

An added advantage also is that your customer "helpdesk" calls tend to go way down along with the misery of telling them how to delete cookies and history to attempt making the website function for them. Been there, done that, the T-shirt was no good and the experience no fun.
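
The nginx approach the answer describes could look like the sketch below. It is an added example, not configuration from the question or the answer. It assumes www.example.com is the Magento Base URL; the certificate paths and document root are placeholders, and the existing Magento location and FastCGI rules are assumed to stay as they are.

```nginx
# Constructed example. example.com / www.example.com stand in for the real
# hosts; www.example.com is assumed to be the Magento Base URL.

# Non-canonical host: nginx answers the redirect itself, so the request never
# reaches PHP and Magento never issues a session cookie for example.com.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;

    # Placeholder paths. The certificate must also be valid for example.com,
    # otherwise HTTPS visitors get a certificate error before the redirect.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Keep the scheme, path and query string; only the host changes.
    return 301 $scheme://www.example.com$request_uri;
}

# Canonical host: the only server block that hands requests to Magento.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

    root /var/www/magento;                                 # placeholder

    # ... existing Magento location / fastcgi_pass rules go here unchanged ...
}

# Matching Magento setting (System > Configuration > Web >
# Session Cookie Management), stored in core_config_data as:
#   web/cookie/cookie_domain = www.example.com
#   web/cookie/cookie_path   = /
# so the cookie scope agrees with the single host nginx lets through.
```

After reloading nginx, a request to the bare host should return a 301 with no `Set-Cookie` header, and the only session cookie in the browser should be the one issued by www.example.com.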
