Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.cevoid.com/llms.txt

Use this file to discover all available pages before exploring further.

Use this page when you need the exact rules for Cevoid session creation and session_id attachment. If you only want the operational setup steps, use Session Tracking instead.

Short answer

The SDK only attempts to create a Cevoid session when both of these are true:
  1. enableSessionTracking is enabled
  2. The consent checks resolve to granted
If consent is denied, events can still be sent, but session_id is omitted. On a non-Shopify site with no GTM consent entry and no window.cevoidTrackingConsent value, the consent checks default to granted. The current Cevoid session cookie name is ca_session. cevoid_sid is the legacy cookie name. The SDK will migrate an existing legacy cookie into ca_session and clean up the old cookie when possible. If your storefront requires cookie disclosures before analytics storage is enabled, document ca_session in your cookie policy before you turn on session tracking in production. When session tracking is enabled, the SDK checks up to three sources: If none of these sources are present on a non-Shopify site, the overall consent result defaults to granted.

Shopify Customer Privacy API

If Shopify is not present, this check defaults to granted. If Shopify is present, the SDK tries to load the consent-tracking-api feature and waits up to 5 seconds:
  • if the feature loads, it uses window.Shopify.customerPrivacy.userCanBeTracked()
  • if feature loading fails or times out, the Shopify check resolves to denied

GTM dataLayer

If window.dataLayer is missing or is not an array, this check defaults to granted. If a consent entry is present, the SDK reads analytics_storage from the first ['consent', ..., {...}] style entry:
  • analytics_storage === 'granted' means granted
  • any other value means denied

window.cevoidTrackingConsent

If this global is missing, this check defaults to granted. If it is present:
  • 'granted' means granted
  • any other value means denied
If consent resolves to granted, the SDK:
  • creates or refreshes ca_session
  • uses a 30-minute rolling expiry
  • attaches session_id to tracked events
Cookie attributes:
  • Name: ca_session
  • Path: /
  • SameSite: Lax
  • Domain: only set when you pass cookieDomain
If consent resolves to denied:
  • the SDK clears the Cevoid session state
  • the SDK does not create ca_session
  • tracked events can still be sent
  • those events do not include session_id

What happens when cookies cannot be written

If consent is granted but the browser blocks cookie writes, the SDK falls back to an in-memory session for the current page runtime. That fallback:
  • does not persist across full page reloads
  • still allows a session value to be attached during the current runtime
This fallback does not apply to denied consent. When enableSessionTracking is enabled, tracked events are deferred until consent resolution finishes. After consent resolves:
  • if granted, the SDK creates or refreshes the session and then sends the deferred events
  • if denied, the SDK sends the deferred events without session_id

Practical examples

Result:
  • consent defaults to granted
  • ca_session is created if session tracking is enabled

Shopify storefront where tracking is denied

Result:
  • no ca_session is created
  • events can still be sent without session_id

Site where cookies are blocked

Result:
  • no persistent ca_session
  • in-memory session fallback for the current runtime only