🐛 Regenerate anonymousId when session cookie is altered without preserving aid (#4203)

thomas-lebeau · web-flow · commit 37e7fa9835a8 · 2026-02-18T16:55:37.000+01:00
diff --git a/packages/core/src/domain/session/sessionStore.ts b/packages/core/src/domain/session/sessionStore.ts
@@ -230,6 +230,9 @@ export function startSessionStore<TrackingType extends string>(
       sessionState.id = generateUUID()
       sessionState.created = String(dateNow())
     }
+    if (configuration.trackAnonymousUser && !sessionState.anonymousId) {
+      sessionState.anonymousId = generateUUID()
+    }
   }
 
   function hasSessionInCache() {
diff --git a/test/e2e/scenario/rum/sessions.scenario.ts b/test/e2e/scenario/rum/sessions.scenario.ts
@@ -1,5 +1,7 @@
+import { SESSION_STORE_KEY, SESSION_TIME_OUT_DELAY } from '@datadog/browser-core'
 import { RecordType } from '@datadog/browser-rum/src/types'
 import { test, expect } from '@playwright/test'
+import { setCookie } from '../../lib/helpers/browser'
 import { expireSession, findSessionCookie, renewSession } from '../../lib/helpers/session'
 import { createTest, waitForRequests } from '../../lib/framework'
 
@@ -165,6 +167,39 @@ test.describe('rum sessions', () => {
       })
   })
 
+  test.describe('session cookie alteration', () => {
+    createTest('after cookie is altered to isExpired, a user interaction starts a new session with a new anonymous id')
+      .withRum()
+      .run(async ({ flushEvents, browserContext, page }) => {
+        const initialCookie = await findSessionCookie(browserContext)
+        const initialSessionId = initialCookie?.id
+        const initialAid = initialCookie?.aid
+
+        expect(initialSessionId).toBeDefined()
+        expect(initialAid).toBeDefined()
+
+        // Simulate cookie being altered to isExpired=1 without preserving aid
+        await setCookie(page, SESSION_STORE_KEY, 'isExpired=1', SESSION_TIME_OUT_DELAY)
+
+        // Cookies are cached for 1s, wait until the cache expires
+        await page.waitForTimeout(1100)
+
+        await page.locator('html').click()
+
+        // The session is not created right away, let's wait until we see a cookie
+        await page.waitForTimeout(1000)
+
+        await flushEvents()
+
+        const newCookie = await findSessionCookie(browserContext)
+        expect(newCookie?.isExpired).not.toEqual('1')
+        expect(newCookie?.id).toBeDefined()
+        expect(newCookie?.id).not.toEqual(initialSessionId)
+        expect(newCookie?.aid).toBeDefined()
+        expect(newCookie?.aid).not.toEqual(initialAid)
+      })
+  })
+
   test.describe('third party cookie clearing', () => {
     createTest('after a 3rd party clears the cookies, do not restart a session on user interaction')
       .withRum()

Original file line number	Diff line number	Diff line change
`@@ -230,6 +230,9 @@ export function startSessionStore<TrackingType extends string>(`
`230`	`230`	`sessionState.id = generateUUID()`
`231`	`231`	`sessionState.created = String(dateNow())`
`232`	`232`	`}`
	`233`	`+ if (configuration.trackAnonymousUser && !sessionState.anonymousId) {`
	`234`	`+ sessionState.anonymousId = generateUUID()`
	`235`	`+ }`
`233`	`236`	`}`
`234`	`237`
`235`	`238`	`function hasSessionInCache() {`