Cookies in pixel sandbox

Hi there,

We’re using PostHog on our production site, which is built with Next.js. For checkout, users are redirected to Shopify’s hosted checkout at a URL that looks like https://shop.app/checkout/XXX.

To track conversions, we fire an event using the PostHog JS SDK inside a custom Shopify pixel, following the approach described here: Shopify - Docs - PostHog.

That guide doesn’t mention cross-domain tracking, but this tutorial does:

“Tracking users across different domains, like posthog.com and hogflix.com, requires some extra work. You need to pass users’ distinct_id and session_id between PostHog initializations to ensure they are connected…”

It also clarifies that PostHog handles tracking automatically across subdomains but not across entirely different domains.

When inspecting the events fired by the pixel inside PostHog, it appears the domain for the URLs associated with the events is using a subdomain we have assigned to our storefront, rather than shop.app. My guess is that Shopify is somehow ‘masking’ the true domain for consistency or reporting purposes, but that the pixel executes in a sandboxed environment hosted at shop.app – meaning it wouldn’t have access to cookies set by PostHog on our main domain.

If that is correct, the implication is that the PostHog SDK in the checkout pixel cannot access the session cookie set by PostHog on our primary domain, and therefore we’d need to pass the session_id manually to maintain continuity across domains – as outlined in the cross-domain tracking guide.

Shopify’s documentation seems to support this (https://help.shopify.com/en/manual/promoting-marketing/pixels/overview):

“There are some limitations on what information can be accessed, because pixels run in a secure sandbox environment… These limitations might not be compatible with some third-party pixels.”

I just wanted to confirm whether this interpretation is accurate?

Thank you in advance.

You are correct that the code is executed on the subdomain of your store.

BUT… I believe if you’re identifying the user with their email address, the email will work as the identifier and you’ll be able to see the activity together. It will create a separate distinct ID for the user, but if you’re identifying with their email in both places, PostHog should be able to stitch them together.

Thanks @watilo for confirming!

You’re right that we can use the distinct_id — but the challenge is that users aren’t always logged in when browsing the main site. In those cases, PostHog assigns an auto-generated distinct_id to start tracking their session.

When the user moves to checkout, we can then use their email as the distinct_id. However, unless cookies are accessible across domains (which doesn’t appear to be the case here), there’s no reliable way to connect the events from the original session to what happens inside the Shopify sandbox.

To address this, we’re passing both the original distinct_id and session_id through as cart meta fields. This then allows us to bootstrap the PostHog instance in the sandbox with the correct context and ensure the data is properly linked.
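
The hand-off described in the last post, as an added example that is not part of the thread and is not PostHog's or Shopify's own code: the pixel reads the two IDs back from the checkout attributes, keeps only well-formed values (cart attributes are writable from the browser, so they are untrusted input), and passes them to the SDK's `bootstrap` option. The attribute keys, the ID formats and the `event.data.checkout.attributes` shape are assumptions.

```javascript
// Hypothetical cart attribute keys; use whatever keys your storefront writes.
const DISTINCT_ID_KEY = '_ph_distinct_id';
const SESSION_ID_KEY = '_ph_session_id';

// Assumption: anonymous distinct IDs are UUIDs and session IDs are UUIDv7.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
const UUID_V7 = /^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Build the `bootstrap` object from an array of { key, value } attributes.
// Malformed or missing values are dropped instead of being passed to the SDK.
function buildBootstrap(attributes) {
  const found = new Map();
  for (const attr of Array.isArray(attributes) ? attributes : []) {
    if (attr && typeof attr.key === 'string' && typeof attr.value === 'string') {
      found.set(attr.key, attr.value.trim().toLowerCase());
    }
  }
  const distinctID = found.get(DISTINCT_ID_KEY);
  const sessionID = found.get(SESSION_ID_KEY);
  // Without a valid distinct ID there is nothing to link to; the SDK starts fresh.
  if (!distinctID || !UUID.test(distinctID)) return {};
  const bootstrap = { distinctID };
  // The session ID is only carried over alongside a valid distinct ID.
  if (sessionID && UUID_V7.test(sessionID)) bootstrap.sessionID = sessionID;
  return bootstrap;
}

// Wiring inside the custom pixel; skipped when the sandbox globals are absent.
if (typeof analytics !== 'undefined' && typeof posthog !== 'undefined') {
  analytics.subscribe('checkout_completed', (event) => {
    posthog.init('<ph_project_api_key>', {
      api_host: '<ph_api_host>', // placeholder
      bootstrap: buildBootstrap(event.data.checkout.attributes),
    });
    posthog.capture('checkout_completed');
  });
}
```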