Safari 1st Party Cookies

As part of Apple’s ITP 2.2 changes, 1st party (1p) cookies in Safari set by Control Tag will expire after 1 day. If you do not revisit a site within 1 day to keep your cookie refreshed, the cookie will expire and you will get a new identifier the next time you visit the site. This will negatively impact our ability to track users.

See Firefox 1st Party Cookies
Changes to Google Same-Site Settings
for related content.

First Party Cookie Tracking

You can use Audience Studio to better manage first-party cookie tracking on your site from Safari, to comply with Safari’s new policies for handling first- and third-party cookie tracking. We removed and deprecated support for fingerprint tracking on Safari. Instead, you can replace fingerprint tracking with Audience Studio first-party cookie tracking, or alternately, use your existing first-party cookies.

To enable first-party cookie tracking for Safari, contact Audience Studio Support. Tracking is subject to the expiry restriction imposed by Safari on client-side cookies.

Site Managed First Party Cookies

Sites can avoid the problem of rapidly-expiring cookies by having their web servers instruct browsers to set a cookie automatically, versus setting the cookie via the browser. With this approach, when a user navigates to the client site, it will issue an HTTP request for the page content. The server response will include include a “Set-Cookie” HTTP header. Safari will read this header and set a cookie which is not subject to the 1-day expiration of browser-based cookies such as those set by the Audience Studio Control Tag.

You can configure the Control Tag to read this 1p cookie and use its value as a device identifier. This technique, known as Site-Managed 1p Cookies, provides significantly higher accuracy counts due to the longer expiry times associated with these server-side configured cookies.


  • Sites should respond to content requests with Set-Cookie response header
  • Cookie name can be anything as long as it is the same across your sites and instances. Our recommendation is to name it kppid 
  • Cookie value should be 11-character alphanumeric (a-z, 0-9, _)
  • Cookies expiry can be set per client's lookback needs and we recommend setting it to 6 months
  • Cookie domain should be the site's domain e.g., domain = "" on
  • Control Tag should be configured to read the 1p cookie and use the value as an identifier


Server-side cookies can be managed in all popular webserver frameworks. The exact technique varies according to the stack you are using.

Mozilla’s developer documentation [2] provides reference material on the response header itself.ere is an example HTTP “Set-Cookie” response header:

Set-Cookie: kppid=F1riopnS_3f; Expires=Tue, 29-Oct-19 13:26:44 GMT; Max-Age=15552000;; Path=/

More Information

Set Cookie via API

Salesforce's Cookie Policy

Expiring Cookies

Third Party Providers with First Party Cookies

Have more questions? Submit a request


Please sign in to leave a comment.