Safari ITP update: is it possible to have cookies that last longer than 7 days in 2023?
Safari has made its next move in the fight against cookies. If you have changed to using a server-side tag manager you are most likely affected by the most recent update. Read on to find out what you can do.
What are cookies?
Browser cookies are small text files that are stored on your computer or device by a website that you visit. Cookies are designed to remember your preferences and other information about your visit to the website, such as your username and password, items in your shopping cart, or the pages you visited.
First-party vs third-party cookies
First-party cookies are cookies that are set by the website that you are visiting. They are often used to remember your preferences and make your browsing experience more convenient. For example, a first-party cookie may remember your login information so that you don't have to enter it every time you visit the website.
First-party cookies work the way consumers expect more than third-party cookies, which are set for a different domain to the one being visited. This is because first-party cookies are set by the website that you have chosen to visit and are generally used for purposes that are related to your interaction with that website.
First party cookies can be broken down into two distinct categories, client-set and server-set. First-party client-set cookies are created by the trackers in your browser using Javascript. Examples of these are cookies created by Google Analytics, Segment, and Snowplow’s domain_userid (_sp_id). First-party server-set cookies are created by the HTTP headers returned by a server under the same domain as the website (e.g. www.mysite.com). This is Snowplow’s network_userid (sp).
A quick recap on Safari ITP
Apple's Safari web browser has implemented a feature called Intelligent Tracking Prevention (ITP) that restricts the use of all browser storage including cookies. This feature was introduced to protect the privacy of Safari users and limit the ability of advertisers and other entities to track their online activity.
ITP has also affected the ability to solve challenges that are unrelated to third-party advertising. For example, it greatly limits the effectiveness of tracking a customer journey where users are not regularly logging into your website (even when they consent to cookies). Without a strong understanding of your customers, downstream use cases including marketing attribution, product analytics and personalised recommendations are difficult to achieve.
At Snowplow we have covered ITP in detail when it first came out and the major changes as third party tools worked around the restrictions.
Up to March 2023 we could summarise the Safari controls in place as the following
- Third-party cookies are blocked
- First-party client-set cookies + items in browser storage are erased if you don’t interact with the website for 7 days. (All your tracking tools typically sit here)
- And, up to now, first-party cookies set with the Set-Cookie HTTP response header were not impacted by ITP, and did not have restrictions placed on their expiration, unless they were using CNAME cloaking (proper Snowplow setups were unaffected!)
Note: Firefox and other browsers have deployed similar initiatives
Safari’s new ITP restrictions (16.4) - April 2023
This is Simo Ahava's recent Linkedin post on the topic:
Now, as of Safari 16.4 released in April 2023, Safari sets the lifetime of server-set first-party cookies to a maximum of 7 days in the following cases:
- The server setting the cookie is behind a CNAME that resolves (at any point) to a host that is third-party to the website the user is currently browsing.
- The server setting the cookie is set with A/AAAA records that resolve to an IP address (IP4 or IP6) where the first half of the address does not match the first half of the IP address for the server on the website the user is currently browsing. (e.g. 203.52.1.2 and 203.52.56.22 are okay, 201.55.1.2 is not).
This change wasn’t included in the release notes for Safari 16.4 but we’ve confirmed what Simo Ahava has announced and found the change in WebKit where this was implemented.
The impact of this is that everyone that has deployed a server-side tag manager such as GTM Server-side will now have their cookies limited for Safari users if the IP addresses don’t meet these rules.
This may affect your Snowplow deployment too. To verify this, you can check the server-set cookie ‘sp’ in Safari 16.4 and see if it’s limited to one week. If you are affected, fear not! Let’s make the IP address of the collector and website match.
Note: ‘_sp_id’ is a client-set first-party cookie (Same as Google, Segment, Facebook etc.). It appears to expire in a year or two, but as we discussed above, Safari will delete them if a user isn’t active on your site for 7 days. Watch out!
How to extend the length of your tracking with Snowplow
The easiest way to still achieve Snowplow’s long-lasting identification cookies is to set up a cloud CDN as a proxy server in front of both the Snowplow collector and the web application. Popular solutions to achieve this on a global scale are:
- CloudFront
- CloudFlare
- Akamai
- Fastly
For smaller scale applications you could also use an open source web proxy like Nginx, haproxy and envoy, or use one of the cloud native load balancers.
With this change you can continue to use the ‘sp’ cookie (which is referred to as ‘network_userid’ in the data warehouse) for strong user stitching. This may also work in front of a server-side tag manager setup, but make sure that you’re creating server-set cookies, not client-set ones.
Snowplow has now launched the Snowplow ID service to make this easier and meet the needs of more complex environments. If the above method isn’t ideal for your situation, please contact us to discuss further.
How to keep up to date
If you are as focused as me on the changes in this space and want to keep up to date, sign up to our blog at Snowplow, follow Simo Ahava and bookmark https://www.cookiestatus.com/.