?> Snowplow's New ID Service Support: Avoid the impact of ITP on cookie expiration | Snowplow
Snowplow Outperforms GA4 in GigaOm Comparative Evaluation.
Read More
  1. Home
  2. Blog
  3. Releases
Product features, Releases

Snowplow’s New ID Service Support: Avoid the impact of ITP on cookie expiration

Jump to

With the growing impact of ITP and recent changes to limit server-set first-party cookies lifetime as part of Safari 16.4. Snowplow has released support for an ‘ID Service’ as part of its recent tracker update. The use of an ‘ID Service’ alongside your tracker can extend the lifetime of a cookie up to 400 days and provide greater insight into your customer journey across your digital platforms to build a more accurate and reliable analysis. 

A quick recap on Safari Intelligent Tracking Prevention (ITP)

ITP was released as a privacy feature by Apple in September 2017 with Safari 12 and iOS 11. It was designed to help protect users’ privacy, limiting the ability of advertisers and other entities to track their online activity. ITP was developed by Webkit, the open-source web browser engine that powers the Safari browser. 

The first interaction of ITP (ITP 1.0) was designed to reduce cross-site tracking by further targeting cookies set by third parties that the user did not interact with and since has had an increasing impact on first-party cookies. We have covered all of these changes extensively since they were first introduced as well as the major updates (2.1-2.3) but here is a quick summary of the changes since March 2023:

  • Third-party cookies are blocked
  • First-party client-set cookies and items in browser storage are erased if you don’t interact with the website for 7 days. (All your tracking tools typically sit here)
  • And, up to now, first-party cookies set with the Set-Cookie HTTP response header were not impacted by ITP, and did not have restrictions placed on their expiration, unless they were using CNAME cloaking (proper Snowplow setups were unaffected!)

These changes left a significant impact. Marketing and ad tech providers now have a more limited ability to identify returning users, negatively impacting many downstream applications, including marketing attribution and product analytics, to name a few.

What changes did Apple introduce in Safari 16.4 and what is the impact?

As part of Safari 16.4 released in April 2023, Safari sets the lifetime of server-set first-party cookies to a maximum of 7 days in the following cases:

  • The server setting the cookie is behind a CNAME that resolves (at any point) to a host that is third-party to the website the user is currently browsing.
  • The server setting the cookie is set with A/AAAA records that resolve to an IP address (IP4 or IP6) where the first half of the address does not match the first half of the IP address for the server on the website the user is currently browsing. (e.g. and are okay, is not).

This change wasn’t included in the release notes for Safari 16.4 but we’ve confirmed these findings in WebKit’s GitHub.

As with previous interactions of ITP, these changes can have a significant impact on your ability to track the customer journey and build accurate analysis and other applications.  

If you want to stay up to date with the latest changes in tracking protection mechanisms by major browsers check out: https://www.cookiestatus.com/.

What is an ID Service?

To help prolong the cookie’s lifetime Snowplow has introduced the support of an ‘ID Service’ alongside its latest tracker release, version 3.15 of the browser and JavaScript tracker. An ‘ID Service’ allows for the generation of a unique browser identifier, enhancing the Snowplow tracking capabilities in browsers where ITP is enabled. 

An ‘ID service’ needs to be deployed on and executed from the same IP space that serves the main web document of your application such as your web application system or Content Delivery Network (CDN) in front of your applications. 

The responsibilities of this ID service include: 

  • Creating a unique identifier (UUID v4) for this browser, set it in a cookie and return it in a Set-Cookie response header on a domain accessible by the service at all times.
  • Increase the expiry for the cookie used as the network_userid identifier (by default, a cookie named sp, configured via collector.config.name) which should have the same value as the first cookie.

Deploying an ‘ID Service’ alongside your tracker prolongs the lifespan of the cookies to up to 400 days. Circumventing the most recent ITP updates and providing greater visibility into your customer journey.

To see what logic an ID service code should include and example code snippets please see our documentation

How do you deploy an ID service? 

There are a number of ways the ID Service can be deployed depending on which best fits your business:  

  • An API endpoint that is part of the main web application.
  • A function running in an edge worker. Almost all modern CDNs allow the addition of ‘middleware’ code which runs on requests at edge nodes in front of the client’s application domain.
  • A custom middleware based on the customer’s framework. E.g. ExpressJS middleware, Next.js middleware, Play custom action etc. which can run on every document request.
  • A low-footprint application with a single endpoint. A Go web server or something along these lines.

Snowplow ID Service has several flexible deployment options

Do I need to make any changes to my existing tracking?

No, your existing tracking will stay exactly the same. When the ID service has been deployed on a system with the same resolved IP as the main document, the tracker can then be configured to orchestrate the required ID service API calls.

This happens using the `idService` configuration parameter introduced in v3.15 of the JavaScript and/or browser tracker.

window.snowplow("newTracker", "sp", "{{collector_url_here}}", {
  /* ...Rest of the tracker options */
  idService: "/id-service-endpoint"

You can utilise the ID service without making any changes or updates to the JavaScript tracker. The only condition is that before any tracking is initialised on the page, the ID service endpoint should respond first by setting the identifiers mentioned in the business logic explanation. But it is recommended that you update to the latest version that internally handles the ID service call for you, in addition to, getting all of the latest bug fixes and new features.

Find out more

If you want to learn more about this feature please visit our documentation or book a demo with one of our team.

More about
the author

Rob Edwards
Rob Edwards

Product Marketing Lead at Snowplow

View author

Ready to start creating rich, first-party data?

Image of the Snowplow app UI