Snowplow's New Cookie Extension Service Support: Avoid the impact of ITP on cookie expiration

By Rob Edwards
September 20, 2023

Important Note: this article was updated April 2025 to reflect the new name of 'Cookie Extension Service', previously known as 'ID Service'.

With the growing impact of ITP and the recent changes in Safari 16.4 that limit the lifetime of server-set first-party cookies, Snowplow has released support for a ‘Cookie Extension Service’ as part of its recent tracker update. Using a ‘Cookie Extension Service’ alongside your tracker can extend the lifetime of a cookie up to 400 days, giving you greater insight into your customer journey across your digital platforms and a more accurate and reliable analysis.

A quick recap on Safari Intelligent Tracking Prevention (ITP)

ITP was released as a privacy feature by Apple in September 2017 with Safari 12 and iOS 11. It was designed to help protect users' privacy, limiting the ability of advertisers and other entities to track their online activity. ITP was developed by WebKit, the open-source web browser engine that powers the Safari browser.

The first iteration of ITP (ITP 1.0) was designed to reduce cross-site tracking by targeting cookies set by third parties that the user did not interact with, and ITP has since had an increasing impact on first-party cookies. We have covered these changes extensively since they were first introduced, as well as the major updates (2.1-2.3), but here is a quick summary of the changes since March 2023:

  • Third-party cookies are blocked
  • First-party client-set cookies and items in browser storage are erased if you don’t interact with the website for 7 days. (All your tracking tools typically sit here)
  • And, up to now, first-party cookies set with the Set-Cookie HTTP response header were not impacted by ITP, and did not have restrictions placed on their expiration, unless they were using CNAME cloaking (proper Snowplow setups were unaffected!)

These changes left a significant impact. Marketing and ad tech providers now have a more limited ability to identify returning users, negatively impacting many downstream applications, including marketing attribution and product analytics, to name a few.

What changes did Apple introduce in Safari 16.4 and what is the impact?

As part of Safari 16.4 released in April 2023, Safari sets the lifetime of server-set first-party cookies to a maximum of 7 days in the following cases:

  • The server setting the cookie is behind a CNAME that resolves (at any point) to a host that is third-party to the website the user is currently browsing.
  • The server setting the cookie is reached through A/AAAA records that resolve to an IP address (IPv4 or IPv6) whose first half does not match the first half of the IP address of the server for the website the user is currently browsing (e.g. 203.52.1.2 and 203.52.56.22 are okay, 201.55.1.2 is not).

This change wasn’t included in the release notes for Safari 16.4 but we’ve confirmed these findings in WebKit’s GitHub.
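The address comparison described above can be checked before you choose where to host a cookie-setting endpoint. The following is an added example, not code from WebKit or Snowplow: it implements the rule exactly as this article states it (first 16 bits for IPv4, first 64 bits for IPv6) and does not cover the CNAME condition. The host names and IPv6 addresses are constructed, and treating mixed address families as a mismatch is an assumption.

```javascript
// Added example: the "first half of the IP address" rule as this article states it.
const net = require('node:net');

// Expand an IPv4/IPv6 literal into 4 or 16 bytes; null if invalid or unsupported.
function toBytes(ip) {
  if (net.isIPv4(ip)) return ip.split('.').map(Number);
  if (!net.isIPv6(ip) || ip.includes('.')) return null; // embedded-IPv4 forms not handled
  const [head, tail] = ip.split('%')[0].split('::');    // drop any zone id, split on "::"
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = tail === undefined
    ? h                                                  // no "::", all 8 groups present
    : [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.flatMap((g) => {
    const n = parseInt(g, 16);
    return [n >> 8, n & 0xff];
  });
}

// True when both addresses share the same first half (/16 for IPv4, /64 for IPv6).
function sameFirstHalf(documentIp, cookieServerIp) {
  const a = toBytes(documentIp);
  const b = toBytes(cookieServerIp);
  // Assumption: invalid input or mixed address families count as a mismatch.
  if (!a || !b || a.length !== b.length) return false;
  const half = a.length / 2;
  return a.slice(0, half).every((byte, i) => byte === b[i]);
}

// List the candidate hosts whose server-set cookies would be capped at 7 days.
function cappedHosts(documentIp, candidates) {
  return Object.entries(candidates)
    .filter(([, ip]) => !sameFirstHalf(documentIp, ip))
    .map(([host]) => host);
}
```

Feed it the addresses your DNS actually returns for the main document and for each endpoint that sets cookies; any host it lists needs to move into the document's IP space to keep the longer lifetime.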

As with previous iterations of ITP, these changes can have a significant impact on your ability to track the customer journey and build accurate analysis and other applications.

If you want to stay up to date with the latest changes in tracking protection mechanisms by major browsers check out: https://www.cookiestatus.com/.

What is a Cookie Extension Service?

To help prolong the cookie's lifetime, Snowplow has introduced support for a ‘Cookie Extension Service’ alongside its latest tracker release, version 3.15 of the browser and JavaScript tracker. A ‘Cookie Extension Service’ allows for the generation of a unique browser identifier, enhancing the Snowplow tracking capabilities in browsers where ITP is enabled.

A ‘cookie extension service’ needs to be deployed on and executed from the same IP space that serves the main web document of your application, such as your web application system or the Content Delivery Network (CDN) in front of your applications.

The responsibilities of this cookie extension service include:

  • Creating a unique identifier (UUID v4) for this browser, setting it in a cookie and returning it in a Set-Cookie response header on a domain accessible by the service at all times.
  • Increasing the expiry for the cookie used as the network_userid identifier (by default, a cookie named sp, configured via collector.config.name), which should have the same value as the first cookie.

Deploying a ‘Cookie Extension Service’ alongside your tracker prolongs the lifespan of the cookies to up to 400 days, circumventing the most recent ITP updates and providing greater visibility into your customer journey.

To see what logic a cookie extension service should include, along with example code snippets, please see our documentation.

How do you deploy a cookie extension service? 

There are a number of ways the Cookie Extension Service can be deployed depending on which best fits your business:  

  • An API endpoint that is part of the main web application.
  • A function running in an edge worker. Almost all modern CDNs allow the addition of ‘middleware’ code which runs on requests at edge nodes in front of the client’s application domain.
  • A custom middleware based on the customer’s framework. E.g. ExpressJS middleware, Next.js middleware, Play custom action etc. which can run on every document request.
  • A low-footprint application with a single endpoint. A Go web server or something along these lines.
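The responsibilities listed earlier, and the single-endpoint and middleware deployment options above, reduce to one small piece of logic. The following is an added example and not Snowplow's own code. The service cookie name `sp_ces`, the domain `example.com`, the cookie attributes, the 204 response and the order in which existing cookies are reused are all assumptions of this example.

```javascript
// Added example, not Snowplow's code. Names marked "hypothetical" are assumptions.
const { randomUUID } = require('node:crypto');

const MAX_AGE_S = 400 * 24 * 60 * 60; // 400 days, the lifetime cited in the article
const SERVICE_COOKIE = 'sp_ces';      // hypothetical name for the service's own ID cookie
const COLLECTOR_COOKIE = 'sp';        // default network_userid cookie name
const COOKIE_DOMAIN = 'example.com';  // hypothetical site domain
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Parse a Cookie request header into a Map (first occurrence of a name wins).
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (!jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Choose the identifier and build both Set-Cookie headers with the same value.
// A client-supplied value is reused only if it is a well-formed UUID v4, so a
// tampered cookie cannot smuggle CR/LF or extra attributes into the response.
function extendCookies(cookieHeader, domain = COOKIE_DOMAIN) {
  const jar = parseCookies(cookieHeader);
  // Assumed precedence: service cookie, then existing sp cookie, else a new ID.
  const reused = [jar.get(SERVICE_COOKIE), jar.get(COLLECTOR_COOKIE)]
    .find((v) => v !== undefined && UUID_V4.test(v));
  const id = reused || randomUUID();
  const attrs = `Max-Age=${MAX_AGE_S}; Path=/; Domain=${domain}; Secure; HttpOnly; SameSite=Lax`;
  return {
    id,
    setCookie: [`${SERVICE_COOKIE}=${id}; ${attrs}`, `${COLLECTOR_COOKIE}=${id}; ${attrs}`],
  };
}

// Request handler for node:http (the same body works inside framework middleware).
// The 204 status and no-store caching are assumptions of this example.
function handler(req, res) {
  const { setCookie } = extendCookies(req.headers.cookie);
  res.writeHead(204, { 'Set-Cookie': setCookie, 'Cache-Control': 'no-store' });
  res.end();
}
```

Validating the incoming value before echoing it matters because the endpoint turns request data into response headers; anything that is not a UUID v4 is discarded and replaced with a fresh identifier.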

Do I need to make any changes to my existing tracking?

No, your existing tracking will stay exactly the same. Once the Cookie Extension Service has been deployed on a system with the same resolved IP as the main document, the tracker can be configured to orchestrate the required cookie extension service API calls.

This happens using the `cookieExtensionService` configuration parameter introduced in v3.15 of the JavaScript and/or browser tracker.



window.snowplow("newTracker", "sp", "{{collector_url_here}}", {
 /* ...Rest of the tracker options */
 cookieExtensionService: "/cookie-extension-service-endpoint"
});


You can use the cookie extension service without making any changes or updates to the JavaScript tracker. The only condition is that, before any tracking is initialized on the page, the cookie extension service endpoint has already responded and set the identifiers mentioned in the business logic explanation. We nevertheless recommend updating to the latest version, which handles the cookie extension service call for you internally and also includes all of the latest bug fixes and new features.

Find out more

If you want to learn more about this feature please visit our documentation or book a demo with one of our team.
