WooCommerce Analytics: Deduplicate product_checkout events

[chihsuan]

Related to WOOA7S-929

Problem

The product_checkout event currently fires every time the checkout page loads, causing duplicate events on page refresh. This is inconsistent with the product_purchase event, which only fires on the final purchase. Since two events are often analyzed together, this inconsistency can lead to misleading insights.

Current behavior:

• User visits checkout → event fires ✓
• User refreshes page → event fires again ✗ (duplicate)
• User refreshes again → event fires again ✗ (duplicate)

Expected behavior:

• User visits checkout → event fires ✓
• User refreshes page → no event (same cart, same session)
• User modifies cart → event fires again ✓ (cart changed)

Proposed changes:

• Deduplicate product_checkout events using WC Session storage to track if checkout has already been recorded for the current cart state
• Fire product_checkout PHP-side via record_event() for consistency with product_purchase event (both now fire server-side)
• Reset tracking state automatically when cart changes (add/remove items, quantity updates) via WooCommerce hooks
• Include JS session ID tracking for sessionTracking feature support - when a new JS session starts, events fire again to capture the new session

Technical approach

1. Store a wca_checkout_tracked flag in WC Session when product_checkout fires
2. On subsequent checkout page loads, check if flag is set - if so, skip firing events
3. Hook into cart modification actions to reset the flag when cart changes
4. Optionally track JS session ID to detect session changes (when ClickHouse/sessionTracking is enabled)

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

No, this PR does not change what data we track. It reduces duplicate events while preserving meaningful tracking:

• Events still fire on first checkout page visit
• Events still fire when cart changes (add/remove/quantity update)
• Events still fire when JS session changes (if sessionTracking is enabled)

Testing instructions:

1. Set up a WooCommerce store with Jetpack connected and WooCommerce Analytics enabled
2. Add the following code snippet to your theme's functions.php or use a code snippet plugin:

add_filter( 'jetpack_woocommerce_analytics_event_props', function( $event_properties, $event_name ) {
    error_log( 'Tracks event: ' . $event_name );
    return $event_properties;
}, 10, 2 );

3. Add a product to cart
4. Go to checkout page - product_checkout event should fire (check debug.log)
5. Refresh checkout page - event should NOT fire again
6. Go back to cart, change quantity, return to checkout - event SHOULD fire again
7. Go back to cart, add another product, return to checkout - event SHOULD fire again
8. Change woocommerceanalytics_session cookie session id value (simulate new session)
9. Go to checkout page - event SHOULD fire again

Scenario	Expected
First checkout page load	Events fire for each item
Page refresh (same cart, same session)	No events fire
Add/remove item, return to checkout	Events fire again
Change quantity, return to checkout	Events fire again
JS session expires (if sessionTracking enabled)	Events fire again

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/deduplicate-product-checkout-event branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack fix/deduplicate-product-checkout-event

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  
• ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
3. You can use GitHub's Reviewers functionality to request a review.
4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

[Copilot]

Pull request overview

This PR implements deduplication for product_checkout events to prevent them from firing on every page refresh during a checkout session. The changes introduce session-based tracking that fires events once per cart state and optionally tracks JS session changes when ClickHouse is enabled.

Key changes:

• Adds WC Session-based deduplication to track checkout events once per cart state
• Implements JS session ID tracking for sessionTracking feature support
• Automatically resets tracking state when cart changes (add/remove items, quantity updates)

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
projects/packages/woocommerce-analytics/src/class-universal.php	Adds deduplication logic with should_track_checkout, mark_checkout_tracked, and reset_checkout_tracking_state methods; updates checkout_process to fire events via record_event() with session-based checks
projects/packages/woocommerce-analytics/src/class-woo-analytics-trait.php	Adds get_js_session_id() method and JS_SESSION_COOKIE_NAME constant to support JS session tracking
projects/packages/woocommerce-analytics/tests/php/mocks/woocommerce-functions.php	Adds mock WC instance management for testing session functionality
projects/packages/woocommerce-analytics/tests/php/mocks/class-wc-session.php	Introduces mock WC_Session class for testing session storage
projects/packages/woocommerce-analytics/tests/php/bootstrap.php	Includes new WC_Session mock in test bootstrap
projects/packages/woocommerce-analytics/tests/php/Universal_Test.php	Adds tests for reset_checkout_tracking_state and validates session key constants
projects/packages/woocommerce-analytics/changelog/fix-deduplicate-product-checkout-event	Documents the change as a patch-level modification

Comments suppressed due to low confidence (3)

projects/packages/woocommerce-analytics/src/class-woo-analytics-trait.php:342

• The get_js_session_id method lacks test coverage. Consider adding tests to verify: (1) returns null when ClickHouse is disabled, (2) returns null when cookie is not set, (3) correctly extracts session_id from valid cookie JSON, (4) handles invalid JSON gracefully. This is particularly important given the security and error-handling concerns around cookie parsing.

		}

		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- We're just reading and JSON-decoding the cookie.
		$cookie_value = wp_unslash( $_COOKIE[ $cookie_name ] );
		$cookie_data  = json_decode( urldecode( $cookie_value ), true );
		return $cookie_data['session_id'] ?? null;
	}

	/**
	 * Gather relevant product information
	 *
	 * @param \WC_Product $product product.
	 * @return array
	 */

projects/packages/woocommerce-analytics/src/class-woo-analytics-trait.php:341

• Reading the cookie value with wp_unslash is appropriate, but the phpcs ignore comment claims the input doesn't need sanitization because "we're just reading and JSON-decoding the cookie". However, the cookie value comes from the client and could be maliciously crafted. While json_decode is generally safe, the decoded value should be validated. Consider adding explicit type checking to ensure the decoded value is an array and that the session_id field, if present, is a string to prevent unexpected behavior from malicious input.

	 * Gather relevant product information
	 *
	 * @param \WC_Product $product product.
	 * @return array

projects/packages/woocommerce-analytics/src/class-woo-analytics-trait.php:341

• The get_js_session_id method does not validate that the JSON decoding was successful before attempting to access the array. If the cookie contains invalid JSON, json_decode returns null, and attempting to access $cookie_data['session_id'] will cause a PHP warning about trying to access an array offset on null. Add a check to ensure $cookie_data is an array before accessing its elements.

	 * @param \WC_Product $product product.
	 * @return array

[jp-launch-control]

Code Coverage Summary

Coverage changed in 2 files.

File	Coverage	Δ%	Δ Uncovered
projects/packages/woocommerce-analytics/src/class-universal.php	22/392 (5.61%)	4.78%	13 💔
projects/packages/woocommerce-analytics/src/class-woo-analytics-trait.php	7/275 (2.55%)	2.55%	1 ❤️‍🩹

Full summary · PHP report · JS report

_{If appropriate, add one of these labels to override the failing coverage check: Covered by non-unit tests Use to ignore the Code coverage requirement check when E2Es or other non-unit tests cover the code Coverage tests to be added later Use to ignore the Code coverage requirement check when tests will be added in a follow-up PR I don't care about code coverage for this PR Use this label to ignore the check for insufficient code coveage.}

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[Copilot]

@chihsuan I've opened a new pull request, #46498, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.