We use cookies. You have options. Cookies help us keep the site running smoothly and inform some of our advertising, but if you’d like to make adjustments, you can visit our Cookie Notice page for more information.
We’d like to use cookies on your device. Cookies help us keep the site running smoothly and inform some of our advertising, but how we use them is entirely up to you. Accept our recommended settings or customise them to your wishes.

How redirectors solve the third-party cookie problem

Recently, one of our competitors brought up a good point about third-party cookies and tracking.  They pointed out that some browsers, on iOS-based devices in particular, do not accept third-party cookies by default.  This makes tracking conversions on those devices challenging for tracking methods that rely on third-party cookies.  We completely agree with that part of their analysis.

However, they associated using an http redirect with third-party cookies and suggested that using redirect-based tracking is susceptible to the same pitfalls.  This indicates either a misunderstanding of what a third-party cookie is or a lack of understanding of how a redirect-based system should work.  We wanted to clear that up for them.

First, what is a third-party cookie?  A third-party cookie is a cookie from any domain other than the domain of the original page request.  So if the original request is for http://someretailer.com/index.html, and there is an image on the page from http://content-provider.net/image1.jpg, a cookie set by content-provider.net would be a third-party cookie.  One from http://content.someretailer.com/image2.jpg would not be a third-party cookie.  It is the same base domain as the original request, so it is considered a first-party cookie.

Who cares?  Privacy advocates care a great deal.  Feel free to skip to the next paragraph if you already understand why.  Web sites often use cookies to keep track of users so they can remember what they put in their cart, or display breadcrumbs, or otherwise keep track of an individual browser.  But since a cookie can be read any time the browser makes a request to the server it can be used to track the browser between multiple sites.  For example if retailer1.com and retailer2.com both use some-tracker.com tracking, the some-tracker.com cookie will allow some-tracker.com to track them on both sites and possibly correlate their behavior across both, as well as any other sites that use them.  This gets interesting when you consider how many sites use Google Analytics...

This concern has prompted the major browser makers to include an option to restrict third-party web servers from setting cookies for objects on pages that are not their own.

Section of Google Chrome options page where one controls third party cookie behavior

Mozilla Firefox options page where one controls third party cookie behavior

Internet Explorer Options page where one controls third party cookie behavior

What does this mean?  Any tracking solution that relies on setting third-party cookies will not be able to set a cookie (and therefore will not be able to track) browsers with that setting turned on.  This is true whether the request is done through a server-generated img tag or a JavaScript-generated element.

How does a redirector solve this?  When a browser requests a page from a redirector, the redirector is the first party.  So if a browser requests http://redirect.another-tracker.com/?goto=client1.com/index.html, the server could respond with "Actually go to http://client1.com/index.html, and by the way please set a cookie for another-tracker.com."  Since the request is to "another-tracker.com" and the cookie is for "another-tracker.com", the browser does not consider it third-party so it accepts the cookie (unless the browser has all cookies turned off, in which case they won't be able to add anything to their cart on the client site so won't be able to convert anyway).  When the customer reaches the conversion page that contains a tracking tag, the browser is then happy to present the existing cookie to the third-party server, although it would not accept any new cookies that server tried to set at that time.

As with any solution, there are some additional technical gotchas, so this method may not be something just any company can get to work.  But we have tested and verified it with many browsers, including Safari on iOS devices, so we are confident in our understanding of how best to track the performance of our customers' ads.

Join the Discussion