First Party Cookie Confusion
Matt Hopkins posted in Visitor Segmentation, Web Analytics on August 1st, 2007
Cookies in their own right are really simple little things, the idea being that every time you view a web page on a website, you will be given a code to store on your local PC. The next time you come back to that site it can read your stored cookie and so count you as the same visitor who has returned.
So where is the confusion?
Well, the confusion comes when you start talking about first party and third party cookies and how they are treated differently by web browsers.
A first party cookie is a cookie that is given to the website visitor by the same domain (www.domain.com) that the web page resides on. Whereas, a third party cookie is one that is issued to the website visitor by a web server that is not on the same domain as the website. I’ve made a diagram below which shows how the first party cookie and third party cookie differ.
So when might a third party cookie be used?
Generally third party cookies are issued when are third party is interested in tracking your website visitor traffic, this could either be by a banner advertiser who places a number of banners on your site and wants to know how many times it has been requested, or it could be a third party hosted analytics vendor that issues a page tag for each of your pages that forces a cookie on your site.
In the last situation, where an analytics vendor issues a cookie through a page tag the cookie is seen as a third party cookie because it is being generated by the analytics server which is having the tracking 1×1 invisible gif image requested from it by the page tag. It is however possible to have an analytics cookie issued by the third party vendor but still look like a first party cookie.
There are 2 ways of achieving this:-
- Create a DNS alias for third party analytics server so that it looks like it is actually part of your domain and so anything issued by this server because 1st party (including cookies)
- Have the Javascript page tag create a cookie at run-time and then pass the cookie value back to the analytics server so the cookie is created within the page and so becomes a 1st party cookie.
The obvious advantage of the DNS alias option is that you can have a smaller page tag which is quicker to load, however the cookie making page tag has an advantage over the DNS alias because no structural changes need to be made to the site’s infrastructure and the implementation of the tag should be more straight forward.
So, in the end you want to aim for a first party cookie as these are typically blocked by fewer browsers than third party cookies. To give you an example, I did a test a few weeks ago using on a site using a third party cookie and measured that over 70% of the cookies were being blocked. After a similar test using first party cookies only 30% were being blocked. This shows that although cookies aren’t as accurate as we might all like, all cookies are not created equal.
January 29th, 2012 at 7:59 pm
Hi Matt, just to make it clearer, when you say “given to the website visitor by the same domain (www.domain.com)”, you should really say “domain.com”. That is, without the “www”. Note that most of the time, cookies are set to be valid on a whole domain, but they could be restricted to a specific host.
You could consider the case where siteA.domain.com and siteB.domain.com would share the same tracking cookie.
To make it even more complex, consider the case where you have corpsite.com, brandA.com, brandB.com… You might not want to set up DNS/JavaScript for all of those, and you still don’t want a true 3rd party cookie. In such situations, I have relied on a “friendly 3rd party cookie” (something like stats.corpsite.com) in a way similar to what you describe.
January 29th, 2012 at 8:00 pm
Hi Matt,
WebTrends handles this situation pretty well, sub-domains and cross-domains and all. They even pretend that all that can be done throught a 1st-party cookie scheme. True, the script is pretty long though.
what kind of test do you do in order to check rejection?