First Party Cookie Confusion
Matt Hopkins posted in Web Analytics, Visitor Segmentation on August 1st, 2007
If you're new here, you may want to subscribe to my RSS feed. Also check out my Twitter profile. Thanks for visiting!
Cookies in their own right are really simple little things, the idea being that every time you view a web page on a website, you will be given a code to store on your local PC. The next time you come back to that site it can read your stored cookie and so count you as the same visitor who has returned.
So where is the confusion?
Well, the confusion comes when you start talking about first party and third party cookies and how they are treated differently by web browsers.
A first party cookie is a cookie that is given to the website visitor by the same domain (www.domain.com) that the web page resides on. Whereas, a third party cookie is one that is issued to the website visitor by a web server that is not on the same domain as the website. I’ve made a diagram below which shows how the first party cookie and third party cookie differ.
So when might a third party cookie be used?
Generally third party cookies are issued when are third party is interested in tracking your website visitor traffic, this could either be by a banner advertiser who places a number of banners on your site and wants to know how many times it has been requested, or it could be a third party hosted analytics vendor that issues a page tag for each of your pages that forces a cookie on your site.
In the last situation, where an analytics vendor issues a cookie through a page tag the cookie is seen as a third party cookie because it is being generated by the analytics server which is having the tracking 1×1 invisible gif image requested from it by the page tag. It is however possible to have an analytics cookie issued by the third party vendor but still look like a first party cookie.
There are 2 ways of achieving this:-
- Create a DNS alias for third party analytics server so that it looks like it is actually part of your domain and so anything issued by this server because 1st party (including cookies)
- Have the Javascript page tag create a cookie at run-time and then pass the cookie value back to the analytics server so the cookie is created within the page and so becomes a 1st party cookie.
The obvious advantage of the DNS alias option is that you can have a smaller page tag which is quicker to load, however the cookie making page tag has an advantage over the DNS alias because no structural changes need to be made to the site’s infrastructure and the implementation of the tag should be more straight forward.
So, in the end you want to aim for a first party cookie as these are typically blocked by fewer browsers than third party cookies. To give you an example, I did a test a few weeks ago using on a site using a third party cookie and measured that over 70% of the cookies were being blocked. After a similar test using first party cookies only 30% were being blocked. This shows that although cookies aren’t as accurate as we might all like, all cookies are not created equal.
August 1st, 2007 at 9:11 pm
Hi Matt, just to make it clearer, when you say “given to the website visitor by the same domain (www.domain.com)”, you should really say “domain.com”. That is, without the “www”. Note that most of the time, cookies are set to be valid on a whole domain, but they could be restricted to a specific host.
You could consider the case where siteA.domain.com and siteB.domain.com would share the same tracking cookie.
To make it even more complex, consider the case where you have corpsite.com, brandA.com, brandB.com… You might not want to set up DNS/JavaScript for all of those, and you still don’t want a true 3rd party cookie. In such situations, I have relied on a “friendly 3rd party cookie” (something like stats.corpsite.com) in a way similar to what you describe.
August 2nd, 2007 at 12:47 pm
Hi Matt,
WebTrends handles this situation pretty well, sub-domains and cross-domains and all. They even pretend that all that can be done throught a 1st-party cookie scheme. True, the script is pretty long though.
what kind of test do you do in order to check rejection?
August 2nd, 2007 at 5:38 pm
[…] here is how it works. Tags: This entry was posted on Thursday, August 2nd, 2007 at 9:35 am and is filed under […]
August 3rd, 2007 at 11:27 am
Stéphane,
Thanks for that clarification. In terms of friendly 3rd party cookies, if a browser is set to automaticaaly reject any 3rd party cookie then making this friendly will not help. Although I see your point about making the cookie seem less threatening if a user has to actively decide whether to accept the cookie or not.
Jacques,
I appreciate the input on how the Webtrends cookie scheme works, I think this is probably a similar way in which Google analytics works, amoung others.
The cookie rejection rate was checked quite simply by taking the visitor identification summary report for a month. The first month using 3rd party cookies and the second month using a 1st party cookie. Using this report I could see out of all visitors during that period, what percentage were identified using a cookie and how many were identified using IP+Useragent instead.
January 29th, 2008 at 5:08 pm
[…] web analytics use an invisible gif to track Web traffic, but WordPress.com uses a small smiley face gif on their pages. Some bloggers […]