dfsavecart — Magic link cart save
Installation, configuration and usage of the magic link cart save module for PrestaShop 8 and 9.
Overview
dfsavecart adds a “Keep for later” feature to the cart page of your PrestaShop 8 or 9 store. The visitor, logged in or guest, enters their email address and receives a secure link (“magic link”) that restores their exact cart — same products, same quantities — on any device, at any time within the configured validity period.
The module is non-intrusive: it does not affect the order funnel, the checkout, or other modules. It works with PrestaShop’s native email system (and therefore with your existing SMTP).
Requirements
- PrestaShop 8.0.x to 9.x
- PHP 8.1 or higher
- MySQL 5.7+ or MariaDB 10.3+
- Working email sending (Advanced Parameters > E-mail — test sending before installing the module)
Installation
- Download the dfsavecart.zip file from your DataFirefly account.
- In the PrestaShop back office, go to Modules > Module Manager.
- Click Upload a module and select the ZIP.
- PrestaShop installs the module automatically: the ps_df_savecart table is created and the hooks are registered.
- Click Configure to access the settings.
No class or controller overrides are installed: uninstallation is clean and residue-free (the table and configuration keys are removed).
Configuration
All settings are on a single page: Modules > Module Manager > dfsavecart > Configure.
Main settings
- Enable the module — master switch. When disabled, the block disappears from the front office without uninstalling.
- Button position — Cart footer (recommended, hook displayShoppingCartFooter), Inside cart (hook displayShoppingCart) or Both. The choice depends on your theme: check the rendering on the cart page after changing it.
- Link validity duration — from 1 to 365 days, 30 by default. After that, the link expires and the record is purged.
Security and anti-spam
- Limit per email / day — maximum number of sends for the same address over a rolling 24 h window (10 by default). Set to 0 to disable. The counter relies on a salted hash of the email: the address is not stored in clear text for this function.
- Single-use link — when enabled, the link becomes invalid after the first restoration. Useful for confidential carts (B2B, quotes).
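A sketch of the per-email limit described above, as an added example that is not the module's own code. It assumes the "salted hash" is an HMAC-SHA256 keyed with a shop secret and that addresses are trimmed and lowercased first; the function names and the in-memory $sends array are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the salted hash is modelled as HMAC-SHA256 keyed with a shop secret.
// Trimming and lowercasing the address is also an assumption of this example.
function emailFingerprint(string $email, string $shopSecret): string
{
    return hash_hmac('sha256', strtolower(trim($email)), $shopSecret);
}

// $sends maps fingerprint => list of Unix timestamps (hypothetical stand-in for storage).
// The clear-text address is never written to it.
function allowSend(array &$sends, string $email, string $shopSecret, int $limit, int $now): bool
{
    $key = emailFingerprint($email, $shopSecret);
    // Keep only the sends that fall inside the rolling 24 h window.
    $recent = array_values(array_filter(
        $sends[$key] ?? [],
        static fn (int $ts): bool => $ts > $now - 86400
    ));
    if ($limit > 0 && count($recent) >= $limit) {
        $sends[$key] = $recent;
        return false;             // limit reached; a limit of 0 disables the check
    }
    $recent[] = $now;
    $sends[$key] = $recent;
    return true;
}

// Constructed demo values: four sends one minute apart with a limit of 3,
// then one more just after the first send has left the 24 h window.
$sends   = [];
$secret  = 'constructed-demo-secret';
$t0      = 1_700_000_000;
$results = [];
for ($i = 0; $i < 4; $i++) {
    $results[] = allowSend($sends, 'Buyer@Example.com ', $secret, 3, $t0 + $i * 60);
}
$results[] = allowSend($sends, 'buyer@example.com', $secret, 3, $t0 + 86400 + 1);
var_dump($results, array_keys($sends));
```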
Restoration behavior
- Clear the current cart before restoring — enabled by default. When disabled, the link’s products are added to the current cart (cumulative).
GDPR and email
- Request GDPR consent — displays a mandatory checkbox before sending (enabled by default, recommended).
- Send BCC to the merchant — adds the shop’s contact email as BCC on every send, for internal tracking.
- Email subject (per language) — customizable for each active shop language. Available variables: {shop_name} and {firstname}.
How it works for the customer
- The customer adds products to their cart and opens the cart page.
- They see the “Keep this cart for later” block with an email field (prefilled if logged in).
- They enter their email, tick the consent box if required, and click Send the link.
- They receive an email containing a cart summary (products, quantities, estimated total), the expiry date and a Restore my cart button.
- Clicking the button restores the exact cart and redirects to the cart page with a confirmation message.
Edge cases at restoration
- Disabled or deleted product — the line is skipped and the customer is informed by a message listing unavailable products.
- Insufficient stock — the quantity is adjusted to the maximum available, with a message flagging the adjustment.
- Expired or already used link (single-use mode) — a plain error page is displayed, with links to the current cart and the homepage.
- Language and currency — those of the original cart are restored.
Emails
HTML and text templates are provided in French, English, Spanish and German in modules/dfsavecart/mails/{iso}/savecart.html and savecart.txt. The language used is the cart’s language at save time.
Variables available in the templates: {firstname}, {shop_name}, {restore_link}, {cart_items_html}, {cart_items_txt}, {cart_total}, {expiry_date}.
To keep template customizations across updates, duplicate the templates into your theme’s mails folder rather than editing the module’s copies, which would be overwritten on update.
Security
- 256-bit token — generated by random_bytes(32), PHP’s cryptographically secure generator. 64 hexadecimal characters in the URL.
- Hash storage — only the SHA-256 fingerprint of the token is stored in the database. If the database is compromised, no link can be reconstructed.
- CSRF — the AJAX save endpoint verifies the PrestaShop session token.
- Strict validation — the token format is checked server-side ([a-f0-9]{64}) before any database query.
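The token lifecycle described in this list (generation, hash-only storage, format check before lookup), together with the expiry and single-use settings, as an added example that is not the module's own code. The function names, the row fields and the in-memory $store array standing in for the ps_df_savecart table are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the ps_df_savecart table, keyed by token hash.
// Field names are assumptions of this example, not the module's schema.
function issueToken(array &$store, int $cartId, int $validDays, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits -> 64 hex characters for the URL
    $store[hash('sha256', $token)] = [       // only the SHA-256 fingerprint is persisted
        'cart_id'    => $cartId,
        'expires_at' => $now + $validDays * 86400,
        'used'       => false,
    ];
    return $token;
}

function redeemToken(array &$store, string $token, bool $singleUse, int $now): ?int
{
    // Format check first, so malformed input never reaches storage.
    // \A and \z are used because $ would also accept a trailing newline.
    if (preg_match('/\A[a-f0-9]{64}\z/', $token) !== 1) {
        return null;
    }
    $key = hash('sha256', $token);
    $row = $store[$key] ?? null;
    if ($row === null || $now > $row['expires_at']) {
        return null;                         // unknown or expired link
    }
    if ($singleUse && $row['used']) {
        return null;                         // single-use link already restored
    }
    $store[$key]['used'] = true;
    return $row['cart_id'];
}

// Constructed demo values.
$store = [];
$now   = 1_700_000_000;
$token = issueToken($store, 42, 30, $now);

var_dump(redeemToken($store, $token, true, $now + 3600));          // first restoration
var_dump(redeemToken($store, $token, true, $now + 7200));          // replay in single-use mode
var_dump(redeemToken($store, $token . '0', false, $now));          // wrong length, fails format check
var_dump(redeemToken($store, str_repeat('a', 64), false, $now));   // well-formed but never issued
```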
GDPR
- Configurable explicit consent before sending the email.
- For the anti-spam limit, the email is not kept in clear text: only a salted hash (using the shop’s secret key) is used.
- Expired records are deleted automatically (purge) — see next section.
- No data is transmitted to any third-party service: everything stays in your PrestaShop database.
- For a customer erasure request, delete their rows in the ps_df_savecart table (email column).
Purging expired links
Three options, from simplest to most automated:
- Manual button — on the module’s configuration page, “Purge expired entries”.
- CronJobs module — install PrestaShop’s free CronJobs module: the module’s actionCronJob hook is called automatically and triggers the purge.
- System crontab — schedule a regular call to your shop’s cron according to your server setup.
Statistics
The configuration page displays four real-time counters: total saved, active (not expired), expired (awaiting purge) and restored (links used at least once). The restored / total ratio gives you the feature’s conversion rate.
Multistore
The module is multistore-compatible: each save records its source shop ID, which is used during restoration. Configuration follows the standard PrestaShop shop context.
Troubleshooting
The email does not arrive
- Check the shop’s global email sending: Advanced Parameters > E-mail > Test sending.
- Check the recipient’s spam folder.
- Check the logs: Advanced Parameters > Logs (module errors are prefixed [dfsavecart]).
The block does not appear on the cart page
- Check that the module is enabled in its configuration.
- Check that the cart contains at least one product (the block is hidden on empty carts).
- Check the chosen position: some themes do not implement the displayShoppingCartFooter hook — switch to “Inside cart” or “Both”.
- Clear the cache: Advanced Parameters > Performance > Clear cache.
“Invalid security token” message
- The cart page stayed open too long and the session expired: refresh the page and try again.
“Too many requests for this address” message
- The daily anti-spam limit has been reached for this email. Raise the limit in the configuration or wait 24 h.
Uninstallation
Uninstalling removes the ps_df_savecart table (all saved carts are lost) and all configuration keys. No residue is left in the database or on disk.